
{CI} Generate SBOM manifest for built packages #21278

Merged (13 commits) on Mar 7, 2022

Conversation

@wangzelin007 (Member) commented Feb 14, 2022

Description

Add ado-sbom-generator-task to support generating an SBOM (Software Bill of Materials) manifest for built packages.

We need to generate an SBOM manifest in every artifacts directory.


But there are two remaining problems:

  1. Required packages like azure-mgmt-resource are missing from the built artifact. The SBOM team uses component-detection to detect Python packages.
     Opened two issues in the component-detection repo:
     - Component detection only finds the setup.py file in the tools directory.
     - Component detection only matches setup.py and requirement.txt files.
  2. The pipeline fails when the variable Packaging.EnableSBOMSigning: true is set.
     Error message:
     - ##[error]The signing feature is not available for your organization yet.

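One way to catch the first problem described in this PR (packages such as azure-mgmt-resource missing from the generated manifest) is to compare each built wheel's declared dependencies against the SBOM before the artifact is published. The script below is an added example, not code from the azure-cli repo or from the SBOM generator task. It assumes the manifest is SPDX 2.2 JSON with a top-level `packages` list whose entries carry a `name` field (the layout the Microsoft SBOM tool writes), and the wheel and SBOM it checks are constructed inline for the demo.

```python
"""Verify that every runtime dependency declared by a built wheel is present
in the SPDX SBOM generated for that artifact.

Added example (not azure-cli or SBOM-tool code). Assumptions:
  * the SBOM is SPDX 2.2 JSON with a top-level "packages" list of
    {"SPDXID": ..., "name": ..., "versionInfo": ...} entries;
  * the wheel's dependency list is the Requires-Dist lines of its
    .dist-info/METADATA file (the standard wheel layout).
The wheel and SBOM used at the bottom are constructed sample data.
"""
import io
import json
import re
import zipfile
from typing import List, Set

# Requires-Dist values look like "azure-mgmt-resource (==20.0.0)" or
# "requests>=2.25"; only the leading distribution name matters here.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Azure_Mgmt.Resource' equals 'azure-mgmt-resource'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def wheel_requirements(wheel_bytes: bytes, include_extras: bool = False) -> Set[str]:
    """Return normalised names of the wheel's Requires-Dist dependencies.

    Dependencies guarded by an 'extra == ...' marker are optional and are
    skipped unless include_extras is True, so they do not show up as noise.
    """
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        meta = [n for n in zf.namelist() if n.endswith(".dist-info/METADATA")]
        if not meta:
            raise ValueError("wheel has no .dist-info/METADATA")
        text = zf.read(meta[0]).decode("utf-8")
    reqs: Set[str] = set()
    for line in text.splitlines():
        if not line.startswith("Requires-Dist:"):
            continue
        spec, _, marker = line[len("Requires-Dist:"):].partition(";")
        if not include_extras and "extra" in marker:
            continue
        m = _NAME_RE.match(spec)
        if m:
            reqs.add(normalize(m.group(1)))
    return reqs


def sbom_packages(sbom_json: str) -> Set[str]:
    """Normalised names of every package listed in an SPDX JSON document."""
    doc = json.loads(sbom_json)
    return {normalize(p["name"]) for p in doc.get("packages", [])}


def missing_from_sbom(wheel_bytes: bytes, sbom_json: str) -> List[str]:
    """Dependencies the wheel declares that the SBOM does not list (sorted)."""
    return sorted(wheel_requirements(wheel_bytes) - sbom_packages(sbom_json))


# ---- constructed sample data -------------------------------------------------
DEMO_METADATA = """\
Metadata-Version: 2.1
Name: example-cli
Version: 0.0.0
Requires-Dist: azure-mgmt-resource (==20.0.0)
Requires-Dist: Requests (>=2.25.1)
Requires-Dist: paramiko (>=2.0.8) ; extra == 'ssh'
"""


def build_demo_wheel() -> bytes:
    """Build a minimal in-memory wheel (a zip with a .dist-info/METADATA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example_cli-0.0.0.dist-info/METADATA", DEMO_METADATA)
        zf.writestr("example_cli/__init__.py", "")
    return buf.getvalue()


# A constructed SBOM that, like the one described in the PR, lacks
# azure-mgmt-resource because the detector never saw the wheel's metadata.
DEMO_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-cli 0.0.0",
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "example-cli", "versionInfo": "0.0.0"},
        {"SPDXID": "SPDXRef-Package-1", "name": "requests", "versionInfo": "2.27.1"},
    ],
})

if __name__ == "__main__":
    gaps = missing_from_sbom(build_demo_wheel(), DEMO_SBOM)
    print("missing from SBOM:", gaps)  # → ['azure-mgmt-resource']
```

Run against a real artifacts directory by reading each `*.whl` and the `_manifest/spdx_2.2/manifest.spdx.json` next to it; a non-empty result is a reason to fail the pipeline stage rather than publish an incomplete manifest.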

test sbom
@yonzhan (Collaborator) commented Feb 15, 2022

CI

@wangzelin007 (Member, Author) commented:

/azp run

@azure-pipelines commented:

Azure Pipelines successfully started running 2 pipeline(s).

@wangzelin007 wangzelin007 changed the title {CI} test sbom {CI} Support sbom Mar 4, 2022
@wangzelin007 wangzelin007 changed the title {CI} Support sbom {CI} Support SBOM Mar 4, 2022
@wangzelin007 wangzelin007 linked an issue Mar 4, 2022 that may be closed by this pull request
@jiasli (Member) commented Mar 4, 2022

PR title can be "Generate SBOM manifest for built packages".

BTW, if anyone is interested, SBOM stands for "Software Bill of Materials".

BTW No 2, it should be "manifest", not "mainfest". 🤣

@wangzelin007 wangzelin007 changed the title {CI} Support SBOM {CI} Generate SBOM manifest for built packages Mar 4, 2022
@wangzelin007 wangzelin007 merged commit 1c021d9 into Azure:dev Mar 7, 2022
Successfully merging this pull request may close these issues.

Executive Order SBOM addition