
I'm using spring-boot-maven-plugin to generate the buildpack image (it internally uses the Paketo buildpacks).

During building phase, this trace is shown several times:

 [creator]     Warning: BOM table is deprecated in this buildpack api version, though it remains supported for backwards compatibility. Buildpack authors should write BOM information to <layer>.sbom.<ext>, launch.sbom.<ext>, or build.sbom.<ext>.

When I inspect with the --bom option, I get the following warning:

pack inspect-image docker.io/library/my-springboot-test:1.0.0.Final --bom

Warning: Using the '--bom' flag with 'pack inspect-image <image-name>' is deprecated. Users are encouraged to use 'pack sbom download <image-name>'.
{
  "remote": null,
  "local": [
    {...

and when I try "pack sbom download docker.io/library/my-springboot-test:1.0.0.Final" as suggested:

ERROR: could not find SBoM information on 'docker.io/library/my-springboot-test:1.0.0.Final'

Does anybody know how to include sbom information into the buildpack?

I've also tried using the CycloneDX plugin in the same pom; it generates the SBOM, but I don't know where to put it so that Paketo takes it into account when building the image.

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.1</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.4</schemaVersion>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <outputReactorProjects>true</outputReactorProjects>
        <outputFormat>json</outputFormat>
        <outputName>../layers/build.sbom.cdx</outputName>
    </configuration>
</plugin>

Is it possible to do it? What's failing?

Gonzalo Muñoz
  • 1.) `Warning: BOM table is deprecated in this buildpack api version...` is confusing, but that is a message to the buildpack author, not the end user, so as an end user you can ignore that. Which buildpack is generating that? I can look and see what it's doing. 2.) `pack sbom download`: use this command, not `pack inspect-image`, to get the SBOM. 3.) You don't need the Maven plugin, not when using buildpacks. 4.) The important question is why it can't find the SBOM info, and it's hard to tell. What version of Spring Boot are you using? And can you include the full output from building? – Daniel Mikusa Jul 29 '22 at 15:53
  • Thanks for your response Daniel. I want to use spring-boot-maven-plugin because I can integrate the image building process into my CI with Maven and run end-to-end tests. The spring-boot version (also for the plugin) is 2.6.6. Here is the output of my building process: https://gist.github.com/gmunozfe/b5b0aca6bc32841f04c9c9b497628419 – Gonzalo Muñoz Jul 29 '22 at 17:32
  • I believe that this is a limitation of the Spring Boot Maven & Gradle plugins in Spring 2.6. These implement an older version of the buildpacks platform specification, which predates the new SBOM specification. The buildpacks and buildpacks tooling have moved on to using this new SBOM specification though. If you upgrade to Spring 2.7, there's a strong possibility that this will start working for you. If you can't upgrade to 2.7 just yet, you can use the `pack` CLI to run your builds until you can upgrade. – Daniel Mikusa Jul 29 '22 at 18:55
  • Great, it worked with spring-boot 2.7.2. Thanks a lot Daniel! – Gonzalo Muñoz Jul 29 '22 at 19:28

1 Answer


This is a limitation of the Spring Boot Maven & Gradle plugins in Spring Boot 2.6.

This version of Spring Boot implements an older version of the buildpacks platform specification, which predates the new SBOM specification. The buildpacks and buildpacks tooling have moved on to using this new SBOM specification though.

There are two possible solutions:

  1. Upgrade to Spring 2.7. This implements the latest platform specification and will support the new SBOM format.

  2. If you can't upgrade to 2.7 just yet, you can use the pack CLI or kpack to run your builds until you can upgrade. They both also support the newer platform API required to use the new SBOM format.

Daniel Mikusa
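Once the build runs on the newer platform API and `pack sbom download` succeeds, the result is not one SBOM but one CycloneDX file per buildpack layer (the `<layer>.sbom.<ext>` convention from the warning in the question). The script below is an added example, not code from the question, the answer or the Paketo project: it merges those per-layer files into a single component inventory and flags components that carry no version (which cannot be matched against vulnerability data). The directory layout `layers/sbom/launch/<buildpack>/<layer>/sbom.cdx.json` and all component data are constructed assumptions for the demo.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample: two per-layer CycloneDX documents, laid out the way this
# example assumes `pack sbom download` writes them (an assumption, not verified
# against pack's source). Component names and versions are made up.
SAMPLE_SBOMS = {
    "layers/sbom/launch/paketo-buildpacks_bellsoft-liberica/jre/sbom.cdx.json": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"name": "bellsoft-jre", "version": "17.0.4",
             "purl": "pkg:generic/bellsoft-jre@17.0.4"},
        ],
    },
    "layers/sbom/launch/paketo-buildpacks_executable-jar/application/sbom.cdx.json": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"name": "spring-boot", "version": "2.7.2",
             "purl": "pkg:maven/org.springframework.boot/spring-boot@2.7.2"},
            {"name": "bellsoft-jre", "version": "17.0.4",
             "purl": "pkg:generic/bellsoft-jre@17.0.4"},   # duplicate across layers
            {"name": "mystery-lib"},                          # no version: flagged
        ],
    },
}

def write_sample(root):
    """Materialise the constructed SBOM tree under `root`."""
    for rel, doc in SAMPLE_SBOMS.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(doc))

def collect_components(root):
    """Merge every *.cdx.json under `root` into {purl-or-name: {name, version, layers}}."""
    inventory = {}
    for path in sorted(Path(root).rglob("*.cdx.json")):
        doc = json.loads(path.read_text())
        if doc.get("bomFormat") != "CycloneDX":
            continue                       # skip syft/spdx or unrelated files
        layer = str(path.parent.relative_to(root))
        for comp in doc.get("components", []):
            key = comp.get("purl") or comp["name"]   # purl is the stable identity
            entry = inventory.setdefault(
                key, {"name": comp["name"], "version": comp.get("version"), "layers": set()})
            entry["layers"].add(layer)
    return inventory

def unversioned(inventory):
    """Keys of components with no version; these cannot be matched to advisories."""
    return sorted(k for k, v in inventory.items() if not v["version"])

def build_inventory_from_sample():
    """Write the sample tree to a temp dir and return the merged inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        return collect_components(tmp)

if __name__ == "__main__":
    inv = build_inventory_from_sample()
    for key, e in sorted(inv.items()):
        print(f"{e['name']} {e['version'] or '?'} <- {', '.join(sorted(e['layers']))}")
    print("unversioned:", unversioned(inv))
```

Point `collect_components` at the directory `pack sbom download` produced to run it against a real image; the same merge logic applies to the `launch.sbom.<ext>` and `build.sbom.<ext>` files, since they are plain CycloneDX documents too.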