Open mhalbritter opened 2 months ago
@fniephaus Would it be possible to expose the embedded SBOM via a standard Java mechanism, e.g. a readable resource on the classpath or some custom URL scheme? Then we wouldn't need to add the dependency on the GraalVM SDK and it would work right now with Boot 3.3.0-RC1.
@mhalbritter I think that's technically feasible. Can you give an example or two how SBOMs are otherwise accessible via classpath/modulepath or a custom URL scheme?
Sure. Take a look at this documentation here. If the SBOM were on the classpath, you could just use `classpath:sbom.json` in the config to read it from `/sbom.json`.
Native images now expose their SBOM under `META-INF/native-image/sbom.json`. We should take a look if it makes sense to automatically discover them.
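One way the classpath discovery suggested in the comment above could look, as an added example that is not code from Spring Boot, GraalVM or anyone in this thread. It assumes only what the thread states, that the SBOM is a resource at `META-INF/native-image/sbom.json`; the `bomFormat`/`CycloneDX` sanity check additionally assumes the embedded document is CycloneDX JSON, which the thread does not say, so treat that check as an assumption:

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Finds every META-INF/native-image/sbom.json visible to a class loader and
 * returns their contents. Illustrative code, not part of Spring Boot or GraalVM.
 */
public final class SbomDiscovery {

    // Resource path as quoted in the thread; whether a particular build really
    // places the SBOM here is something the caller has to verify.
    static final String SBOM_RESOURCE = "META-INF/native-image/sbom.json";

    public record Sbom(URL location, String json) {}

    public static List<Sbom> discover(ClassLoader loader) throws IOException {
        List<Sbom> found = new ArrayList<>();
        // getResources (plural) rather than getResource: several jars on the
        // classpath may each carry an SBOM, and the first hit is not
        // necessarily the one that describes the running application.
        for (URL url : Collections.list(loader.getResources(SBOM_RESOURCE))) {
            try (InputStream in = url.openStream()) {
                String json = new String(in.readAllBytes(), StandardCharsets.UTF_8);
                found.add(new Sbom(url, json));
            }
        }
        return found;
    }

    // Cheap plausibility check before serving the document from an endpoint.
    // Assumption: the SBOM is CycloneDX JSON, which declares "bomFormat": "CycloneDX".
    // This is a substring test, not a JSON parse; it only screens out obvious non-SBOMs.
    static boolean looksLikeCycloneDx(String json) {
        return json.contains("\"bomFormat\"") && json.contains("\"CycloneDX\"");
    }

    public static void main(String[] args) throws IOException {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        List<Sbom> sboms = discover(loader);
        if (sboms.isEmpty()) {
            System.out.println("no " + SBOM_RESOURCE + " found on the classpath");
            return;
        }
        for (Sbom sbom : sboms) {
            System.out.printf("%s (%d bytes, CycloneDX: %b)%n",
                    sbom.location(), sbom.json().length(), looksLikeCycloneDx(sbom.json()));
        }
    }
}
```

Two practical notes. First, discovery that returns more than one SBOM is a signal worth surfacing rather than silently picking the first: a stray `sbom.json` in a dependency jar would otherwise be served as if it described the whole application. Second, in a native image only resources registered in reachability metadata are visible through `getResources`; whether the embedded SBOM is registered automatically is not settled in this thread, so check that before relying on this path at runtime.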
GraalVM's `native-image` has a feature where it can create an SBOM at native image build time and embed it. You can then use `native-image-inspect` to extract the SBOM from the native image. The GraalVM team would be open to exposing an API in the `graal-sdk` to get the SBOM directly without the need of `native-image-inspect`. We could add support for that in our actuator SBOM endpoint.