SBOM


Leitao Fabien

Nov 7, 2024, 7:53:06 AM
to bazel-discuss
Dear Bazel Team,

To satisfy our customers' needs, we need to generate a bzlmod-compatible SBOM. As @aiuto is no longer part of the Bazel team, I took over some of his work. I used https://github.com/bazelbuild/bazel/blob/master/tools/compliance/BUILD as a base for my work. Currently, the tool only supports reading the Maven lock file. I evolved the tool to also parse the bzlmod lock file (MODULE.bazel.lock). From this, I include the following packages in the SBOM in SPDX format:
- Maven
- PyPI
- external Python packages

I only modified the following two files:
https://github.com/bazelbuild/bazel/blob/master/tools/compliance/write_sbom.py
https://github.com/bazelbuild/bazel/blob/master/tools/compliance/sbom.bzl

An issue on this subject already exists: https://github.com/bazelbuild/bazel/issues/16331, as well as a discussion: https://github.com/bazelbuild/bazel/discussions/22966

Should I create a new issue before creating my pull request?

Please do not hesitate to contact me for any further information.

Thank you.

Kind regards,
Fabien LEITAO
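An added example in the spirit of the lockfile parsing described above; it is not code from the Bazel tools/compliance scripts. It derives SPDX 2.3 package entries from the registryFileHashes map of a MODULE.bazel.lock, assuming (as recent lockfile versions do) that the map keys are registry URLs and the values are SRI strings of the form "sha256-<base64>" or the literal "not found"; the sample lockfile is constructed, and the SPDXID layout is this example's own choice.

```python
import base64
import re

# Registry path of a module's MODULE.bazel: .../modules/<name>/<version>/MODULE.bazel
MODULE_URL = re.compile(r"^https?://[^/]+/modules/([^/]+)/([^/]+)/MODULE\.bazel$")


def _sri(raw: bytes) -> str:
    """Constructed SRI value in the shape the lockfile uses ("sha256-<base64>")."""
    return "sha256-" + base64.b64encode(raw).decode()


# Constructed sample, not a real lockfile: two modules pinned, one lookup the
# registry answered "not found", and non-module files the parser must skip.
SAMPLE_LOCK = {"lockFileVersion": 11, "registryFileHashes": {
    "https://bcr.bazel.build/bazel_registry.json": _sri(b"\x01" * 32),
    "https://bcr.bazel.build/modules/rules_java/7.1.0/MODULE.bazel": _sri(b"\x02" * 32),
    "https://bcr.bazel.build/modules/rules_java/7.1.0/source.json": _sri(b"\x03" * 32),
    "https://bcr.bazel.build/modules/rules_python/0.31.0/MODULE.bazel": "not found",
    "https://bcr.bazel.build/modules/rules_python/0.37.2/MODULE.bazel": _sri(b"\x04" * 32),
}}


def sri_to_hex(sri: str) -> str:
    """SPDX checksums are hex; bzlmod stores SRI base64. Accept only well-formed SHA-256."""
    algo, _, b64 = sri.partition("-")
    if algo != "sha256":
        raise ValueError(f"unsupported SRI algorithm in {sri!r}")
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != 32:
        raise ValueError(f"sha256 digest has {len(digest)} bytes, expected 32")
    return digest.hex()


def lock_to_spdx_packages(lock: dict) -> list:
    """One SPDX 2.3 package per module version the registry actually served."""
    packages = []
    for url, sri in sorted(lock.get("registryFileHashes", {}).items()):
        match = MODULE_URL.match(url)
        if not match or sri == "not found":
            continue  # bazel_registry.json, source.json, or a registry miss
        name, version = match.groups()
        # SPDXIDs allow only letters, digits, '.' and '-', so rules_java -> rules-java
        spdx_id = "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{name}-{version}")
        packages.append({"name": name, "SPDXID": spdx_id, "versionInfo": version,
                         "downloadLocation": url, "filesAnalyzed": False,
                         "checksums": [{"algorithm": "SHA256", "checksumValue": sri_to_hex(sri)}]})
    return packages
```

registryFileHashes records every registry file consulted during resolution, including module versions that lost minimum-version selection, so treat this list as a superset and cross-check it against `bazel mod graph` before publishing it as the SBOM.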

Florian Weikert

Nov 8, 2024, 4:10:06 AM
to bazel-discuss
Hey Fabien,

I'm very interested in your approach, so thanks for bringing this subject up :)

There are currently some ongoing efforts related to SBOM - for example, we're restructuring rules_license (proposal).
If you want to join the discussion: we have a monthly meeting (notes w. meet link), and there is a dedicated Slack channel.
We also discussed SBOMs during BazelCon 2024 last month (notes).

Cheers,

Florian

simon.m.stewart

Nov 8, 2024, 5:46:36 AM
to bazel-discuss
Hi,

More rulesets are annotating targets with `PackageInfo` providers. If we could generate SBOMs using primitives from `rules_license`, that would be most helpful.

At work, we can generate SBOMs from the build graph using some custom code. We originally read the lock files, but found that if those changed, we'd end up over-building in our CI, since every SBOM target in the tree (which we generated for every "exportable" thing, such as `java_export`, wheels, or docker images) would have its input change.

As an aside, I should also say that the format of the lock file in `rules_jvm_external` is not documented, and I reserve the right to change it when I need to. If you need to access it, please use the `v1_lock_file.bzl` or `v2_lock_file.bzl` helpers which we use for this. https://github.com/bazel-contrib/rules_jvm_external/blob/master/private/rules/v2_lock_file.bzl

Kind regards,

Simon
