Skip to content

PARQUET-2224: Publish SBOM artifacts#1017

Merged
shangxinli merged 1 commit into
apache:masterfrom
dongjoon-hyun:PARQUET-2224
Jan 10, 2023
Merged

PARQUET-2224: Publish SBOM artifacts#1017
shangxinli merged 1 commit into
apache:masterfrom
dongjoon-hyun:PARQUET-2224

Conversation

@dongjoon-hyun

@dongjoon-hyun dongjoon-hyun commented Jan 5, 2023
edited
Loading

Copy link
Copy Markdown
Member

Goal

This PR aims to publish SBOM artifacts.

Here is an article to give some context.

Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, Software Package Data Exchange® (SPDX).

This PR uses CycloneDX maven plugin, a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

For example, parquet-common-1.13.0-SNAPSHOT.jar will have parquet-common-1.13.0-SNAPSHOT-cyclonedx.xml and parquet-common-1.13.0-SNAPSHOT-cyclonedx.json.

$ ls -al ~/.m2/repository/org/apache/parquet/parquet-common/1.13.0-SNAPSHOT/
total 744
drwxr-xr-x  19 dongjoon  staff    608 Jan  5 09:34 .
drwxr-xr-x  10 dongjoon  staff    320 Jan  5 09:34 ..
-rw-r--r--   1 dongjoon  staff    544 Jan  5 09:35 _remote.repositories
-rw-r--r--   1 dongjoon  staff    998 Jan  5 09:27 maven-metadata-apache.snapshots.xml
-rw-r--r--   1 dongjoon  staff     41 Jan  5 09:27 maven-metadata-apache.snapshots.xml.sha1
-rw-r--r--   1 dongjoon  staff   1342 Jan  5 09:35 maven-metadata-local.xml
-rw-r--r--   1 dongjoon  staff  44494 Jan  5 09:27 parquet-common-1.13.0-20220510.162626-2-tests.jar
-rw-r--r--   1 dongjoon  staff     40 Jan  5 09:27 parquet-common-1.13.0-20220510.162626-2-tests.jar.sha1
-rw-r--r--   1 dongjoon  staff  96523 Jan  5 09:27 parquet-common-1.13.0-20220510.162626-2.jar
-rw-r--r--   1 dongjoon  staff     40 Jan  5 09:27 parquet-common-1.13.0-20220510.162626-2.jar.sha1
-rw-r--r--   1 dongjoon  staff   3432 Jan  5 09:28 parquet-common-1.13.0-20220510.162626-2.pom
-rw-r--r--   1 dongjoon  staff    283 Jan  5 09:28 parquet-common-1.13.0-20220510.162626-2.pom.lastUpdated
-rw-r--r--   1 dongjoon  staff     40 Jan  5 09:28 parquet-common-1.13.0-20220510.162626-2.pom.sha1
-rw-r--r--   1 dongjoon  staff   5655 Jan  5 09:35 parquet-common-1.13.0-SNAPSHOT-cyclonedx.json
-rw-r--r--   1 dongjoon  staff   4971 Jan  5 09:35 parquet-common-1.13.0-SNAPSHOT-cyclonedx.xml
-rw-r--r--   1 dongjoon  staff  44420 Jan  5 09:35 parquet-common-1.13.0-SNAPSHOT-tests.jar
-rw-r--r--   1 dongjoon  staff  96767 Jan  5 09:35 parquet-common-1.13.0-SNAPSHOT.jar
-rw-r--r--   1 dongjoon  staff   3432 Dec 29 21:38 parquet-common-1.13.0-SNAPSHOT.pom
-rw-r--r--   1 dongjoon  staff    756 Jan  5 09:27 resolver-status.properties

Jira

Tests

  • My PR adds the following unit tests OR does not need testing for this extremely good reason:

Commits

  • My commits all reference Jira issues in their subject lines. In addition, my commits follow the guidelines from "How to write a good git commit message":
    1. Subject is separated from body by a blank line
    2. Subject is limited to 50 characters (not including Jira issue reference)
    3. Subject does not end with a period
    4. Subject uses the imperative mood ("add", not "adding")
    5. Body wraps at 72 characters
    6. Body explains "what" and "why", not "how"

@dongjoon-hyun

dongjoon-hyun commented Jan 5, 2023

Copy link
Copy Markdown
Member Author

cc @ggershinsky and @sunchao

@dongjoon-hyun

dongjoon-hyun commented Jan 5, 2023

Copy link
Copy Markdown
Member Author

Also, cc @shangxinli and @gszadovszky

@dongjoon-hyun dongjoon-hyun mentioned this pull request Jan 6, 2023
Merged
@dongjoon-hyun

dongjoon-hyun commented Jan 6, 2023

Copy link
Copy Markdown
Member Author

FYI, here is the ASF SBOM wikipage.

wgtmac
wgtmac approved these changes Jan 8, 2023
View reviewed changes

@wgtmac wgtmac left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM +1

sunchao
sunchao approved these changes Jan 8, 2023
View reviewed changes

@sunchao sunchao left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dongjoon-hyun

dongjoon-hyun commented Jan 9, 2023

Copy link
Copy Markdown
Member Author

Thank you, @wgtmac and @sunchao .

ggershinsky
ggershinsky approved these changes Jan 9, 2023
View reviewed changes

@ggershinsky ggershinsky left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Passing on to @shangxinli as the project chair.

@dongjoon-hyun

dongjoon-hyun commented Jan 9, 2023

Copy link
Copy Markdown
Member Author

Thank you, @ggershinsky !

@shangxinli

shangxinli commented Jan 10, 2023

Copy link
Copy Markdown
Contributor

Thank you @dongjoon-hyun for working on it!

@shangxinli shangxinli merged commit eb2122d into apache:master Jan 10, 2023
@dongjoon-hyun

dongjoon-hyun commented Jan 10, 2023

Copy link
Copy Markdown
Member Author

Thank you all, @shangxinli , @ggershinsky , @sunchao , @wgtmac .

@dongjoon-hyun dongjoon-hyun deleted the PARQUET-2224 branch January 10, 2023 06:34
@wgtmac wgtmac mentioned this pull request Aug 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wgtmac wgtmac wgtmac approved these changes
@ggershinsky ggershinsky ggershinsky approved these changes
+1 more reviewer
@sunchao sunchao sunchao approved these changes
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dongjoon-hyun @shangxinli @sunchao @wgtmac @ggershinsky