Warning about SBOM reported when running bootBuildImage with gradle-plugin.
The message is as follows.
Warning: this buildpack is including both old and new format SBOM information, which is an invalid state. To prevent the lifecycle from failing, libcnb is discarding the old SBOM information.
This problem seems to be caused by buildpack of Executable JAR and Spring Boot.
The same problem is reproduced at least in versions that refer to Executable JAR Buildpack 6.0.0 and Spring Boot Buildpack 5.0.0.
A project that can reproduce the problem has been pushed as follows. https://github.com/k163377/spring-boot-build-image-warn-sandbox
The complete log is shown as follows.
17:53:37: Executing 'bootBuildImage'...
> Task :compileKotlin UP-TO-DATE
> Task :compileJava NO-SOURCE
> Task :processResources NO-SOURCE
> Task :classes UP-TO-DATE
> Task :bootJarMainClassName UP-TO-DATE
> Task :bootJar UP-TO-DATE
> Task :bootBuildImage
Building image 'docker.io/library/spring-boot-build-image-warn-sandbox:1.0-SNAPSHOT'
> Pulling builder image 'docker.io/paketobuildpacks/builder:base' ..................................................
> Pulled builder image 'paketobuildpacks/builder@sha256:988d9d956b62d18a828ea9deab5586d5a307becae23c72c76746c8307048d56f'
> Pulling run image 'docker.io/paketobuildpacks/run:base-cnb' ..................................................
> Pulled run image 'paketobuildpacks/run@sha256:b1e8add4fc569e37085342cd05186d17cb81e128ee60fd9fd633337e25ac7808'
> Executing lifecycle version v0.13.0
> Using build cache volume 'pack-cache-3819609661d9.build'
> Running creator
[creator] ===> DETECTING
[creator] 6 of 19 buildpacks participating
[creator] paketo-buildpacks/ca-certificates 3.0.0
[creator] paketo-buildpacks/bellsoft-liberica 9.0.0
[creator] paketo-buildpacks/syft 1.0.0
[creator] paketo-buildpacks/executable-jar 6.0.0
[creator] paketo-buildpacks/dist-zip 5.0.0
[creator] paketo-buildpacks/spring-boot 5.0.0
[creator] ===> ANALYZING
[creator] Restoring metadata for "paketo-buildpacks/ca-certificates:helper" from app image
[creator] Restoring metadata for "paketo-buildpacks/bellsoft-liberica:jre" from app image
[creator] Restoring metadata for "paketo-buildpacks/bellsoft-liberica:helper" from app image
[creator] Restoring metadata for "paketo-buildpacks/bellsoft-liberica:java-security-properties" from app image
[creator] Restoring metadata for "paketo-buildpacks/syft:syft" from cache
[creator] Restoring metadata for "paketo-buildpacks/spring-boot:helper" from app image
[creator] Restoring metadata for "paketo-buildpacks/spring-boot:spring-cloud-bindings" from app image
[creator] Restoring metadata for "paketo-buildpacks/spring-boot:web-application-type" from app image
[creator] ===> RESTORING
[creator] Restoring data for "paketo-buildpacks/syft:syft" from cache
[creator] ===> BUILDING
[creator]
[creator] Paketo CA Certificates Buildpack 3.0.0
[creator] https://github.com/paketo-buildpacks/ca-certificates
[creator] Launch Helper: Reusing cached layer
[creator]
[creator] Paketo BellSoft Liberica Buildpack 9.0.0
[creator] https://github.com/paketo-buildpacks/bellsoft-liberica
[creator] Build Configuration:
[creator] $BP_JVM_TYPE JRE the JVM type - JDK or JRE
[creator] $BP_JVM_VERSION 17.* the Java version
[creator] Launch Configuration:
[creator] $BPL_DEBUG_ENABLED false enables Java remote debugging support
[creator] $BPL_DEBUG_PORT 8000 configure the remote debugging port
[creator] $BPL_DEBUG_SUSPEND false configure whether to suspend execution until a debugger has attached
[creator] $BPL_HEAP_DUMP_PATH write heap dumps on error to this path
[creator] $BPL_JAVA_NMT_ENABLED true enables Java Native Memory Tracking (NMT)
[creator] $BPL_JAVA_NMT_LEVEL summary configure level of NMT, summary or detail
[creator] $BPL_JFR_ARGS configure custom Java Flight Recording (JFR) arguments
[creator] $BPL_JFR_ENABLED false enables Java Flight Recording (JFR)
[creator] $BPL_JMX_ENABLED false enables Java Management Extensions (JMX)
[creator] $BPL_JMX_PORT 5000 configure the JMX port
[creator] $BPL_JVM_HEAD_ROOM 0 the headroom in memory calculation
[creator] $BPL_JVM_LOADED_CLASS_COUNT 35% of classes the number of loaded classes in memory calculation
[creator] $BPL_JVM_THREAD_COUNT 250 the number of threads in memory calculation
[creator] $JAVA_TOOL_OPTIONS the JVM launch flags
[creator] BellSoft Liberica JRE 17.0.1: Contributing to layer
[creator] Downloading from https://github.com/bell-sw/Liberica/releases/download/17.0.1+12/bellsoft-jre17.0.1+12-linux-amd64.tar.gz
[creator] Verifying checksum
[creator] Expanding to /layers/paketo-buildpacks_bellsoft-liberica/jre
[creator] Adding 128 container CA certificates to JVM truststore
[creator] Writing env.launch/BPI_APPLICATION_PATH.default
[creator] Writing env.launch/BPI_JVM_CACERTS.default
[creator] Writing env.launch/BPI_JVM_CLASS_COUNT.default
[creator] Writing env.launch/BPI_JVM_SECURITY_PROVIDERS.default
[creator] Writing env.launch/JAVA_HOME.default
[creator] Writing env.launch/JAVA_TOOL_OPTIONS.append
[creator] Writing env.launch/JAVA_TOOL_OPTIONS.delim
[creator] Writing env.launch/MALLOC_ARENA_MAX.default
[creator] Launch Helper: Reusing cached layer
[creator] Java Security Properties: Reusing cached layer
[creator]
[creator] Paketo Syft Buildpack 1.0.0
[creator] https://github.com/paketo-buildpacks/syft
[creator]
[creator] Paketo Executable JAR Buildpack 6.0.0
[creator] https://github.com/paketo-buildpacks/executable-jar
[creator] Class Path: Contributing to layer
[creator] Writing env/CLASSPATH.delim
[creator] Writing env/CLASSPATH.prepend
[creator] Warning: this buildpack is including both old and new format SBOM information, which is an invalid state. To prevent the lifecycle from failing, libcnb is discarding the old SBOM information.
[creator] Process types:
[creator] executable-jar: java org.springframework.boot.loader.JarLauncher (direct)
[creator] task: java org.springframework.boot.loader.JarLauncher (direct)
[creator] web: java org.springframework.boot.loader.JarLauncher (direct)
[creator]
[creator] Paketo Spring Boot Buildpack 5.0.0
[creator] https://github.com/paketo-buildpacks/spring-boot
[creator] Creating slices from layers index
[creator] dependencies
[creator] spring-boot-loader
[creator] snapshot-dependencies
[creator] application
[creator] Launch Helper: Reusing cached layer
[creator] Spring Cloud Bindings 1.8.0: Reusing cached layer
[creator] Web Application Type: Reusing cached layer
[creator] Warning: this buildpack is including both old and new format SBOM information, which is an invalid state. To prevent the lifecycle from failing, libcnb is discarding the old SBOM information.
[creator] 4 application slices
[creator] Image labels:
[creator] org.springframework.boot.version
[creator] ===> EXPORTING
[creator] Reusing layer 'paketo-buildpacks/ca-certificates:helper'
[creator] Reusing layer 'paketo-buildpacks/bellsoft-liberica:helper'
[creator] Reusing layer 'paketo-buildpacks/bellsoft-liberica:java-security-properties'
[creator] Adding layer 'paketo-buildpacks/bellsoft-liberica:jre'
[creator] Reusing layer 'paketo-buildpacks/executable-jar:classpath'
[creator] Reusing layer 'paketo-buildpacks/spring-boot:helper'
[creator] Reusing layer 'paketo-buildpacks/spring-boot:spring-cloud-bindings'
[creator] Reusing layer 'paketo-buildpacks/spring-boot:web-application-type'
[creator] Reusing 5/5 app layer(s)
[creator] Reusing layer 'launcher'
[creator] Reusing layer 'config'
[creator] Reusing layer 'process-types'
[creator] Adding label 'io.buildpacks.lifecycle.metadata'
[creator] Adding label 'io.buildpacks.build.metadata'
[creator] Adding label 'io.buildpacks.project.metadata'
[creator] Adding label 'org.springframework.boot.version'
[creator] Setting default process type 'web'
[creator] Saving docker.io/library/spring-boot-build-image-warn-sandbox:1.0-SNAPSHOT...
[creator] *** Images (f14191421637):
[creator] docker.io/library/spring-boot-build-image-warn-sandbox:1.0-SNAPSHOT
[creator] Reusing cache layer 'paketo-buildpacks/syft:syft'
Successfully built image 'docker.io/library/spring-boot-build-image-warn-sandbox:1.0-SNAPSHOT'
BUILD SUCCESSFUL in 4m 7s
4 actionable tasks: 1 executed, 3 up-to-date
17:57:44: Execution finished 'bootBuildImage'.
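Added example, not part of the original report or of any Paketo or Spring Boot tooling: a small parser that attributes each `Warning:` line in the BUILDING phase of a lifecycle log to the buildpack banner printed above it, which is how the log above points at Executable JAR 6.0.0 and Spring Boot 5.0.0. The sample log is constructed and abridged from the output above; the function names and the banner pattern (`<name> Buildpack <x.y.z>`) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the lifecycle output quoted above (abridged).
SBOM_WARNING = ("Warning: this buildpack is including both old and new format SBOM "
                "information, which is an invalid state. To prevent the lifecycle from "
                "failing, libcnb is discarding the old SBOM information.")
SAMPLE_LOG = "\n".join([
    "> Running creator",
    "[creator] ===> DETECTING",
    "[creator] paketo-buildpacks/executable-jar 6.0.0",
    "[creator] ===> BUILDING",
    "[creator]",
    "[creator] Paketo Syft Buildpack 1.0.0",
    "[creator]",
    "[creator] Paketo Executable JAR Buildpack 6.0.0",
    "[creator]     Class Path: Contributing to layer",
    "[creator]     " + SBOM_WARNING,
    "[creator] Paketo Spring Boot Buildpack 5.0.0",
    "[creator]     " + SBOM_WARNING,
    "[creator] ===> EXPORTING",
    "[creator] Reusing layer 'launcher'",
])

PREFIX = re.compile(r"^\s*\[creator\]\s*")
PHASE = re.compile(r"^===> (\w+)$")
HEADER = re.compile(r"^.+ Buildpack \d+\.\d+\.\d+$")  # assumed banner shape

def warnings_by_buildpack(log_text):
    """Attribute each BUILDING-phase 'Warning:' line to the buildpack banner above it."""
    found = defaultdict(list)
    phase = current = None
    for raw in log_text.splitlines():
        if not PREFIX.match(raw):
            continue  # Gradle task output, not lifecycle output
        line = PREFIX.sub("", raw, count=1).strip()
        if m := PHASE.match(line):
            phase, current = m.group(1), None  # a new phase ends the current buildpack
        elif phase == "BUILDING" and HEADER.match(line):
            current = line
        elif phase == "BUILDING" and line.startswith("Warning:"):
            found[current or "<no banner seen>"].append(line)
    return dict(found)

def buildpacks_with_sbom_warning(log_text):
    """Names (with versions) of buildpacks whose warnings mention SBOM."""
    return sorted(bp for bp, warns in warnings_by_buildpack(log_text).items()
                  if any("SBOM" in w for w in warns))
```

Running `buildpacks_with_sbom_warning` over a saved build log in CI gives a list that can be compared against an allow-list, so a buildpack that starts discarding SBOM data is noticed rather than scrolled past.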
Comment From: scottfrederick
Thanks for getting in touch. This warning is outside of Spring Boot's control. Spring Boot invokes a CNB builder (the Paketo builder by default), which bundles buildpacks. Paketo buildpacks are in the process of converting to a new Software Bill Of Materials (SBOM) format, which is leading to this warning. If it's a problem for you, you can file an issue with the Paketo Java buildpack project or discuss it with the Paketo team on Slack.
If you want to work around the warning, you can configure your build to use a Paketo Java buildpack release earlier than 6.0.0, as in this example:
bootBuildImage {
    buildpacks = [
        "gcr.io/paketo-buildpacks/java:5.21.1"
    ]
}
Comment From: dmikusa
FYI, this has been fixed in the latest buildpack release.