Skip to content

Issue #1639 add SBOM #1640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Aug 22, 2025
Merged

Issue #1639 add SBOM #1640

merged 6 commits into from
Aug 22, 2025

Conversation

JoerivanEngelen
Copy link
Contributor

@JoerivanEngelen JoerivanEngelen commented Aug 18, 2025
edited
Loading

Fixes #1639

Description

Adds pixi task to generate SBOM and add SBOM. I took this approach from Ribasim: https://github.com/Deltares/Ribasim/blob/b80ebd6d189cddf601e90b06e7c3cd5b044ce1b8/pixi.toml#L194-L199

I had to remove all the target task logic from the Ribasim example to make the linting task work on TeamCity for some reason. Locally it worked without any problems.

Checklist

  • Links to correct issue
  • Update changelog, if changes affect users
  • PR title starts with Issue #nr, e.g. Issue #737
  • Unit tests were added
  • If feature added: Added/extended example
  • If feature added: Added feature to API documentation

@Manangka
Copy link
Collaborator

Manangka commented Aug 20, 2025
edited by JoerivanEngelen
Loading

A couple of questions:

  1. Why is this needed?
  2. How is the sbom used?
  3. Do we need check regenerate the sbom each time we add a dependency to the pyproject file? Or to the pixi.toml file?
  4. If so do we need a comment reminding people to update the sbom
  5. Depending on how this is uses, can this be generated automatically in the release pipeline?
  6. Do the developer docs need to be updated?

@JoerivanEngelen
Copy link
Contributor Author

JoerivanEngelen commented Aug 21, 2025
edited
Loading

  1. I hope the issue description was clear enough on this, but it apparently is necessary to provide a file in a standardized form what packages are installed along with iMOD Python for a GA release.
  2. See this link
  3. Ideally yes. Could be at least part of update pixi.toml pipeline?
  4. Good point! I can extend the PR template with an additional checkbox.
  5. See answer 3.
  6. I don't think so, as long as 3 and 4 done? It's also part of our release form.

UPDATE: I just extended the PR template

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@Manangka
Copy link
Collaborator

Can you make an issue for extending the pixi update pipeline and assign me?

I know what a SBOM is but i'm just curious were it is going to be used for. It's probably not for the users but for some internal tool

@JoerivanEngelen JoerivanEngelen mentioned this pull request Aug 22, 2025
Open
@JoerivanEngelen
Copy link
Contributor Author

Can you make an issue for extending the pixi update pipeline and assign me?

Done #1643

@JoerivanEngelen JoerivanEngelen merged commit f3c2969 into master Aug 22, 2025
7 checks passed
@JoerivanEngelen JoerivanEngelen deleted the issue_#1639_SBOM_generation branch August 22, 2025 07:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Manangka Manangka Manangka approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Investigate SBOM generation
2 participants
@JoerivanEngelen @Manangka