Skip to content

Add a feature for embedding SBOMs#962

Closed
jerboaa wants to merge 1 commit intograalvm:mandrel/25.0from
jerboaa:sbom_embed_feature_quarkus_v1
Closed

Add a feature for embedding SBOMs#962
jerboaa wants to merge 1 commit intograalvm:mandrel/25.0from
jerboaa:sbom_embed_feature_quarkus_v1

Conversation

@jerboaa
Copy link
Copy Markdown
Collaborator

@jerboaa jerboaa commented Apr 28, 2026
edited
Loading

With the new option --enable-sbom=embed:path-classpath-resource, one can embed the specified SBOM in the produced native image. The resource is looked up on the Quarkus Feature's classpath.

The SBOM is generated by Quarkus (see quarkusio/quarkus#53552). All this patch does is to embed it into the native image following the specs in https://www.graalvm.org/jdk25/security-guide/native-image/sbom/#native-image-utils-tool with respect to sbom and sbom_length symbols.

Thoughts?

@jerboaa
Add a feature for embedding SBOMs
a17bd9f 
With the new option '--enable-sbom=embed:path-classpath-resource', one
can embed the specified SBOM in the produced native image. The resource
is looked up an the Quarkus's Features classpath.
@jerboaa jerboaa requested a review from zakkak April 28, 2026 13:30
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Apr 28, 2026
@jerboaa jerboaa mentioned this pull request Apr 28, 2026
Draft
@zakkak
Copy link
Copy Markdown
Collaborator

zakkak commented Apr 29, 2026

Since the implementation is a feature, more so a Quarkus specific feature, I believe it would be better implemented in Quarkus instead.

Drawbacks:

  1. The main issue with that approach would be the dependency on internal GraalVM APIs like CGlobalData, meaning that the feature should be implemented using gizmo (the same way io.quarkus.runner.Feature is generated) to avoid compilation issues.
  2. If the internal APIs change, the feature would also break requiring augmenting it with GraalVM version detection to adapt accordingly.

Advantages:

  1. We don't deviate from upstream.
  2. We don't introduce a new option or an option clashing with an Oracle GraalVM option without providing the same functionality.
  3. We don't implement a Quarkus specific feature that is not expected to get upstream.

WDYT?

@jerboaa
Copy link
Copy Markdown
Collaborator Author

jerboaa commented Apr 30, 2026

I tend to agree. Those cyclic dependencies are pretty nasty. The feature also needs to add native image generator specific bits to the embedded sbom eventually. It's not clear to me to how we should approach that chicken/egg problem: SBOM is generated by quarkus, embedded in jars. On native compilation the exact native image generator version needs to get embedded as well. We only have the native image version available in the NativeImageBuildStep that depends on the jar generation step. If you have some cycles to move this forward, I'd appreciate a hand. Otherwise, I'd likely throw some AI tool at this gizmo transformation problem.

@zakkak
Copy link
Copy Markdown
Collaborator

zakkak commented Apr 30, 2026

If you have some cycles to move this forward, I'd appreciate a hand.

Sure, I will prepare a Quarkus patch and assign you as a reviewer.

@jerboaa
Copy link
Copy Markdown
Collaborator Author

jerboaa commented Apr 30, 2026

If you have some cycles to move this forward, I'd appreciate a hand.

Sure, I will prepare a Quarkus patch and assign you as a reviewer.

Makes sense. It needs to go in together with quarkusio/quarkus#53861

@jerboaa
Copy link
Copy Markdown
Collaborator Author

jerboaa commented Apr 30, 2026

Closing for now.

@jerboaa jerboaa closed this Apr 30, 2026
@zakkak zakkak mentioned this pull request May 4, 2026
Merged
@zakkak
Copy link
Copy Markdown
Collaborator

zakkak commented May 4, 2026

Sure, I will prepare a Quarkus patch and assign you as a reviewer.

quarkusio/quarkus#53923

aloubyansky pushed a commit to quarkusio/quarkus that referenced this pull request May 5, 2026
@zakkak
Embed SBOM in native image via generated GraalVM Feature
99501af 
Generate a GraalVM Feature (`io.quarkus.runner.SbomEmbedFeature`) using
Gizmo2 that embeds the application SBOM into the native image, following
the GraalVM SBOM spec.

Internal GraalVM APIs (CGlobalDataFactory, CGlobalDataFeature, Word) are
referenced via ClassMethodDesc to avoid compile-time dependencies on
internal packages that may change across GraalVM versions.

The Feature is only generated when EmbeddedSbomMetadataBuildItem is
present (i.e. when CycloneDX SBOM embedding is enabled).

See: graalvm/mandrel#962 and
#53552

Assisted-by: Claude Opus 4.6 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zakkak zakkak Awaiting requested review from zakkak

Assignees

No one assigned

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jerboaa @zakkak