Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Muddasar Ahmed

Robert Heinemann

@Seanc




NOTES:

Met with Jessica Gonzalez on 8/26/2021 to understand the LFN build chain and the nexus products.  During the tour of the different components involved there appeared to be two files included in everybuild that may have the information we need to generate a software BOM.  Those are the INFO.yaml and pom.xml files.


POM files are XML files used for maven and they contain details about dependencies.  

INFO.yaml files provides information for anyone that is interested in the repository. In the INFO.yaml contains specific information to the main PTL, committers with contact details, meeting information and real time communication and list of repositories under the same control. 

Committer Management Automation via INFO.yaml - Developer Wiki - Confluence (onap.org)


Jessica also suggested that we should reach out to Kenny Paulto discuss further and solicit his thoughts on what we are trying to accomplish.

As part of the build infrastructure Jessica called out Nexus 2 for Java Artifacts, Nexus 3 for Docker image delivery, NEXUS IQ for dependency scanning and Sonar cloud for code scanning.

Where in the current ONAP Release Package should Software BOMs be placed?

We looked at the structure of releases.  There isn't a bundled release per se.  In other words there isn't a single archive that contains all the code / binaries for a release like Casablanca or say Honolulu.  Each release is by project.  So current thinking is that a BOM should be created per project. and included in the GitHub repo.


What is the structure of the Software BOM?

NTIA Software BOM References

How do we generate the Software BOM?


How does the end user use the Software BOM for trust and validation?


Attachments

  • No labels