@ppkarwasz ppkarwasz commented Dec 8, 2025

Description

This change adds generation of CycloneDX SBOMs for both the full and slim Solr binary distributions. Two new tasks in the :solr:packaging module produce SBOMs at build time using resolvable configurations that mirror the actual runtime dependencies included in each distribution.

Each SBOM is written as bom.json and packaged into the root of the corresponding distribution directory or .tar.gz archive.

Solution

Solr produces two distinct binary distributions, so the standard cyclonedxBom task from the CycloneDX Gradle plugin cannot be used directly. Instead of applying the plugin, this PR introduces:

  • Two custom SBOM tasks: cyclonedxFull and cyclonedxSlim
  • Two corresponding configurations: bomFull and bomSlim

The existing packaging configuration cannot be reused because it contains only the assembled directory of dependencies, not the resolvable dependency graph itself. The new configurations therefore pull from the underlying project configurations that feed into packaging, ensuring that the SBOMs accurately reflect the dependencies that end up in each distribution.

Tests

Running any distribution-related task, fullDistTar, installFullDist, slimDistTar, or installSlimDist, now produces a bom.json file in the output artifact for that distribution.

Checklist

Please review the following and check all that apply:

  • I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • I have created a Jira issue and added the issue ID to my pull request title.
  • I have given Solr maintainers access to contribute to my PR branch. (optional but recommended, not available for branches on forks living under an organisation)
  • I have developed this patch against the main branch.
  • I have run ./gradlew check.
  • I have added tests for my changes.
  • I have added documentation for the Reference Guide.
  • I have added a changelog entry for my change.

This change introduces two new tasks in the `:solr:packaging` module that generate accurate CycloneDX SBOMs for both the **full** and **slim** Solr binary distributions.
Each SBOM is produced at build time using resolvable configurations that reflect the actual runtime dependencies included in the distribution.

The resulting files are packaged as `bom.json` into the root of their respective `.tar.gz` archives.

This ensures downstream users, security scanners, and compliance tooling have an authoritative SBOM directly embedded in each published artifact.

Solves [SOLR-17328](https://issues.apache.org/jira/browse/SOLR-17328)
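The following Gradle (Groovy DSL) fragment is an added illustration of the approach the PR describes, not code from the PR or from Solr's build: a dedicated resolvable configuration is created so the dependency graph (rather than the already-assembled packaging directory) can be walked, and a custom task writes a minimal CycloneDX `bom.json` from it. The task and configuration names `cyclonedxFull`, `bomFull` and `fullDistTar` are taken from the page; the upstream configuration `distRuntime`, the output path, the application name `solr-full` and the spec version `1.5` are assumptions. Each component carries a package URL and a SHA-256 of the exact jar that ships, which is what lets a downstream scanner match it against vulnerability data and detect a swapped artifact.

```groovy
// build.gradle (Groovy DSL) fragment, added example; not Solr's own build code.
// Assumes a project configuration named 'distRuntime' (hypothetical) is the one
// whose resolved jars are copied into the full distribution.
import groovy.json.JsonOutput
import java.security.MessageDigest

configurations {
  bomFull {
    // A resolvable, non-consumable view of the dependency *graph* that feeds
    // packaging. The assembled packaging directory has no graph to resolve,
    // which is why a separate configuration is needed.
    canBeConsumed = false
    canBeResolved = true
    extendsFrom distRuntime
  }
}

// Hash of the artifact actually placed in the distribution.
def sha256Hex(File f) {
  MessageDigest.getInstance("SHA-256").digest(f.bytes).encodeHex().toString()
}

tasks.register("cyclonedxFull") {
  description = "Writes a CycloneDX bom.json for the full distribution's runtime dependencies"
  def bomConfig = configurations.bomFull
  def bomFile = layout.buildDirectory.file("sbom/full/bom.json")   // assumed output path
  inputs.files(bomConfig)
  outputs.file(bomFile)
  doLast {
    def components = bomConfig.resolvedConfiguration.resolvedArtifacts.collect { artifact ->
      def id = artifact.moduleVersion.id
      [
        type   : "library",
        group  : id.group,
        name   : id.name,
        version: id.version,
        // Package URL is the key scanners use to look up known vulnerabilities.
        purl   : "pkg:maven/${id.group}/${id.name}@${id.version}".toString(),
        // Hash of the exact jar shipped, so a consumer can verify the bytes it received.
        hashes : [[alg: "SHA-256", content: sha256Hex(artifact.file)]]
      ]
    }.sort { it.purl }   // deterministic ordering keeps build-to-build diffs readable

    def bom = [
      bomFormat   : "CycloneDX",
      specVersion : "1.5",                                          // assumed spec version
      serialNumber: "urn:uuid:${UUID.randomUUID()}".toString(),
      version     : 1,
      metadata    : [
        timestamp: java.time.Instant.now().toString(),
        component: [type: "application", name: "solr-full", version: project.version.toString()]
      ],
      components  : components
    ]
    bomFile.get().asFile.with { f ->
      f.parentFile.mkdirs()
      f.text = JsonOutput.prettyPrint(JsonOutput.toJson(bom))
    }
  }
}

// Place bom.json at the root of the archive; 'from' on a task provider wires
// the task dependency automatically.
tasks.named("fullDistTar") {
  from(tasks.named("cyclonedxFull"))
}
```

The slim distribution follows the same pattern with a `bomSlim` configuration extending from whatever feeds the slim packaging step and a `cyclonedxSlim` task wired into `slimDistTar`. Because the SBOM is derived from the same resolved graph that is copied into the archive, a dependency that is excluded from slim but present in full shows up only in the full `bom.json`, which is the property a scanner needs to avoid both false positives and missed components.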
@github-actions github-actions bot added dependencies Dependency upgrades tool:build labels Dec 8, 2025