Tags: spring-boot, spring-boot-maven-plugin, buildpack, paketo

Paketo buildpack spring-boot-maven-plugin doesn't find sbom


I'm using spring-boot-maven-plugin to generate the buildpack (it internally uses the Paketo buildpack).

During the build phase, this trace is shown several times:

 [creator]     Warning: BOM table is deprecated in this buildpack api version, though it remains supported for backwards compatibility. Buildpack authors should write BOM information to <layer>.sbom.<ext>, launch.sbom.<ext>, or build.sbom.<ext>.

When I inspect with the --bom option, I get the following warning:

pack inspect-image docker.io/library/my-springboot-test:1.0.0.Final --bom

Warning: Using the '--bom' flag with 'pack inspect-image <image-name>' is deprecated. Users are encouraged to use 'pack sbom download <image-name>'.
{
  "remote": null,
  "local": [
    {...

and when I try "pack sbom download docker.io/library/my-springboot-test:1.0.0.Final" as suggested:

ERROR: could not find SBoM information on 'docker.io/library/my-springboot-test:1.0.0.Final'

Does anybody know how to include SBOM information in the buildpack?

I've also tried using the CycloneDX plugin in the same pom; it generates the SBOM, but I don't know where to put it so that Paketo takes it into account when building the image.

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.1</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.4</schemaVersion>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <outputReactorProjects>true</outputReactorProjects>
        <outputFormat>json</outputFormat>
        <outputName>../layers/build.sbom.cdx</outputName>
    </configuration>
</plugin>

Is it possible to do it? What's failing?


Solution

  • This is a limitation of the Spring Boot Maven & Gradle plugins in Spring Boot 2.6.

    This version of Spring Boot implements an older version of the buildpacks platform specification, which predates the new SBOM specification. The buildpacks and buildpacks tooling have moved on to using this new SBOM specification though.

    There are two possible solutions:

    1. Upgrade to Spring 2.7. This implements the latest platform specification and will support the new SBOM format.

    2. If you can't upgrade to 2.7 just yet, you can use pack cli or kpack to run your builds until you can upgrade. They both also support the newer platform API required to use the new SBOM format.
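As an added example (not part of the question or the answer), a small Python check to run after `pack sbom download <image> --output-dir <dir>` against an image built with Spring Boot 2.7 or with the pack CLI: it locates files named per the convention quoted in the build warning, counts the components in each CycloneDX document, and exits non-zero when no SBOM is shipped. The directory layout under the download dir and the sample SBOM are constructed assumptions.

```python
"""Check that an image ships a buildpack SBOM: run `pack sbom download <image>
--output-dir <dir>` first and pass <dir> as argv[1]. Names follow the warning's
convention (<layer>.sbom.<ext> etc.); layout and sample data are assumptions."""
import json
import os
import re
import sys
import tempfile

# sbom.cdx.json, launch.sbom.cdx.json, build.sbom.spdx.json, <layer>.sbom.syft.json
SBOM_NAME = re.compile(r"^(?:[\w-]+\.)?sbom\.(cdx|spdx|syft)\.json$")

def find_sbom_files(root):
    """Return every file below root whose name matches the SBOM naming rule."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if SBOM_NAME.match(n))
    return sorted(hits)

def cyclonedx_components(path):
    """Return {name: version} from a CycloneDX JSON document (the format the
    cyclonedx-maven-plugin emits with outputFormat=json)."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"{path}: not a CycloneDX document")
    return {c["name"]: c.get("version", "") for c in doc.get("components", [])}

def summarize(root):
    """Map each CycloneDX SBOM under root to its component count (empty == none shipped)."""
    return {p: len(cyclonedx_components(p))
            for p in find_sbom_files(root) if p.endswith(".cdx.json")}

def demo():
    """Constructed sample: one launch-layer SBOM with two components."""
    sample = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"name": "spring-boot", "version": "2.7.0"},
        {"name": "spring-core", "version": "5.3.20"}]}
    with tempfile.TemporaryDirectory() as root:
        layer = os.path.join(root, "layers", "paketo-buildpacks_spring-boot", "helper")
        os.makedirs(layer)
        with open(os.path.join(layer, "launch.sbom.cdx.json"), "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        return summarize(root)

if __name__ == "__main__":
    found = summarize(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, count in found.items():
        print(f"{path}: {count} components")
    sys.exit(0 if found else 1)  # non-zero exit == no SBOM shipped
```

An empty result corresponds to the `could not find SBoM information` error above, so the script can gate an image-publishing step in CI.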