Merge branch 'add-sbom' into 'master' (46630413) · Commits · to be continuous... / Gradle

README.md

+19 −0

Original line number	Diff line number	Diff line
		@@ -188,6 +188,25 @@ dependencyCheck {

		More info on how you can configure the gradle Dependency-Check plugin can be found in the [official documentation](https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html)

		## Software Bill Of Materials

		This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencies using [cyclonedx-gradle-plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin).

		It is bound to the `test` stage, and uses the following variables:

		\| Name \| description \| default value \|
		\| --------------------- \| -------------------------------------- \| ----------------- \|
		\| `GRADLE_SBOM_DISABLED` \| Set to `true` to disable this job \| _none_ \|
		\| `GRADLE_SBOM_VERSION` \| Version of the `cyclonedx-gradle-plugin` used for SBOM analysis<br/>_When unset, the latest version will be used_ \| _none_ \|

		This job injects cyclonedx plugin in your project. This can be disabled by defining the plugin in your `build.gradle` and setting `$GRADLE_SBOM_VERSION` variable to `disabled`.

		```groovy
		plugins {
		id 'org.cyclonedx.bom' version '1.7.2'
		}
		```

		### Publish jobs

		Currently the pipeline exposes two __manual__ jobs of publication:

kicker.json

+12 −0

Original line number	Diff line number	Diff line
		@@ -66,6 +66,18 @@
		}
		]
		},
		{
		"id": "sbom",
		"name": "Software Bill of Materials",
		"description": "This job generates a file listing all dependencies using [cyclonedx-gradle-plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin)",
		"disable_with": "GRADLE_SBOM_DISABLED",
		"variables": [
		{
		"name": "GRADLE_SBOM_VERSION",
		"description": "Version of the `cyclonedx-gradle-plugin` used for SBOM analysis.\n\n_When unset, the latest version will be used_"
		}
		]
		},
		{
		"id": "publish",
		"name": "Publish (snapshot & release)",

templates/gitlab-ci-gradle.yml

+49 −0

Original line number	Diff line number	Diff line
		@@ -361,6 +361,55 @@ gradle-dependency-check:
		- when: manual
		allow_failure: true

		gradle-sbom:
		extends: .gradle-base
		stage: test
		# force no dependency
		dependencies: []
		needs: []
		script:
		- mkdir -p -m 777 reports
		- \|
		if [[ "$GRADLE_SBOM_VERSION" == "disabled" ]]
		then
		log_info "Using CycloneDX plugin from project build configuration..."
		else
		log_info "Using CycloneDX plugin from external configuration (version \\e[32m${GRADLE_SBOM_VERSION:-latest}\\e[0m)..."
		if [[ "${GRADLE_SBOM_VERSION:-latest}" == "latest" ]]
		then
		GRADLE_SBOM_VERSION=$(curl -sSf https://plugins.gradle.org/m2/org/cyclonedx/bom/org.cyclonedx.bom.gradle.plugin/maven-metadata.xml \| awk 'match($0,"<latest>[^<]*</latest>") {print substr($0,RSTART+8,RLENGTH-17)}')
		log_info "... use CycloneDX latest version: \\e[32m$GRADLE_SBOM_VERSION\\e[0m"
		fi
		GRADLE_SBOM_OPTS="-I cyclonedx.init.gradle ${GRADLE_SBOM_OPTS}"
		cat << EOF > cyclonedx.init.gradle
		allprojects {
		buildscript {
		dependencies {
		classpath "org.cyclonedx:cyclonedx-gradle-plugin:$GRADLE_SBOM_VERSION"
		}
		}

		afterEvaluate { project ->
		project.apply plugin: 'org.cyclonedx.bom'
		}
		}
		EOF
		fi
		- $GRADLE_CLI_BIN $GRACLE_CLI_OPTS $GRADLE_SBOM_OPTS cyclonedxBom
		- mv build/reports/bom.json reports/gradle-sbom.cyclonedx.json
		- chmod a+r reports/gradle-sbom.cyclonedx.json
		artifacts:
		name: "SBOM for Gradle from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
		expire_in: 1 week
		when: always
		paths:
		- $GRADLE_PROJECT_DIR/reports/gradle-sbom.cyclonedx.json
		rules:
		# exclude if disabled
		- if: '$GRADLE_SBOM_DISABLED == "true"'
		when: never
		- !reference [.test-policy, rules]

		.gradle-base-publish:
		extends: .gradle-base
		stage: publish