
Conversation

@rudsberg
Contributor

This PR updates the SBOM integration in the native-maven-plugin to handle SBOMs being embedded by default in GraalVM 25. SBOMs will be embedded even if --enable-sbom is not passed to native-image. We have updated our checks accordingly to ensure the base SBOM is generated only when the SBOM feature is enabled.

Additionally, the option augmentedSBOM has been renamed to skipBaseSBOM. We are discontinuing the use of the term "augmented" and will instead refer to the SBOM produced by native-maven-plugin (and consumed by native-image) as the "base" SBOM. The new "skip" prefix aligns better with other configuration options. skipBaseSBOM defaults to false and when set to true the base SBOM is not generated.

With regards to backwards compatibility, I believe the deprecation of augmentedSBOM should be OK given that it was just recently introduced for 24 and it's not documented in the public native-maven-plugin documentation.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Jul 31, 2025
@rudsberg
Contributor Author

rudsberg commented Jul 31, 2025

The failing functional tests seem unrelated to this PR, but I'm looking into it.

The failing test is JavaApplicationFunctionalTest > can build and execute a native image with the Maven plugin when the application has a custom packaging type FAILED and fails with:

org.graalvm.demo.ApplicationTest > message is hello native FAILED
Failures (1):
JUnit Jupiter:ApplicationTest:message is hello native
MethodSource [className = 'org.graalvm.demo.ApplicationTest', methodName = 'usesReflection', methodParameterTypes = '']
=> org.opentest4j.AssertionFailedError: expected: <Hello, native!> but was: <null>

Update:
I've identified and resolved the issue. Here’s what went wrong:

  • This PR correctly generates a base SBOM for GraalVM 25 builds that embed SBOMs by default. In other words, previously, functional tests running on GraalVM 25 that did not use --enable-sbom did not exercise the SBOMGenerator code path, but now they do.
  • That caused this line to fail. The reason was that it uses mvnDebug, causing excessive printing by the cyclonedx-maven-plugin on version 2.8.1 that we were using, leading to a java.lang.OutOfMemoryError.

The excessive printing seemed like a bug, so I tried updating cyclonedx-maven-plugin to the latest version (2.9.1), which indeed solved it. It now logs in a reasonable manner.

```java
try {
    /* Suppress the output from the plugin. */
    int loggingLevel = logger.getThreshold();
    logger.setThreshold(Logger.LEVEL_DISABLED);
```
Contributor Author

The logging suppression was removed because it was not working. Setting the logging level like so doesn't restrict the logging in the executeMojo call. Another PR could ensure that the output from cyclonedx-maven-plugin is suppressed.

@rudsberg rudsberg force-pushed the jrudsberg/GR-67605 branch from 8d2773f to ae5ddac Compare August 4, 2025 12:32
…or `SBOMGenerator.generateIfSupportedAndEnabled`
@rudsberg rudsberg force-pushed the jrudsberg/GR-67605 branch from ae5ddac to 5b995dc Compare August 4, 2025 13:02
```java
JSONArray packageNamesArray = new JSONArray();
List<String> sortedPackageNames = artifact.packageNames.stream().sorted().collect(Collectors.toList());
sortedPackageNames.forEach(packageNamesArray::put);
if (artifact.prunable) {
```
Contributor Author

Minor orthogonal improvement.

(Shaded dependencies are correctly marked as non-prunable since we cannot be sure the packageNames are accurate. Therefore, leaving the packageNames array empty increases clarity.)
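The following is an added example, written for this page in Python rather than in the plugin's Java; it is not the native-maven-plugin's own code. It models two things the thread describes: the "generate the base SBOM only when the SBOM feature is supported and enabled" gate from the PR description (GraalVM 25+ embeds an SBOM by default, older versions only with `--enable-sbom`, and `skipBaseSBOM=true` opts out), and the component rule from the snippet above (sorted `packageNames`, shaded artifacts marked non-prunable with an empty package list). Everything beyond the names `packageNames`, `prunable`, `skipBaseSBOM` and `--enable-sbom` is an assumption: the "supported from 24" cutoff, the absence of any flag that disables SBOMs on 25, the `Artifact` shape and the surrounding JSON layout.

```python
"""
Illustrative model of the base-SBOM gating and component rules discussed in the PR.

Added example, not the plugin's code. Assumptions (not stated on the page):
  * the base-SBOM integration exists from GraalVM 24 on, so older versions are
    "unsupported";
  * on GraalVM 25+ an SBOM is always embedded (no opt-out flag is modelled);
  * `--enable-sbom=...` with options counts the same as bare `--enable-sbom`;
  * the Artifact shape and JSON keys other than packageNames/prunable are made up.
"""
from dataclasses import dataclass, field
import json


def graalvm_major(version: str) -> int:
    """Return the leading major number of a version string such as '25.0.1' or '24'."""
    head = version.strip().split(".")[0]
    if not head.isdigit():
        raise ValueError(f"unrecognised GraalVM version: {version!r}")
    return int(head)


def sbom_enabled(major: int, build_args: list[str]) -> bool:
    """True when native-image will embed an SBOM for this build."""
    if major >= 25:
        return True  # embedded by default from GraalVM 25 (assumption: no opt-out modelled)
    return any(arg == "--enable-sbom" or arg.startswith("--enable-sbom=") for arg in build_args)


def should_generate_base_sbom(version: str, build_args: list[str], skip_base_sbom: bool = False) -> bool:
    """Model of a 'supported and enabled' check: produce the base SBOM only when the
    GraalVM version supports the integration, the SBOM feature is on for this build,
    and the user has not opted out via skipBaseSBOM."""
    if skip_base_sbom:
        return False
    major = graalvm_major(version)
    if major < 24:  # assumption: integration introduced for 24
        return False
    return sbom_enabled(major, build_args)


@dataclass
class Artifact:
    """Constructed stand-in for a resolved Maven artifact (hypothetical shape)."""
    group: str
    name: str
    version: str
    package_names: set[str] = field(default_factory=set)
    shaded: bool = False


def base_sbom_component(artifact: Artifact) -> dict:
    """Build one component entry. A shaded artifact is non-prunable because its
    package list cannot be trusted, so its packageNames are left empty; otherwise
    the names are emitted sorted, as the snippet above does."""
    prunable = not artifact.shaded
    return {
        "group": artifact.group,
        "name": artifact.name,
        "version": artifact.version,
        "prunable": prunable,
        "packageNames": sorted(artifact.package_names) if prunable else [],
    }


def base_sbom(artifacts: list[Artifact]) -> str:
    """Serialise the component list as JSON (layout is an assumption)."""
    return json.dumps({"components": [base_sbom_component(a) for a in artifacts]}, indent=2)


if __name__ == "__main__":
    # Constructed sample input.
    deps = [
        Artifact("org.example", "lib-a", "1.2.3", {"org.example.a.util", "org.example.a"}),
        Artifact("org.example", "lib-shaded", "9.9", {"org.example.a"}, shaded=True),
    ]
    print(should_generate_base_sbom("25.0.0", []))                           # True
    print(should_generate_base_sbom("24.0.2", ["--enable-sbom=cyclonedx"]))  # True
    print(should_generate_base_sbom("24.0.2", []))                           # False
    print(base_sbom(deps))
```

The gate is deliberately conservative about the one case the page does not cover: if a future flag turned SBOMs off on GraalVM 25, `sbom_enabled` would still report true and a base SBOM would be produced for nothing, so that branch is the first place to revisit.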

@rudsberg rudsberg requested review from dnestoro and melix August 4, 2025 14:15
dnestoro
dnestoro previously approved these changes Aug 27, 2025
Collaborator

@melix melix left a comment


Looks mostly ok. I cannot tell if the removal of the previous property is acceptable or not, that's probably for @vjovanov to tell.

melix
melix previously approved these changes Aug 27, 2025
vjovanov
vjovanov previously approved these changes Aug 28, 2025
@rudsberg
Contributor Author

The 1 failing test is the same test that is failing on master (link), so it's unrelated to this PR.

CC: @dnestoro

@rudsberg rudsberg dismissed stale reviews from vjovanov and melix via 5968205 August 28, 2025 12:42
@rudsberg rudsberg requested review from dnestoro and melix August 28, 2025 14:00
@dnestoro
Contributor

> The 1 failing test is the same test that is failing on master (link), so it's unrelated to this PR.
>
> CC: @dnestoro

It looks like a regression in latest-ea GraalVM release. I will check

@rudsberg rudsberg merged commit 3ec2767 into master Sep 1, 2025
186 of 187 checks passed
@rudsberg rudsberg deleted the jrudsberg/GR-67605 branch September 1, 2025 13:10
mergify bot added a commit to robfrank/linklift that referenced this pull request Oct 7, 2025
…1.0 to 0.11.1 [skip ci]

Bumps [org.graalvm.buildtools:native-maven-plugin](https://github.com/graalvm/native-build-tools) from 0.11.0 to 0.11.1.
Release notes

*Sourced from [org.graalvm.buildtools:native-maven-plugin's releases](https://github.com/graalvm/native-build-tools/releases).*

> 0.11.1
> ------
>
> What's Changed
> --------------
>
> * Create release 0.11.0 by [`@brahimhaddou`](https://github.com/brahimhaddou) in [graalvm/native-build-tools#746](https://redirect.github.com/graalvm/native-build-tools/pull/746)
> * bump version to 0.11.1 SNAPSHOT by [`@brahimhaddou`](https://github.com/brahimhaddou) in [graalvm/native-build-tools#749](https://redirect.github.com/graalvm/native-build-tools/pull/749)
> * [GR-68095] Change links in the Native Build Tools Gradle page by [`@ban-mi`](https://github.com/ban-mi) in [graalvm/native-build-tools#753](https://redirect.github.com/graalvm/native-build-tools/pull/753)
> * Group annotations by dependency and print a warning if the dependency is missing by [`@dnestoro`](https://github.com/dnestoro) in [graalvm/native-build-tools#752](https://redirect.github.com/graalvm/native-build-tools/pull/752)
> * Fix configuration cache compatibility in generating excluded args by [`@bacecek`](https://github.com/bacecek) in [graalvm/native-build-tools#763](https://redirect.github.com/graalvm/native-build-tools/pull/763)
> * Remove the default Maven phase bound to the `metadata-copy` Maven goal to simplify the use of integration tests by [`@linghengqian`](https://github.com/linghengqian) in [graalvm/native-build-tools#748](https://redirect.github.com/graalvm/native-build-tools/pull/748)
> * Prepare SBOM integration for GraalVM 25 by [`@rudsberg`](https://github.com/rudsberg) in [graalvm/native-build-tools#759](https://redirect.github.com/graalvm/native-build-tools/pull/759)
> * Add testing of Gradle 9 by [`@melix`](https://github.com/melix) in [graalvm/native-build-tools#766](https://redirect.github.com/graalvm/native-build-tools/pull/766)
> * supporting jdk toolchain configuration by [`@SergeDemoulinGebit`](https://github.com/SergeDemoulinGebit) in [graalvm/native-build-tools#622](https://redirect.github.com/graalvm/native-build-tools/pull/622)
> * Move JUnit tests to get started by [`@ban-mi`](https://github.com/ban-mi) in [graalvm/native-build-tools#767](https://redirect.github.com/graalvm/native-build-tools/pull/767)
> * Disable layered images test temporarily because of a problem on GralVM side by [`@dnestoro`](https://github.com/dnestoro) in [graalvm/native-build-tools#772](https://redirect.github.com/graalvm/native-build-tools/pull/772)
> * Add new JUnit 5.14/6.0 types to initialize-at-build-time classes by [`@marcphilipp`](https://github.com/marcphilipp) in [graalvm/native-build-tools#771](https://redirect.github.com/graalvm/native-build-tools/pull/771)
> * Prepare repository for release `0.11.1` by [`@dnestoro`](https://github.com/dnestoro) in [graalvm/native-build-tools#770](https://redirect.github.com/graalvm/native-build-tools/pull/770)
>
> New Contributors
> ----------------
>
> * [`@ban-mi`](https://github.com/ban-mi) made their first contribution in [graalvm/native-build-tools#753](https://redirect.github.com/graalvm/native-build-tools/pull/753)
> * [`@bacecek`](https://github.com/bacecek) made their first contribution in [graalvm/native-build-tools#763](https://redirect.github.com/graalvm/native-build-tools/pull/763)
> * [`@SergeDemoulinGebit`](https://github.com/SergeDemoulinGebit) made their first contribution in [graalvm/native-build-tools#622](https://redirect.github.com/graalvm/native-build-tools/pull/622)
>
> **Full Changelog**: <graalvm/native-build-tools@0.11.0...0.11.1>


Commits

* [`6545631`](graalvm/native-build-tools@6545631) Create release 0.11.1
* [`359acfb`](graalvm/native-build-tools@359acfb) Update licenses to pass style check
* [`7327427`](graalvm/native-build-tools@7327427) Add changelog entries
* [`73d17cc`](graalvm/native-build-tools@73d17cc) Update Reachability metadata version
* [`eb52764`](graalvm/native-build-tools@eb52764) Add new JUnit 5.14/6.0 types to initialize-at-build-time classes
* [`f94e6d6`](graalvm/native-build-tools@f94e6d6) Disable layered images test temporarily because of a problem on GraalVM side
* [`200e23c`](graalvm/native-build-tools@200e23c) Update docs/src/docs/asciidoc/end-to-end-gradle-guide.adoc
* [`079f06d`](graalvm/native-build-tools@079f06d) Move JUnit tests to get started
* [`50d8fbb`](graalvm/native-build-tools@50d8fbb) supporting jdk toolchain configuration
* [`77b4cfb`](graalvm/native-build-tools@77b4cfb) Add testing of Gradle 9
* Additional commits viewable in [compare view](graalvm/native-build-tools@0.11.0...0.11.1)
  