spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

Export SBOM contained in native-image #40630

Open mhalbritter opened 2 months ago

mhalbritter commented 2 months ago

GraalVM's native-image has a feature where it can create an SBOM at native-image build time and embed it. You can then use native-image-inspect to extract the SBOM from the native image.

The GraalVM team would be open to exposing an API in the graal-sdk to get the SBOM directly without the need for native-image-inspect. We could add support for that in our actuator SBOM endpoint.

mhalbritter commented 2 months ago

@fniephaus Would it be possible to expose the embedded SBOM via a standard Java mechanism, e.g. a readable resource on the classpath or some custom URL scheme? Then we wouldn't need to add the dependency on the GraalVM SDK and it would work right now with Boot 3.3.0-RC1.

fniephaus commented 2 months ago

@mhalbritter I think that's technically feasible. Can you give an example or two of how SBOMs are otherwise accessible via classpath/modulepath or a custom URL scheme?

mhalbritter commented 2 months ago

Sure. Take a look at this documentation here. If the SBOM were on the classpath, you could just use classpath:sbom.json in the config to read it from /sbom.json.

mhalbritter commented 1 week ago

Native images now expose their SBOM under META-INF/native-image/sbom.json. We should take a look at whether it makes sense to automatically discover them.
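As an added illustration of the discovery idea above (example code written for this page, not Spring Boot's or GraalVM's own), the class below reads the SBOM from the `META-INF/native-image/sbom.json` classpath location named in the thread and flattens its component list so an operator can compare name/version/purl triples against an inventory or vulnerability feed. It assumes the embedded document is CycloneDX JSON with a top-level `components` array (GraalVM emits CycloneDX, but the field names used here are an assumption about that layout) and that Jackson is available, as it is in any Spring Boot application; `EmbeddedSbomReader` and `Component` are names chosen for this example.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

// Example reader (not Spring Boot code) for the SBOM that GraalVM native-image
// embeds in the image. Running on a plain JVM the resource is usually absent,
// which load() reports as null rather than throwing.
public final class EmbeddedSbomReader {

    // Classpath location mentioned in the issue thread.
    public static final String NATIVE_IMAGE_SBOM = "META-INF/native-image/sbom.json";

    // Minimal view of one CycloneDX component; field names are an assumption
    // about the CycloneDX JSON layout ("name", "version", "purl").
    public record Component(String name, String version, String purl) {}

    private final ObjectMapper mapper = new ObjectMapper();

    // Returns the embedded SBOM as a JSON tree, or null when no SBOM resource
    // is present (e.g. the app was started on the JVM, not as a native image).
    public JsonNode load(ClassLoader loader) throws IOException {
        try (InputStream in = loader.getResourceAsStream(NATIVE_IMAGE_SBOM)) {
            if (in == null) {
                return null;
            }
            return mapper.readTree(in);
        }
    }

    // Flattens the "components" array into name/version/purl triples.
    // Missing fields become null instead of aborting the whole listing.
    public List<Component> components(JsonNode sbom) {
        List<Component> result = new ArrayList<>();
        for (JsonNode c : sbom.path("components")) {
            result.add(new Component(
                    c.path("name").asText(null),
                    c.path("version").asText(null),
                    c.path("purl").asText(null)));
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        EmbeddedSbomReader reader = new EmbeddedSbomReader();
        JsonNode sbom = reader.load(EmbeddedSbomReader.class.getClassLoader());
        if (sbom == null) {
            System.out.println("no embedded SBOM at " + NATIVE_IMAGE_SBOM
                    + " (not running inside a native image?)");
            return;
        }
        System.out.println("bomFormat=" + sbom.path("bomFormat").asText("?")
                + " specVersion=" + sbom.path("specVersion").asText("?"));
        for (Component c : reader.components(sbom)) {
            System.out.println(c.name() + " " + c.version() + " " + c.purl());
        }
    }
}
```

Until auto-discovery exists, the same resource can be handed to the actuator endpoint through configuration in the way the earlier comment describes, e.g. pointing the SBOM location property at `classpath:META-INF/native-image/sbom.json` (the exact property name for the Boot 3.3 sbom endpoint is an assumption here; check the actuator reference for your version). Whichever route is used, the endpoint should stay behind authentication, since the component list is exactly what an attacker would want when matching a deployment against known-vulnerable versions.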