CXX-3021 Add SBOM Lite and update release instructions #1134
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kevinAlbs
reviewed
May 9, 2024
etc/purls.txt
Outdated
| pkg:github/mnmlstc/[email protected] | ||
|
|
||
| # Catch2 is bundled as src/third_party/catch/include/catch.hpp. | ||
| pkg:github/catchorg/Catch2/@v2.13.7#single_include/catch2/catch.hpp |
There was a problem hiding this comment.
Suggest removing Catch2 due to being a test dependency.
From Centralized Vulnerability Management README:
Test- and build-time dependencies (such as the compiler) do not need to be declared.
We only need to report and fix CVEs in dependencies we actually ship, so reducing any false-positives results in less auditing and updating overhead.
kevinAlbs
approved these changes
May 9, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves CXX-3021. No CI automation is included in this PR. Instead, the release instructions include commands documenting how to update the SBOM Lite file.
Three dependencies are identified:
No attempt is made to conditionally specify SBOM Lite according to the build configuration (specifically concerning mnmlstc/core), if such a pattern is even possible with PURL.
To better assist with specifying/documenting dependencies of this kind, all FetchContent-related routines are moved as-is into
Fetch*modules under thecmake/subdirectory which are then referenced byetc/purls.txt. Note this required moving up theset(CMAKE_MODULE_PATH ...)higher in the root CMakeLists.txt file.