bazelbuild/bazel

Build Event for external dependencies used in the invocation

Open

#23,933 opened on Oct 10, 2024

Labels: P2, help wanted, team-ExternalDeps, type: feature request

Description

Description of the feature request:

When troubleshooting past invocations, it might be useful to know which dependencies were used in the invocation: information such as which version was used, whether any override was applied, which URL it was downloaded from, with what checksum, etc.

Which category does this issue belong to?

No response

What underlying problem are you trying to solve with this feature?

By sending a build event with this information, the BES implementation could help developers identify issues a bit more easily. We can also leverage the build events for downstream supply chain security keeping and identify vulnerabilities faster/easier.

Which operating system are you running Bazel on?

No response

What is the output of bazel info release?

No response

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse HEAD ?

No response

Have you found anything relevant by searching the web?

The current Supply Chain Security approach is mostly oriented around using rules_license's aspect to gather the dependency information. This works but requires additional setup on the code level.

Providing a build event based on bzlmod data would provide a much more sensible default with minimal setup needed. The tradeoff is that you will only get the dependency information on the invocation level and not on a target level, which is fine for smaller use cases.

Any other information, logs, or outputs that you want to share?

No response
