@snazy commented Oct 25, 2025

No description provided.

@github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Oct 25, 2025
@snazy force-pushed the cyclonedx-sbom branch 8 times, most recently from a812ec9 to 1735a04, October 27, 2025 09:30
@snazy force-pushed the cyclonedx-sbom branch 6 times, most recently from a353dd8 to 7c548d3, November 1, 2025 19:53
* Java: Uses cyclonedx-gradle-plugin
* Python: Uses cyclonedx-bom
  * Not as rich as the SBOM for Java :(
license = "Apache-2.0"
keywords = ["Apache Polaris", "Polaris", "Polaris Management Service", "Apache Iceberg REST Catalog API"]
dynamic = ["classifiers"]
dependencies = [
Member Author

@MonkeyCanCode I heard you're a poetry guy ;)

This PR is a draft / experiment, but if you have some time I'd appreciate your advice.

So, in this PR I want to generate Cyclone SBOMs and also tried to add some rudimentary stuff for the Python client.

I'm not sure why, but I had to move some stuff around in this file. Is this an issue (no clue why the CycloneDX tool expects stuff to be in this place when scanning the poetry metadata 🤷 )?

And what I also don't understand is why chardet's reported as an error, for example in this run. I know we tackled this dependency before, but I don't see why it's flagged again.
