Replies: 7 comments 14 replies
-
@fmeum I'm not sure that your assertion about package info being correct for an entire module is true. For example, in a monorepo, there may be several artifacts that could be produced that others could depend on (eg. |
Beta Was this translation helpful? Give feedback.
-
I like the idea about On the REPO.bazel file: what would be the right way to set this up for repositories with 2 or more licenses? For example: https://gitlab.com/gitlab-org/gitlab uses a different license for |
Beta Was this translation helpful? Give feedback.
-
@fmeum reading the suggested purl spec, it looks good. I would point out that I think there might be a valid counter argument that this is overloading Within a single repo, it is also useful to know which target produced each artifact. It would be good to have a mechanism to (optionally) include that information too. Perhaps a |
Beta Was this translation helpful? Give feedback.
-
Building |
Beta Was this translation helpful? Give feedback.
-
Cool. FWIW... I am currently very interested in making SBOM generation
work. But, of course, the user here is using WORKSPACE rather than bzlmod,
so I want to try your thing along with a workspace rule. Having both would
be great.
…On Thu, Aug 1, 2024 at 6:37 AM Fabian Meumertzheim ***@***.***> wrote:
I sent a draft PR implementing this macro: bazelbuild/rules_license#147
<bazelbuild/rules_license#147>
—
Reply to this email directly, view it on GitHub
<#23166 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXHHHB3Z5CUE76ODUUOGN3ZPIFW3AVCNFSM6AAAAABLYQJE2GVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMRRGEYDANQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
@mzeren-vmw We discussed this in the Rules Authors SIG meeting, but would also be interested in your opinion on the purl spec addition. |
Beta Was this translation helpful? Give feedback.
-
rules_license
provides the basiclicense
andpackage_info
rules that serve as the basis for SBOM generation (and other kinds of supply chain analysis) for all kinds of Bazel dependencies. While individual rulesets that provide external dependencies can adopt these rules to annotate external deps with package metadata, there is no canonical way of doing this for Bazel modules themselves.I would like to discuss and collect the steps we need to take to improve this situation. My ideas so far:
Add a purl type for Bazel modules
This would provide a canonical way to refer to a given Bazel module, even if that module is not in the BCR. I prepared a draft of a specification of such a type on this branch.
Make it easy for public Bazel modules to attach
package_info
Compared to license information, which may easily vary on a per-target basis, package metadata as specified in
package_info
would usually apply to the entire module. By adding a small helper macro torules_license
, the required integration for Bazel modules could be reduced to "just":The
current_module_package_info
macro would rely onnative.module_name()
andnative.module_version()
to populate defaults for all the fields onpackage_info
automatically (e.g., the purl).Bazel registry tooling could be extended add the boilerplate automatically to new modules.
Modules with more complex requirements could still override the default package metadata on a per-package or per-target basis or choose to not use the macro.
Beta Was this translation helpful? Give feedback.
All reactions