Spring Boot Actuator "manifest" endpoint #22924
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the suggestion. This seems, somewhat at least, similar to #1465. |
|
It's also somewhat related to the existing |
philwebb
added
the
for: team-attention
|
@philwebb, Yes, I agree that given a git sha and/or app version from the info endpoint, you can do additional detective work to figure out what was packaged within an app. i.e. look at some report (if it exists) from the app build output for the specific version, or go grab the artifact and peek inside it. I'm looking to short-circuit that detective work by just obtaining that info from the running app instance, since it has absolute knowledge about the jars in the app. Currently, actuator exposes information on A) the beans that are running (beans endpoint), and B) the configuration (env endpoint). The next logical extension is to add a third dimension... C) the version of those beans. With those three dimensions, I can have a complete view of a running instance. And yes, as mentioned, C can currently be derived from app version from the info endpoint, but it takes some additional detective work. I'd love if it was a bit easier. Thanks for considering this feature! |
philwebb
added
status: pending-design-work
Adds a libraries actuator endpoint that displays details about the libraries used by the application. Provides out-of-the-box support for displaying details about Java libraries that are bundled within the application jar/war archive. The spring-boot-maven-plugin and spring-boot-gradle-plugin now generate a META-INF/bundled-libraries.yaml file when they package the application archive. The file is included in the packaged application archive. At runtime, libraries are contributed to the libraries endpoint via LibrariesContributor beans, similar to how InfoContributers contribute to the info endpoint. spring-boot-actuator-autoconfigure auto-configures a LibrariesContributor that adds the libraries from META-INF/bundled-libraries.yaml to the libraries endpoint. This auto-configuration can be disabled using environment properties similar to how other actuator endpoints behave. An application can provide other LibrariesContributor instances to contribute more libraries to the libraries endpoint. For example, an application might want to contribute libraries dynamically added at runtime. Or an application might want to contribute details about front-end libraries. Each Library is described as a simple set of key/value pairs. For example, Java libraries with coordinates in a Maven repository typically contain entries for `groupId`, `artifactId`, and `version`. Fixes spring-projects#22924
Adds a libraries actuator endpoint that displays details about the libraries used by the application. Provides out-of-the-box support for displaying details about Java libraries that are bundled within the application jar/war archive. The spring-boot-maven-plugin and spring-boot-gradle-plugin now generate a META-INF/bundled-libraries.yaml file when they package the application archive. The file is included in the packaged application archive. At runtime, libraries are contributed to the libraries endpoint via LibrariesContributor beans, similar to how InfoContributers contribute to the info endpoint. spring-boot-actuator-autoconfigure auto-configures a LibrariesContributor that adds the libraries from META-INF/bundled-libraries.yaml to the libraries endpoint. This auto-configuration can be disabled using environment properties similar to how other actuator endpoints behave. An application can provide other LibrariesContributor instances to contribute more libraries to the libraries endpoint. For example, an application might want to contribute libraries dynamically added at runtime. Or an application might want to contribute details about front-end libraries. Each Library is described as a simple set of key/value pairs. For example, Java libraries with coordinates in a Maven repository typically contain entries for `groupId`, `artifactId`, and `version`. Fixes spring-projects#22924
Adds a libraries actuator endpoint that displays details about the libraries used by the application. Provides out-of-the-box support for displaying details about Java libraries that are bundled within the application jar/war archive. The spring-boot-maven-plugin and spring-boot-gradle-plugin now generate a META-INF/bundled-libraries.yaml file when they package the application archive. The file is included in the packaged application archive. At runtime, libraries are contributed to the libraries endpoint via LibrariesContributor beans, similar to how InfoContributers contribute to the info endpoint. spring-boot-actuator-autoconfigure auto-configures a LibrariesContributor that adds the libraries from META-INF/bundled-libraries.yaml to the libraries endpoint. This auto-configuration can be disabled using environment properties similar to how other actuator endpoints behave. An application can provide other LibrariesContributor instances to contribute more libraries to the libraries endpoint. For example, an application might want to contribute libraries dynamically added at runtime. Or an application might want to contribute details about front-end libraries. Each Library is described as a simple set of key/value pairs. For example, Java libraries with coordinates in a Maven repository typically contain entries for `groupId`, `artifactId`, and `version`. Fixes spring-projects#22924
