Add SBOM design document and improve SECURITY.md#332
Merged
Conversation
This document outlines the plan to add CycloneDX SBOM generation for PerlOnJava, covering both Java dependencies (via Gradle/Maven plugins) and bundled Perl modules (via SBOM::CycloneDX).

Key points:
- Phase 1: Add CycloneDX plugins to Gradle and Maven builds
- Phase 2: Generate Perl module SBOM using SBOM::CycloneDX
- Phase 3: Optional combined SBOM merging
- CI/CD integration for automated SBOM generation
- Compliance with NTIA minimum elements and CISA guidelines

No code changes yet - this is a planning document only.

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
Documents where SBOM files will be stored:
- Build output (build/reports/sbom/ for Gradle, target/ for Maven)
- JAR distribution (META-INF/sbom/)
- DEB package (/opt/perlonjava/share/sbom/)
- GitHub release artifacts (standalone files)

Includes configuration snippets for embedding the SBOM in the JAR and DEB.

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
Documents hash support in CycloneDX:
- Supported algorithms: MD5, SHA-1, SHA-256, SHA-384/512, SHA3-*, BLAKE2b/3
- Java dependencies: hashes are automatically included by plugins
- Perl modules: need manual SHA-256 computation using Digest::SHA
- Hash verification enables integrity checking

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
PerlOnJava ships as a single uber JAR with all dependencies shaded in.

Updated hash strategy:
- Java deps: automatic per-component hashes (pre-shading artifacts)
- Perl modules: skip individual hashes (version/license sufficient)
- Distribution: single .sha256 file alongside JAR/DEB releases

This simplifies the Perl SBOM generation - no need to compute 511 individual hashes for bundled modules.

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
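The two commits above weigh per-module hashes against a single distribution-level checksum. The following is an added example, not code from this PR or from PerlOnJava, showing what a per-module CycloneDX component with a SHA-256 hash looks like and how a consumer would verify it; the module sources are constructed inline, and the `pkg:cpan/Name@version` PURL form is an assumption for illustration.

```python
import hashlib
import json

# Constructed sample: module name -> (version, source text). In a real build the
# source text would be read from the bundled module file on disk.
SAMPLE_MODULES = {
    "Data::Dumper": ("2.183", "package Data::Dumper;\nour $VERSION = '2.183';\n1;\n"),
    "List::Util": ("1.63", "package List::Util;\nour $VERSION = '1.63';\n1;\n"),
}

# Hash algorithm names as CycloneDX spells them in the "alg" field.
CYCLONEDX_HASH_ALGS = {"MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512",
                       "SHA3-256", "SHA3-384", "SHA3-512", "BLAKE3"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def perl_component(name: str, version: str, source: str) -> dict:
    """One CycloneDX 'library' component for a bundled Perl module, with a SHA-256 hash."""
    return {
        "type": "library",
        "name": name,
        "version": version,
        "purl": f"pkg:cpan/{name}@{version}",  # assumed PURL layout, see lead-in
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(source.encode("utf-8"))}],
    }


def build_sbom(modules: dict) -> dict:
    """Minimal CycloneDX JSON document covering the given Perl modules."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [perl_component(n, v, s) for n, (v, s) in sorted(modules.items())],
    }


def verify_component(component: dict, source: str) -> bool:
    """Consumer-side integrity check: every recorded hash must use a known
    algorithm, and the SHA-256 entry must match the module source we actually have."""
    recorded = {h["alg"]: h["content"] for h in component.get("hashes", [])}
    if not recorded or not set(recorded) <= CYCLONEDX_HASH_ALGS:
        return False
    return recorded.get("SHA-256") == sha256_hex(source.encode("utf-8"))


def to_json(sbom: dict) -> str:
    return json.dumps(sbom, indent=2, sort_keys=True)
```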
Attribution is tracked in git history.

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
Accuracy fixes:
- Correct Gradle version catalog plugin syntax
- Fix output paths to match actual CycloneDX defaults (build/reports/cyclonedx/)
- Remove biased claim about SPDX tooling maturity
- Fix "re-implemented" claim for Perl pragmas
- Remove hallucinated version date for SBOM::CycloneDX
- Correct claim about CPAN checksums

Clarity improvements:
- Add glossary explaining SBOM, CycloneDX, PURL, VEX, shaded JAR, Maven Central, CPAN
- Better explain "why SBOM matters" with concrete use cases
- Simplify Phase 2 options to single recommended approach
- Add context for both Java and Perl developers
- Improve code examples with comments

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
- Update Phase 3 merge example to use correct paths
- Update CI/CD section to use build/reports/cyclonedx/
- Remove speculative Dependency-Track integration (can be added later)
- Simplify release artifacts example

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
- Add SBOM standards: ECMA-424, SPDX, PURL, VEX specs
- Add CycloneDX tooling: CLI, online validator
- Add Java/Perl resources: Maven Central, CPAN
- Add EU Cyber Resilience Act
- Add inline links to glossary terms

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
- Document CPANSec as the CVE Numbering Authority for Perl/CPAN
- Add cpansa-feed for machine-readable security advisories
- Add perl-SBOM-Examples for SBOM best practices
- Document integration opportunity for vulnerability checking
- Expand Perl Resources in references section

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
- Add email as alternative reporting channel
- Add section for bundled Perl module vulnerabilities with CPANSec contact
- Add response timeline targets (7/14/90 days)
- Expand dependency vulnerabilities section with CPANSA feed reference
- Add TODO placeholder for future SBOM reference
- Add Related Resources section with security links

Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <noreply@cognition.ai>
Summary
This PR adds an SBOM (Software Bill of Materials) design document and improves the security policy.
Changes
1. SBOM Design Document (dev/design/sbom.md)

A comprehensive plan for adding CycloneDX SBOM generation to PerlOnJava, covering:
- SBOM::CycloneDX from CPAN

Status: Planning document only - no code changes. Implementation tracked in Next Steps section.

2. Security Policy Improvements (SECURITY.md)

References

Generated with Devin