Add exporting of dependency information from SBOM to CSV file (apache…

…#41254) This new sbom command uses the SBOM we have generated for Airflow and exports information about all our dependencies, enhanced by using various sources of information about them.
uzhastik · Aug 5, 2024 · 03263b6 · 03263b6
1 parent 1546d7f
commit 03263b6
Show file tree

Hide file tree

Showing 18 changed files with 582 additions and 38 deletions.
diff --git a/.rat-excludes b/.rat-excludes
@@ -122,6 +122,9 @@ chart/Chart.yaml
 # Generated autocomplete files
 ./dev/breeze/autocomplete/*
 
+# Generated devel_deps files
+devel_deps.txt
+
 # Newsfragments are snippets that will be, eventually, consumed into RELEASE_NOTES
 newsfragments/*
 

diff --git a/dev/breeze/doc/09_release_management_tasks.rst b/dev/breeze/doc/09_release_management_tasks.rst
@@ -650,6 +650,18 @@ This command will build one docker image per python version, with all the airflo
   :width: 100%
   :alt: Breeze build all airflow images
 
+
+Exporting SBOM information
+""""""""""""""""""""""""""
+
+The SBOM information published on our website can be converted into a spreadsheet that we are using to analyse security
+properties of the dependencies. This is done by the ``export-dependency-information`` command.
+
+.. image:: ./images/output_sbom_export-dependency-information.svg
+  :target: https://raw.githubusercontent.com/apache/airflow/main/dev/breeze/images/output_sbom_export-dependency-information.svg
+  :width: 100%
+  :alt: Breeze sbom export dependency information
+
 -----
 
 Next step: Follow the `Advanced Breeze topics <10_advanced_breeze_topics.rst>`_ to

diff --git a/dev/breeze/doc/images/output_sbom.svg b/dev/breeze/doc/images/output_sbom.svg
diff --git a/dev/breeze/doc/images/output_sbom.txt b/dev/breeze/doc/images/output_sbom.txt
@@ -1 +1 @@
-924eca934035f16d89ba69e74761336f
+b03d6ab68f41027663d36fe101214323
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		924eca934035f16d89ba69e74761336f
		b03d6ab68f41027663d36fe101214323