From a084afc6212ee2338fbf8388ed0602eda5959d0d Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 27 Jan 2026 10:58:57 -0500 Subject: [PATCH 1/2] made script for generating sbom csv --- Makefile | 12 +++++++++++- dev-resources/sbom/sbom_flat.jq | 17 +++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 dev-resources/sbom/sbom_flat.jq diff --git a/Makefile b/Makefile index 4285f53b..5e6b284d 100644 --- a/Makefile +++ b/Makefile @@ -23,7 +23,7 @@ resources/public/admin: # All other phony targets run lrsql instances that can be used and tested # during development. All start up with fixed DB properties and seed creds. -.phony: clean-dev, ci, ephemeral, ephemeral-prod, sqlite, postgres, mariadb, mysql, bench, bench-async, keycloak-demo, ephemeral-oidc, superset-demo, clamav-demo, test-sqlite, test-postgres, test-postgres-14, test-postgres-15, test-postgres-16, test-postgres-17, test-postgres-18, test-mariadb, test-mariadb-10.6, test-mariadb-10.11, test-mariadb-11.4, test-mariadb-11.7.2, test-mariadb-11.8, test-mysql, test-mysql-8.0.44, test-mysql-8.4, test-mysql-9.5.0 +.phony: clean-dev, ci, ephemeral, ephemeral-prod, sqlite, postgres, mariadb, mysql, bench, bench-async, keycloak-demo, ephemeral-oidc, superset-demo, clamav-demo, test-sqlite, test-postgres, test-postgres-14, test-postgres-15, test-postgres-16, test-postgres-17, test-postgres-18, test-mariadb, test-mariadb-10.6, test-mariadb-10.11, test-mariadb-11.4, test-mariadb-11.7.2, test-mariadb-11.8, test-mysql, test-mysql-8.0.44, test-mysql-8.4, test-mysql-9.5.0, sbom, sbom-csv clean-dev: rm -rf *.db *.log resources/public tmp 
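Review bot: The added `sbom, sbom-csv` entries never become phony, because the line they extend is `.phony:` rather than GNU make's case-sensitive `.PHONY:`, and its comma-separated list declares prerequisites literally named `clean-dev,`, `ci,` and so on; the same applies to `runtime-info` appended to `.phony: clean, clean-non-dl, bundle` in the second patch's `@@ -149,7 +149,7 @@` hunk. As written these are ordinary targets, so a stray file named `sbom` or `runtime-info` in the checkout would make `make sbom` report nothing to do. The misspelling predates this commit (it is on the removed line too), but the new names inherit it; the declaration should read `.PHONY: clean-dev ci ephemeral ... sbom sbom-csv` (uppercase, space-separated, no commas).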
@@ -364,6 +364,16 @@ run-jar-mysql: target/bundle pom.xml: clojure -Adb-sqlite:db-postgres -Spom +sbom: pom.xml + mvn -q org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom \ + -DoutputFormat=json \ + -DoutputName=lrsql \ + -DschemaVersion=1.6 \ + -DprojectType=application + +sbom-csv: sbom + jq -r -f ./dev-resources/sbom/sbom_flat.jq ./target/lrsql.json > ./target/lrsql-sbom.csv + # TODO: Add a local vulnerability checker. # Note that we removed our previous one that used nvd-clojure as that app was # becoming too unreliable; perhaps look into clj-watson? diff --git a/dev-resources/sbom/sbom_flat.jq b/dev-resources/sbom/sbom_flat.jq new file mode 100644 index 00000000..81c77fcf --- /dev/null +++ b/dev-resources/sbom/sbom_flat.jq @@ -0,0 +1,17 @@ +def pkg_name(c): + if (c.group? // "") != "" then "\(c.group)/\(c.name)" else (c.name // "") end; + +[ + .metadata.component?, + .components[]? +] +| map(select(. != null)) +| map({ + package: pkg_name(.), + source: (.purl // .["bom-ref"] // .author // .publisher // "unknown"), + version: (.version // "unknown") + }) +| unique +| sort_by(.package, .version) +| (["package","source","version"] | @csv), + (.[] | [ .package, .source, .version ] | @csv) From e2014111ab2d6605428e5270e2d6c72704fc3174 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 27 Jan 2026 12:48:00 -0500 Subject: [PATCH 2/2] made make task that dumps runtime info --- Makefile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 5e6b284d..c692d42b 100644 --- a/Makefile +++ b/Makefile @@ -149,7 +149,7 @@ clamav-demo: # lrsql package, including config, docs, JARs, admin UI files, JREs, # Windows executables, NOTICE and LICENSE -.phony: clean, clean-non-dl, bundle +.phony: clean, clean-non-dl, bundle, runtime-info clean: rm -rf target resources/public pom.xml 
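Review bot: The `mvn -q org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` invocation in the new `sbom` target names the plugin without a version, so Maven resolves whichever release is newest at build time and the tool that produces the supply-chain inventory is itself an unpinned, non-reproducible input. Pin it as `mvn -q org.cyclonedx:cyclonedx-maven-plugin:<PINNED_VERSION>:makeAggregateBom \` (placeholder for the version the team has vetted) so two runs on the same commit yield the same BOM. Note also that `pom.xml` is generated by `clojure -Adb-sqlite:db-postgres -Spom`, so the BOM appears to cover only dependencies those aliases pull in; if other aliases contribute runtime dependencies they would be absent, and a comment above `sbom:` should state that scope. The `sbom-csv` recipe redirects straight into `./target/lrsql-sbom.csv`, so a `jq` failure mid-stream leaves a truncated file behind; `.DELETE_ON_ERROR:` or a write-to-temp-then-`mv` avoids that.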
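Review bot: The new `sbom_flat.jq` carries no header comment stating what it consumes and emits, which matters because the `source` column mixes values of different kinds (`purl`, `bom-ref`, `author`, `publisher`) under one name. Suggest opening the file with `# Flatten a CycloneDX JSON BOM (metadata.component plus top-level components) into CSV rows: package,source,version.` followed by `# source is the first present of purl, bom-ref, author, publisher; "unknown" otherwise.` Separately, only `.components[]?` at the top level is read; if the aggregate BOM ever nests `components` inside a component (CycloneDX permits this), those entries are dropped silently, which is worth confirming against the plugin's actual output or covering with a recursive walk.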
@@ -254,6 +254,14 @@ endif bundle: target/bundle +# Runtime info (Docker) + +target/runtime-info.txt: bundle Dockerfile + mkdir -p target + docker build -t lrsql:local . + docker run --rm --entrypoint sh lrsql:local -c 'set -e; echo "== OS =="; cat /etc/os-release; echo; echo "== Kernel =="; uname -a; echo; echo "== Java =="; /lrsql/runtimes/linux/bin/java -version 2>&1; echo; echo "== Packages =="; apk info -vv' > target/runtime-info.txt +runtime-info: target/runtime-info.txt + # *** Build Windows EXEs with launch4j *** # `clean-exe` removes all pre-existing executables, so that they can be rebuilt.
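Review bot: The `== Kernel ==` section of `target/runtime-info.txt` comes from `uname -a` inside the container, which reports the build host's kernel (containers share the host kernel), so that line documents the CI or developer machine rather than anything shipped in the `lrsql:local` image and can mislead anyone using the file for vulnerability triage; drop it or retitle it `echo "== Host kernel (build machine) =="`. The recipe also redirects straight into the target, so a failure partway through `docker run` leaves a truncated `target/runtime-info.txt` that a later run may treat as up to date; redirect to `> $@.tmp && mv $@.tmp $@` or add `.DELETE_ON_ERROR:` near the top of the Makefile. `apk info -vv` presumes an Alpine-based image, which this patch cannot confirm since the Dockerfile is not part of it; a comment above `target/runtime-info.txt:` naming that assumption would help the next maintainer.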