Outreachy: Software Bill Of Materials Refinements: Project SmoothBOM
Shelley Lambert edited this page Nov 29, 2022 · 9 revisions
An SBOM, or Software Bill of Materials, is an artifact that is created at build time to capture important information about "what went into the build". This 'SmoothBOM' project will focus on refinements to our Eclipse Temurin SBOM. The project will involve a fair amount of experimentation to rerun builds with variations of dependencies found using the 'strace' utility, in order to determine what dependencies have an impact on build reproducibility.
We would like help from an Outreachy intern to verify the Eclipse Temurin SBOM, for example:
- Verify that the SBOM content is valid JSON before we publish it, using the SBOM CLI tool (Issue 3018).
- Sign the SBOM (see Issue 3158).
- Check that the contents of the SBOM are complete enough to reflect our build (SHAs, tool versions, etc.) and contain all the information required to reproduce the build so that the result is binary identical.
- Adapt an existing Jenkins pipeline script, or develop a new one, that takes an SBOM artifact as input and launches a new build which is binary identical to the build the SBOM originated from.
- Update our CI Jenkins build SBOM-generating APIs to produce a complete list of Linux package dependencies, determined from an strace of the active build process, using the Temurin package determination scripting that is already in place.
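As an added example (not the project's own tooling), a small Python completeness check of the kind the first and third items describe: it rejects an SBOM that is not valid JSON and flags any component that lacks a version or a well-formed SHA-256 hash. The CycloneDX-style field names and the sample SBOM are assumptions constructed for the example.

```python
import json
import re

# Assumed CycloneDX-style layout (an assumption, not taken from the page):
# top-level bomFormat/specVersion/components, each component carrying
# name, version and a hashes list of {"alg", "content"} objects.
REQUIRED_TOP = ("bomFormat", "specVersion", "components")
HEX64 = re.compile(r"^[0-9a-f]{64}$")

def sbom_findings(sbom_text: str) -> list:
    """Return human-readable findings; an empty list means the SBOM passes."""
    try:
        bom = json.loads(sbom_text)
    except json.JSONDecodeError as exc:
        # Not valid JSON at all: nothing downstream can consume it.
        return [f"not valid JSON: {exc.msg} at offset {exc.pos}"]
    findings = [f"missing top-level field '{k}'" for k in REQUIRED_TOP if k not in bom]
    for idx, comp in enumerate(bom.get("components", [])):
        label = comp.get("name") or f"component #{idx}"
        if not comp.get("name"):
            findings.append(f"{label}: missing name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        # A build can only be reproduced bit-for-bit if every input is pinned by hash.
        sha256 = [h.get("content", "") for h in comp.get("hashes", [])
                  if h.get("alg") == "SHA-256"]
        if not sha256:
            findings.append(f"{label}: no SHA-256 hash")
        elif not all(HEX64.match(h.lower()) for h in sha256):
            findings.append(f"{label}: malformed SHA-256 hash")
    return findings

# Constructed sample: one complete component, one lacking a version, one with a bad hash.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "gcc", "version": "10.3.0",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"name": "make", "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"name": "zlib", "version": "1.2.11",
         "hashes": [{"alg": "SHA-256", "content": "notahash"}]},
    ],
})

if __name__ == "__main__":
    for line in sbom_findings(SAMPLE_SBOM) or ["SBOM is complete"]:
        print(line)
```

A pipeline step would fail the publish stage whenever the returned list is non-empty.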
Intern: Atuhwera Julian
Mentors: Andrew Leonard, Wen Zhou, Shelley Lambert