[MDEV-36398] Extend SBOM with 'license' and 'copyright' - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 11.8.2
Component/s: OTHER
Labels:
None

Description

A customer is asking to extend SBOMs beyond their original goal of NTIA and executive order compliance. Apparently, own product and dependencies need to be have license and copyright statement.

License (as SPDX-id) can in theory be deduced by github APIs

Here is the rough plan -
the "machine-readable" file will be yaml-formatted. It consists of a yaml-list. i.e items starting with <dash>-name, every items has a couple of keys, license and maybe "copyright" if known, but also information we hardcoded elsewhere, e.g CPE identifier, or publisher. a cmake parser function will convert the list and they keys into a set of cmake variables, e.g THIRD_PARTY_ZLIB_LICENSE will be taken from

 -zlib

    license:GPL2

Attachments

Issue Links

relates to: PT-438 Loading...

Activity

Ascending order - Click to sort in descending order

Vladislav Vaintroub created issue - 2025-03-26 14:39

Sergei Golubchik added a comment - 2025-03-26 14:47

there were discussions about machine-parseable license file that distros at some point wanted.
if we'll have that we can machine-parse it from cmake for SBOM

Sergei Golubchik added a comment - 2025-03-26 14:47 there were discussions about machine-parseable license file that distros at some point wanted. if we'll have that we can machine-parse it from cmake for SBOM

Alex Hanshaw made changes - 2025-03-26 16:45

Field	Original Value	New Value
Remote Link		This issue links to "PT-438 (Jira)" [ 37468 ]

Sergei Golubchik made changes - 2025-04-03 16:19

Priority

Major [ 3 ]

Critical [ 2 ]

Vladislav Vaintroub made changes - 2025-04-03 17:00

Description

A customer is asking to extend SBOMs beyond their original goal of NTIA and executive order compliance. Apparently, own product and dependencies need to be have license and copyright statement.

copyright statement can be deduced automatically, so there must be some file that we can hardcode this information in.

License (as SPDX-id) can in theory be deduced by github APIs

Here is the rough plan -
the "machine-readable" file will be yaml-formatted. It consists of a yaml-list. i.e items starting with <dash>-name, every items has a couple of keys, license and maybe "copyright" if known, but also information we hardcoded elsewhere, e.g CPE identifier, or publisher. a cmake parser function will convert the list and they keys into a set of cmake variables, e.g THIRD_PARTY_ZLIB_LICENSE will be taken from
{noformat}
-zlib
license:GPL2
{noformat}

Vladislav Vaintroub made changes - 2025-04-07 20:38

Status

Open [ 1 ]

In Progress [ 3 ]

Vladislav Vaintroub added a comment - 2025-04-08 09:18

Please review the associated PR#3958

Vladislav Vaintroub added a comment - 2025-04-08 09:18 Please review the associated PR#3958

Vladislav Vaintroub made changes - 2025-04-08 09:18

Assignee	Vladislav Vaintroub [ wlad ]	Sergei Golubchik [ serg ]
Status	In Progress [ 3 ]	In Review [ 10002 ]

Sergei Golubchik made changes - 2025-04-11 09:16

Assignee	Sergei Golubchik [ serg ]	Vladislav Vaintroub [ wlad ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Vladislav Vaintroub made changes - 4 days ago

Component/s		OTHER [ 10125 ]
Fix Version/s		11.8.2 [ 30001 ]
Fix Version/s	11.8 [ 29921 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

People

Assignee:: Vladislav Vaintroub

Reporter:: Vladislav Vaintroub

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-03-26 14:39

Updated:: 4 days ago 08:42

Resolved:: 4 days ago 08:42

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration