Versions Compared

Version Old Version 7 New Version 8
Changes made by

Robert Heinemann

Robert Heinemann

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Team Members

Muddasar Ahmed

Robert Heinemann

Sean Choudhury NOTES:

Met with Jessica Gonzalez on 8/26/2021 to understand the LFN build chain and the nexus products.  During the tour of the different components involved there appeared to be two files included in everybuild that may have the information we need to generate a software BOM.  Those are the INFO.yaml and pom.xml files.

POM files are XML files used for maven and they contain details about dependencies.  

INFO.yaml files provides information for anyone that is interested in the repository. In the INFO.yaml contains specific information to the main PTL, committers with contact details, meeting information and real time communication and list of repositories under the same control. 

Committer Management Automation via INFO.yaml - Developer Wiki - Confluence (onap.org)

Jessica also suggested that we should reach out to Kenny Paulto discuss further and solicit his thoughts on what we are trying to accomplish.

As part of the build infrastructure Jessica called out Nexus 2 for Java Artifacts, Nexus 3 for Docker image delivery, NEXUS IQ for dependency scanning and Sonar cloud for code scanning.

Where in the current ONAP Release Package should Software BOMs be placed?

...

How do we generate the Software BOM?

Our first step in determining this was to try to understand the current CI/CD infrastructure.  With that in mind we met with Jessica Gonzalez on 8/26/2021 to understand the LFN build chain and the Nexus products.  During the tour of the different components involved there appeared to be two files included in every build that may have the information we need to generate a software BOM.  Those are the INFO.yaml and pom.xml files.


POM files are XML files used for maven and they contain details about dependencies.  

INFO.yaml files provides information for anyone that is interested in the repository. In the INFO.yaml contains specific information to the main PTL, committers with contact details, meeting information and real time communication and list of repositories under the same control. 

Committer Management Automation via INFO.yaml - Developer Wiki - Confluence (onap.org)


Jessica also suggested that we should reach out to Kenny Paulto discuss further and solicit his thoughts on what we are trying to accomplish.

As part of the build infrastructure Jessica called out Nexus 2 for Java Artifacts, Nexus 3 for Docker image delivery, NEXUS IQ for dependency scanning and Sonar cloud for code scanning.

How does the end user use the Software BOM for trust and validation?

...