Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EPIC: Re-architecture Temurin SBOM format #3952

Open
1 of 5 tasks
andrew-m-leonard opened this issue Sep 24, 2024 · 3 comments
Open
1 of 5 tasks

EPIC: Re-architecture Temurin SBOM format #3952

andrew-m-leonard opened this issue Sep 24, 2024 · 3 comments
Labels
enhancement Issues that enhance the code or documentation of the repo in any way epic Issues that are large and likely multi-layered features or refactors

Comments

@andrew-m-leonard
Copy link
Contributor

andrew-m-leonard commented Sep 24, 2024
edited by sxa
Loading

The Temurin SBOM has grown organically over time with various enhancements. It has got to a point where we need to carefully consider the current and future use cases, and possibly develop an updated architecture/layout of the SBOM

[SXA: Added issues arising from the secure dev call on 30/Sep/2024]
@andrew-m-leonard andrew-m-leonard added the enhancement Issues that enhance the code or documentation of the repo in any way label Sep 24, 2024
@andrew-m-leonard andrew-m-leonard added the epic Issues that are large and likely multi-layered features or refactors label Sep 24, 2024
@sxa sxa moved this to In Progress in 2024 4Q Adoptium Plan Sep 30, 2024
@sxa sxa pinned this issue Sep 30, 2024
@jiekang
Copy link
Contributor

jiekang commented Nov 12, 2024

@andrew-m-leonard @sxa I see this got moved to in progress but without an assignee; is there someone leading this that we should assign this issue to?

@sxa
Copy link
Member

sxa commented Nov 13, 2024

@andrew-m-leonard @sxa I see this got moved to in progress but without an assignee; is there someone leading this that we should assign this issue to?

That's a good question and one which we hadn't previously explicitly discussed so it makes sense to have clarity on it. We thrashed this around a little in our product owners call today and decided that since there is no explicit work in the epic and the subtasks all have separate owners the epic does not require an owner, but it is reasonably to have it in in-progress as opposed to todo to indicate that it is an epic which we are actively working on the tasks for. We will also add a "paused/blocked" status (I believe we had this in some earlier plans) so we can make it clearer if work has been actively paused on it.

I've updated our guidelines at the top level adoptium wiki in accordance with this policy.

@smlambert smlambert moved this to In Progress in 2025 Adoptium Plan Feb 5, 2025
@andrew-m-leonard
Copy link
Contributor Author

Following a review of SBOM -metadata and SBOM.json content it was noted the current sbom.json contains mostly repeated component data for every archive JDK,JRE,DEBUGIMAGE,TESTIMAGE,... which is duplicating a lot of information. The new sbom should refactor the common "runtime/core" component information into a CycloneDX sub-component, referenced by each archive component.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Issues that enhance the code or documentation of the repo in any way epic Issues that are large and likely multi-layered features or refactors
Projects
2025 Adoptium Plan
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jiekang @sxa @andrew-m-leonard