Bundle SBOM for Enterprise image [DI-745]#1239

Draft
JackPGreen wants to merge 1 commit into master from add-sbom
Conversation

@JackPGreen (Collaborator) commented Feb 25, 2026

Requires https://github.com/hazelcast/hazelcast-mono/pull/6061

Bundles the SBOM generated from the deployed artifacts (downloaded via Maven), along with the SBOM generated via Docker for the system state (e.g. installed packages etc.).
This bundling is required as, in isolation, Docker cannot reliably determine the packages used in the artifact.

Until the SBOM is deployed upstream, tested with a hardcoded SBOM and then checked the resultant image:

% docker buildx imagetools inspect sandbox-hazelcast-enterprise:5.7.0-SNAPSHOT-slim-jdk17 --format "{{ json .SBOM }}"
{
  "linux/amd64": {
    "SPDX": {
      "SPDXID": "SPDXRef-DOCUMENT",
      "creationInfo": {
        "created": "2026-02-25T19:37:28Z",
{...}
            {
              "referenceCategory": "PACKAGE-MANAGER",
              "referenceLocator": "pkg:maven/com.google.code.gson/gson@2.12.1",
              "referenceType": "purl"
            }
{...}

Fixes: DI-745
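A check that the bundling actually worked, as an added example that is not part of this pull request or of the Hazelcast project: it parses the JSON printed by `docker buildx imagetools inspect --format "{{ json .SBOM }}"` and reports, per platform, which required `pkg:maven` purls are missing from the image SBOM, so a CI step can catch an image that only carries the OS packages Docker discovered. The sample inspect output, its package list and the purls other than the gson one quoted above are constructed for the example.

```python
"""Verify that an image SBOM (from `docker buildx imagetools inspect
--format '{{ json .SBOM }}'`) carries the application's Maven dependencies,
not only the OS packages Docker discovers on its own."""
import json

# Constructed sample shaped like the inspect output above; the package list
# and the libc6 purl are illustrative and not taken from a real image.
SAMPLE_INSPECT_OUTPUT = json.dumps({
    "linux/amd64": {
        "SPDX": {
            "SPDXID": "SPDXRef-DOCUMENT",
            "packages": [
                {"name": "gson", "versionInfo": "2.12.1",
                 "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                   "referenceType": "purl",
                                   "referenceLocator": "pkg:maven/com.google.code.gson/gson@2.12.1"}]},
                {"name": "libc6", "versionInfo": "2.36-9",
                 "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                   "referenceType": "purl",
                                   "referenceLocator": "pkg:deb/debian/libc6@2.36-9"}]},
            ],
        }
    }
})


def purls_by_platform(inspect_json: str) -> dict[str, set[str]]:
    """Map each platform key to the set of purls declared in its SPDX document."""
    doc = json.loads(inspect_json)
    if not isinstance(doc, dict):  # `.SBOM` is null when no attestation exists
        return {}
    result: dict[str, set[str]] = {}
    for platform, attestations in doc.items():
        spdx = (attestations or {}).get("SPDX") or {}
        purls = set()
        for pkg in spdx.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purls.add(ref["referenceLocator"])
        result[platform] = purls
    return result


def missing_maven_purls(inspect_json: str, required: set[str]) -> dict[str, set[str]]:
    """Per platform, the required purls absent from the SBOM (empty set means OK)."""
    return {p: required - found for p, found in purls_by_platform(inspect_json).items()}
```

Pipe the real inspect output into `missing_maven_purls` with the purls read from the Maven-generated SBOM and fail the build if any platform's set is non-empty.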