Adds a libraries actuator endpoint that displays details about the libraries used by the application. Provides out-of-the-box support for displaying details about Java libraries that are bundled within the application jar/war archive. The spring-boot-maven-plugin and spring-boot-gradle-plugin now generate a META-INF/bundled-libraries.yaml file when they package the application archive. The file is included in the packaged application archive. At runtime, libraries are contributed to the libraries endpoint via LibrariesContributor beans, similar to how InfoContributers contribute to the info endpoint. spring-boot-actuator-autoconfigure auto-configures a LibrariesContributor that adds the libraries from META-INF/bundled-libraries.yaml to the libraries endpoint. This auto-configuration can be disabled using environment properties similar to how other actuator endpoints behave. An application can provide other LibrariesContributor instances to contribute more libraries to the libraries endpoint. For example, an application might want to contribute libraries dynamically added at runtime. Or an application might want to contribute details about front-end libraries. Each Library is described as a simple set of key/value pairs. For example, Java libraries with coordinates in a Maven repository typically contain entries for `groupId`, `artifactId`, and `version`. Fixes spring-projects#22924
Adds a libraries actuator endpoint that displays details about the libraries used by the application. Provides out-of-the-box support for displaying details about Java libraries that are bundled within the application jar/war archive. The spring-boot-maven-plugin and spring-boot-gradle-plugin now generate a META-INF/bundled-libraries.yaml file when they package the application archive. The file is included in the packaged application archive. At runtime, libraries are contributed to the libraries endpoint via LibrariesContributor beans, similar to how InfoContributers contribute to the info endpoint. spring-boot-actuator-autoconfigure auto-configures a LibrariesContributor that adds the libraries from META-INF/bundled-libraries.yaml to the libraries endpoint. This auto-configuration can be disabled using environment properties similar to how other actuator endpoints behave. An application can provide other LibrariesContributor instances to contribute more libraries to the libraries endpoint. For example, an application might want to contribute libraries dynamically added at runtime. Or an application might want to contribute details about front-end libraries. Each Library is described as a simple set of key/value pairs. For example, Java libraries with coordinates in a Maven repository typically contain entries for `groupId`, `artifactId`, and `version`. Fixes spring-projects#22924
|
Via some discussions with the Maven Central folks, I was recently reminded of various efforts to define a software bill-of-materials (sbom) standard. It's a bit like a Maven bom, but with much broader scope. An sbom can be used to describe all of the components that comprise an application, for example. https://cyclonedx.org is one example of an sbom format. https://www.ntia.gov/SBOM and https://spdx.dev have also been mentioned. AIUI, CycloneDX builds upon the latter. Given that one goal of an sbom is to describe all of the components that comprise an application and the dependencies between them, I can see this being tackled, at least in part, by a Maven or Gradle plugin that isn't specific to Spring Boot. Such a plugin already exists for CycloneDX when using Maven. A Boot endpoint could then serve the sbom exactly as generated by the build, or perhaps augment it with additional information about the operating system and the like. I'm not sure what timescale that various sbom efforts are working on, but I think it would be a shame to ship something that's proprietary unless those efforts are a really long way out. CycloneDX is already publishing a versioned spec that appears to meet the needs of what's described here. |
|
On the SBOM front, courtesy of this tweet from Kelsey Hightower, I learned that Go 1.8 has some built-in support to help with producing an SBOM. Go isn't, as far as I can tell, aligning with any particular format. It's just making the information needed to produce an SBOM more accessible. |
|
See also PR #28884 which we'll want to consider when we implement this. |
|
Also on the SBOM front, Cloud Native Buildpacks is adopting standardized SBOM formats for Docker images. Buildpacks have contributed BOM information in a custom format for a while, but they are adopting both CycloneDX and SPDX as standardized formats going forward. |
|
Just in case anyone finds it useful (cc @BigMichi1), I wrote a piece on how to include CycloneDX SBOM or just a list of the dependencies in Spring Boot actuator. If you believe that this implementation make sense I can contribute it as a PR. https://maciejwalkowiak.com/blog/maven-dependencies-spring-boot-actuator-info/ |
philwebb
added
the
for: team-meeting
|
Via @markfisher, I've just learned that Microsoft have open sourced their SBOM tooling. It's said to work with both Maven and Gradle and uses the SPDX format. |
|
For people interested in the Maven/Gradle aspect of this, it looks like sbom-tool supports Maven and Gradle thanks to the component-detection project. As far as I understand, it's looking at |
That's an interesting choice. Not all projects will use Gradle's dependency locking. |
philwebb
removed
the
for: team-meeting
|
relevant blog on this topic; TLDR; SPDX is not as complete as CycloneDX, SonaType uses CycloneDX but also participates in the SPDX Working Group and is awaiting the SPDX v3.0 specification i hope those 2 standard merge :) |
|
Spring Boot 3.3.0 contains an SBOM actuator endpoint, which provides the information about included dependencies, their versions, etc. |
mhalbritter
added
status: superseded
I'd like an actuator endpoint that shows details of the jars that are included in the spring boot application.
Perhaps the endpoint id could be "manifest".
Some examples of things that could be discovered and reported for each jar:
META-INF/MANIFEST.MF(subset of main attributes. no per-entry attributes)META-INF/**/pom.propertiesI haven't fully thought through all the intricacies, so I'm happy to discuss further.
The text was updated successfully, but these errors were encountered: