Change Temurin SBOM generation to XML

[andrew-m-leonard]

Currently Temurin produces SBOM's in json format, however this has its limitations and cost:

• json "signing" uses JSF format and very few tooling provides JSF signing and verification. Currently Temurin uses and open source component https://github.com/cyberphone/openkeystore which does not have a huge following, and we have to build and compile this source, which is not provided as an open source binary release.
• Similarly to verify these signatures we need to use the same open source tool, which means "Users" are not easily able to verify and SBOM themselves, without going through a procedure to clone temurin-build and build the TemurinSignSBOM java class that uses openkeystore
• The Cyclonedx-cli tool does not provide support for signing and verifying JSON SBOMs:

% cyclonedx-cli sign bom test.json --key-file test.pem
Loading private key...
Only XML BOMs are currently supported for signing.

As opposed to using an XML format SBOM:

• Provides full feature support for XML, including "signing" and "signature verification", and "validation":

% cyclonedx sign bom testCDXA.xml --key-file cdsa_test.pem
Loading private key...
Loading XML BOM...
Generating signature...
Saving signature...
% cyclonedx verify all testCDXA.xml --key-file cdsa_test_pub.pem
Loading public key...
Loading XML BOM...
Reading signatures...
Found 1 signatures...
Verifying signature 1... verified

All signatures verified
% cyclonedx validate --input-file testCDXA.xml            
BOM validated successfully.

• The Cyclonedx-cli tool can then easily be used by 3rd party users to both sign and verify SBOMs, CDXAs, ...

Other arguments for using XML format:

• XML has a far longer background, and thus many stable tooling support, it is extensively used by the AQAvit and TKG test suites
• XML has a strong Schema based support
• XML can be easily parsed and processed from bash using Perl xpath utility, eg:

% xpath -q -e '/bom/metadata/authors/author/name/text()' testSBOM.xml
Adoptium Temurin

[andrew-m-leonard]

@netomi hi Thomas, I was wondering what your opinion might be to using XML documents as opposed to JSON, especially when it comes to Eclipse Signing with sigstore potentially?

[netomi]

so if xml files have better tool support, I see no reason why the project should not use them.
Also conversion between xml and json format should be possible if needed.

[andrew-m-leonard]

The support for XML SBOM generated using the cyclonedx-core-java is currently blocked due to issue: CycloneDX/cyclonedx-core-java#562

For the moment we will stick with json SBOM until this is fixed, or we have a python-library route...

[Haroon-Khel]

@andrew-m-leonard do we want to continue with this now that CycloneDX/cyclonedx-core-java#562 is resolved?

[andrew-m-leonard]

@andrew-m-leonard do we want to continue with this now that CycloneDX/cyclonedx-core-java#562 is resolved?

Yes, all the necessary CycloneDX issues are fixed. So we can move forward with this, I will add PMCAgenda to propose

[sxa]

Noting that we'll need to make changes to a few things to cope with this change:

• The instructions we give to others to how to perform reproducible builds pull information from the SBOM
• We currently use jq to parse the SBOM in places (e.g. the download test) that will need to be replaced
• The API currently adds -metadata to the name of the SBOM control files used by the API (because they also end in .json. If we switch to xml should we also change the metadata file to just be .xml.json?
  • OpenJDK21U-sbom_aarch64_windows_hotspot_21.0.6_7.json. Current example names:
  • OpenJDK21U-sbom_aarch64_windows_hotspot_21.0.6_7-metadata.json
• <placeholder for something I've forgotten since I came up with it>

Anywhere else we're parsing this? Should we look at the download stats for the SBOM files to identify the impact of switching this?

[andrew-m-leonard]

I will get user feedback on JSON vs XML...

[andrew-m-leonard]

@Haroon-Khel following PMC review, we want to get user input and thoughts on changing to xml SBOMs first, before we change