Dear Bazel Team,
To satisfy our customers' needs, we need to generate a bzlmod-compatible SBOM. As @aiuto is no longer part of the Bazel team, I took over some of his work. I used https://github.com/bazelbuild/bazel/blob/master/tools/compliance/BUILD as a base for my work. Currently, the tool only supports reading the maven lock file. I evolved the tool to also parse the bzlmod lock file (MODULE.bazel.lock). From this, I include the following packages in the SBOM in SPDX format:
- maven
- pypi
- external python packages
We also discussed SBOMs during BazelCon 2024 last month (notes).
Cheers,
Florian
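As an added illustration of the mapping described above (not Florian's tool and not code from the Bazel repository), the following script turns a constructed bzlmod lock-file fragment plus constructed maven and pypi entries into an SPDX 2.3 document with purl references. The "moduleDepGraph" layout, the maven/pypi record shapes and the use of pkg:generic for Bazel modules are assumptions; real MODULE.bazel.lock files differ by Bazel version.

```python
import json

# Constructed sample shaped like the "moduleDepGraph" section of a bzlmod
# MODULE.bazel.lock (assumed schema; the real layout differs by Bazel version).
SAMPLE_LOCK = json.dumps({"lockFileVersion": 3, "moduleDepGraph": {
    "<root>": {"name": "myapp", "version": ""},
    "rules_python@0.31.0": {"name": "rules_python", "version": "0.31.0"}}})
# Constructed maven and pypi entries, as a tool would collect them from the
# maven lock file and the pip requirements lock (also an assumed shape).
SAMPLE_MAVEN = [{"group": "com.google.guava", "artifact": "guava", "version": "33.0.0-jre"}]
SAMPLE_PYPI = [{"name": "Requests", "version": "2.32.3"}]

def spdx_id(purl: str) -> str:
    # SPDX identifiers may contain only letters, digits, '.' and '-'.
    return "SPDXRef-" + "".join(c if c.isalnum() or c in ".-" else "-" for c in purl)

def package(name: str, version: str, purl: str) -> dict:
    # downloadLocation is NOASSERTION: lock files record coordinates, not mirrors.
    return {"name": name, "SPDXID": spdx_id(purl), "versionInfo": version,
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]}

def build_sbom(lock_json: str, maven: list, pypi: list) -> dict:
    graph = json.loads(lock_json).get("moduleDepGraph", {})
    root_name = graph.get("<root>", {}).get("name", "root")
    root = {"name": root_name, "SPDXID": f"SPDXRef-Package-{root_name}",
            "downloadLocation": "NOASSERTION", "filesAnalyzed": False}
    deps = {}  # keyed by SPDXID so repeated coordinates appear only once
    for key, mod in graph.items():
        if key != "<root>" and mod.get("version"):
            # No purl type is registered for Bazel modules, so pkg:generic is used here.
            p = package(mod["name"], mod["version"], f"pkg:generic/{mod['name']}@{mod['version']}")
            deps.setdefault(p["SPDXID"], p)
    for m in maven:
        p = package(f"{m['group']}:{m['artifact']}", m["version"],
                    f"pkg:maven/{m['group']}/{m['artifact']}@{m['version']}")
        deps.setdefault(p["SPDXID"], p)
    for py in pypi:  # pypi purl names are case-insensitive, normalised to lowercase
        p = package(py["name"], py["version"], f"pkg:pypi/{py['name'].lower()}@{py['version']}")
        deps.setdefault(p["SPDXID"], p)
    rels = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": root["SPDXID"]}]
    rels += [{"spdxElementId": root["SPDXID"], "relationshipType": "DEPENDS_ON",
              "relatedSpdxElement": sid} for sid in deps]
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": f"{root_name}-sbom", "documentNamespace": f"https://example.invalid/spdx/{root_name}",
            "packages": [root, *deps.values()], "relationships": rels}
```

Feeding the result to an SPDX validator is the useful next step: the purl on each package is what downstream vulnerability matching keys on, so a missing or malformed locator is a silent gap in coverage.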
simon.m.stewart
Nov 8, 2024, 5:46:36 AM
Hi,
More rulesets are annotating targets with `PackageInfo` providers. If we could generate SBOMs using primitives from `rules_license`, that would be most helpful.
At work, we can generate SBOMs from the build graph using some custom code. We originally read the lock files, but found that if those changed, we'd end up over-building in our CI, since every SBOM target in the tree (which we generated for every "exportable" thing, such as `java_export`, wheels, or docker images) would have its inputs change.