Spike: Replace Gemnasium with open source native CDX SBOM generators
Topic to Evaluate
Evaluate whether the Gemnasium analyzer maintained by ~"group::composition analysis" could be replaced with open source CycloneDX SBOM generators.
The CycloneDX (CDX) SBOM generators would be native ones, meaning that they are implemented using the programming language and package manager they support. For instance, a CDX generator for sbt would be implemented in Scala, and its dependencies managed using sbt itself.
This approach has been discussed in the following threads:
The scope is limited to SBOM components of the `library` type (application-level dependencies). These SBOM components are used for Dependency Scanning. Container Scanning and system-level dependencies are out of scope.
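When evaluating a native generator, the first thing to check is whether the `library` components it emits carry what Dependency Scanning needs. The script below is an added example written for this spike, not code from Gemnasium or from any CycloneDX generator: it parses a CycloneDX JSON document, keeps only `library` components (walking nested components as well), and flags library entries that lack a purl. The SBOM it reads is a constructed sample, and the assumption that Dependency Scanning identifies packages by purl is this example's, not a statement from the issue.

```python
import json

# Constructed sample: a minimal CycloneDX 1.4 JSON SBOM in the shape a native
# sbt/Scala generator might emit. The components are made up for this example
# and are not output from any real generator.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "cats-core_2.13", "version": "2.9.0",
         "purl": "pkg:maven/org.typelevel/cats-core_2.13@2.9.0",
         # transitive dependency nested under its parent, as some generators do
         "components": [
             {"type": "library", "name": "cats-kernel_2.13", "version": "2.9.0",
              "purl": "pkg:maven/org.typelevel/cats-kernel_2.13@2.9.0"},
         ]},
        {"type": "library", "name": "scala-library", "version": "2.13.10",
         "purl": "pkg:maven/org.scala-lang/scala-library@2.13.10"},
        # system-level and application entries are out of scope for DS
        {"type": "operating-system", "name": "debian", "version": "12"},
        {"type": "application", "name": "my-service", "version": "0.1.0"},
        # a library entry without a purl (assumed here to be unusable by DS)
        {"type": "library", "name": "unknown-lib", "version": "1.0"},
    ],
})


def load_cyclonedx(text):
    """Parse a CycloneDX JSON document and check the fields this check relies on."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in doc:
        raise ValueError("missing specVersion")
    return doc


def library_components(doc):
    """Return (name, version, purl) for every component of type 'library'.

    Other types (operating-system, application, container, ...) are skipped
    because they are out of scope for Dependency Scanning. Nested 'components'
    lists are walked so transitive dependencies are not missed.
    """
    found = []

    def walk(components):
        for c in components:
            if c.get("type") == "library":
                found.append((c.get("name"), c.get("version"), c.get("purl")))
            walk(c.get("components", []))

    walk(doc.get("components", []))
    return found


def missing_purl(doc):
    """Library components with no purl; assumed to need manual follow-up in the evaluation."""
    return [(n, v) for n, v, p in library_components(doc) if not p]


if __name__ == "__main__":
    bom = load_cyclonedx(SAMPLE_SBOM)
    for name, version, purl in library_components(bom):
        print(f"{name} {version} {purl}")
    print("library components without purl:", missing_purl(bom))
```

Running this against a generator's real output (replace `SAMPLE_SBOM` with the file contents) gives a quick count of usable `library` components per generator, which is the number that matters when comparing coverage against Gemnasium.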
Timebox
3 days
Tasks prior to evaluation
- Clearly document the topic to be evaluated in this issue description
- Determine the specific scope, including time-bounds for the investigation: 3 days
Tasks to Evaluate
Topics to research/evaluate:
- feasibility
- opportunities
- limitations
- risks
- maintenance
- skillset
- compatible software licenses
- migration path
Outcome:
- Make a proposal that can be turned into an epic, if accepted.
Team
- Add the ~"workflow::planning breakdown" and ~"type::feature" labels and the corresponding ~devops::<stage> and ~group::<group> labels.
- Ping the PM and EM.
Edited by Thiago Figueiró