[ 
https://issues.apache.org/jira/browse/HIVE-26912?focusedWorklogId=837834&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-837834
 ]

ASF GitHub Bot logged work on HIVE-26912:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Jan/23 09:01
            Start Date: 09/Jan/23 09:01
    Worklog Time Spent: 10m 
      Work Description: dongjoon-hyun opened a new pull request, #3926:
URL: https://github.com/apache/hive/pull/3926

   ### What changes were proposed in this pull request?
   
   This PR aims to publish SBOM artifacts along with the other Apache projects.
   
   - https://cwiki.apache.org/confluence/display/COMDEV/SBOM
   
   Here is an article to give some context.
   - https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/
   
   Software Bill of Materials (SBOM) are additional artifacts containing the 
aggregate of all direct and transitive dependencies of a project. The US 
Government (based on NIST recommendations) currently accepts only the three 
most popular SBOM standards as valid, namely: 
[CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) 
tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software 
Package Data Exchange® (SPDX)](https://spdx.dev/).
   
   This PR uses one of the Maven plugins, [CycloneDX maven 
plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight 
software bill of materials (SBOM) standard designed for use in application 
security contexts and supply chain component analysis.
   
   https://maven.apache.org/plugins/index.html#misc
   
   
   ### Why are the changes needed?
   
   This is helpful for the users who want to check the artifacts.
   
   ### Does this PR introduce _any_ user-facing change?
   
   No.
   
   ### How was this patch tested?
   
   `hive-common-4.0.0-SNAPSHOT.jar` will have 
`hive-common-4.0.0-SNAPSHOT-cyclonedx.xml` and 
`hive-common-4.0.0-SNAPSHOT-cyclonedx.json` files additionally.
   ```
   $ mvn install -pl common -DskipTests
   ...
   
   $ ls -al /Users/dongjoon/.m2/repository/org/apache/hive/hive-common/4.0.0-SNAPSHOT/
   total 2976
   drwxr-xr-x  9 dongjoon  staff     288 Jan  9 00:52 .
   drwxr-xr-x  4 dongjoon  staff     128 Jan  9 00:52 ..
   -rw-r--r

Issue Time Tracking
-------------------

            Worklog Id:     (was: 837834)
    Remaining Estimate: 0h
            Time Spent: 10m

> Publish SBOM artifacts
> ----------------------
>
>                 Key: HIVE-26912
>                 URL: https://issues.apache.org/jira/browse/HIVE-26912
>             Project: Hive
>          Issue Type: Improvement
>          Components: Build Infrastructure
>    Affects Versions: 4.0.0
>            Reporter: Dongjoon Hyun
>            Priority: Minor
>          Time Spent: 10m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
