[MDEV-34979] generate SBOM from server builds - Jira

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 11.8.1
Component/s: Compiling
Labels:
- Preview_11.8

Description

For various compliance purposes we need to generate a Software Bill of Materials for a server build. It's a JSON that follows a specific schema. The main purpose of it is to list dependencies of the built binaries. Dependencies here are used in the sense of vulnerability management, that is, if X contains a security vulnerability, will Y have it? In that sense CONNECT depends on minizip.

cmake knows what it links targets with, and bundled sources (like gzip or minizip) have the version embedded that cmake can read it with FILE(STRINGS ...) for example.

It seems that it should be possible to dump this information into a json template, e.g. with CONFIGURE_FILE().

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

sbom_review.txt
3 kB
2024-12-06 11:40

Issue Links

relates to

MDEV-34287 Debian - dep 5 compatible debian/copyright

Open

blocks: PT-199 Loading...

Activity

People

Assignee:: Vladislav Vaintroub

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2024-09-21 09:01

Updated:: Yesterday 17:16

Resolved:: 2025-02-05 10:10

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.