SBOM endpoint

Emmanuel Bernard

Jun 13, 2024, 10:00:20 AM
to Quarkus Development mailing list
I find the idea by our Spring Boot friends interesting

A SBOM actuator in their parleys.

@Stuart, do you think that's useful?

Emmanuel

Stuart Douglas

Jun 13, 2024, 10:12:51 AM
to eber...@redhat.com, Quarkus Development mailing list
I did something kinda similar a while ago, where I ended a list of components into quarkus applications (see quarkus-app-dependencies.txt in the application itself). It would be pretty simple to use cyclonedx indeed and output an SBOM.

My original idea was to make it something usable by security scanners, but it never went anywhere. We also need to be aware of the security implications as you would not want this on a public endpoint. I'm not sure if this is interesting or not, there has been a lot more interest in the space since I first implemented the encoded dependencies idea.

Stuart

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CANYWk7P1bw1BKmeKmituBGCdVbHK96C-PJn_qDC1aRHLxLrxKw%40mail.gmail.com.

Alexey Loubyansky

Jun 13, 2024, 10:38:09 AM
to sdou...@redhat.com, Quarkus Development mailing list, eber...@redhat.com
Right, we don’t want to use the cdx maven plugin for it though, since it’s not able to capture quarkus application dependency.
I have a branch where I implemented that part. What’s missing is proper manifesting of the resulting deliverables, since that’s what SBOMs are meant to manifest.

Max Rydahl Andersen

Jun 13, 2024, 11:42:58 AM
to Alexey Loubyansky, sdou...@redhat.com, Quarkus Development mailing list, eber...@redhat.com

+1.

I think it's interesting and fits into the /q/info endpoint we have - which is not active by default (good for security)
and can be put behind separate management port (even better for security).

Having a sbom serving feature is one thing.

The other is how that sbom is generated and that's where Alexey's comments are relevant:
cyclone (and any other tool out there today) don't capture/grok Quarkus dependency setup;
some will argue they don't even know about java :)

So having such understanding contributed to those projects would be a good thing.

If we can then within Quarkus build system enhance those sboms in both Maven and Gradle that might be further interesting.

/max
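
An added configuration example (mine, not from this thread or the Quarkus project) showing the two placements Max contrasts: the weak layout leaves `/q/info` on the public application port, the hardened layout enables the separate management interface so that the non-application endpoints move off the public port and onto an address that is not internet-facing. The property names `quarkus.info.enabled`, `quarkus.management.enabled`, `quarkus.management.host` and `quarkus.management.port` are existing Quarkus configuration keys; the chosen host and port values are assumptions, and no SBOM-specific property is shown because the endpoint discussed here did not exist at the time.

```properties
# --- weak: /q/info answers on the public application port (8080 by default) ---
# Anyone who can reach the application can enumerate its components.
# quarkus.info.enabled=true
# (management interface left at its default of disabled)

# --- hardened: non-application endpoints on a separate management interface ---
quarkus.info.enabled=true
quarkus.management.enabled=true
# Assumption: bind the management listener to loopback (or an internal address),
# so /q/info is only reachable from the host or an internal network, never 0.0.0.0.
quarkus.management.host=127.0.0.1
# Assumption: explicit port; 9000 is the Quarkus default for the management interface.
quarkus.management.port=9000
```

With the hardened settings, `/q/info` is served from `http://127.0.0.1:9000/q/info` and is no longer reachable through the application port; a future SBOM endpoint would be expected to follow the same placement, since a full component inventory is exactly what a scanner wants but also what an attacker profiling the service wants.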

Georgios Andrianakis

Jun 13, 2024, 11:45:08 AM
to mand...@redhat.com, Alexey Loubyansky, sdou...@redhat.com, Quarkus Development mailing list, eber...@redhat.com
On Thu, Jun 13, 2024 at 6:43 PM Max Rydahl Andersen <mand...@redhat.com> wrote:

> +1.
>
> I think it's interesting and fits into the /q/info endpoint we have - which is not active by default (good for security)
> and can be put behind separate management port (even better for security).

If we have the SBOM, we can very easily do this


--

Georgios Andrianakis

Independent Contractor