Commit 96cedd0d authored by Francois Poyer's avatar Francois Poyer Committed by Pierre Smeyers

fix(sbom): make the sbom output filename overridable

parent 600c9613
+7 −6
@@ -267,11 +267,12 @@ This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencie
It is bound to the `test` stage, and uses the following variables:

| Input / Variable                                       | Description                                                                                                                                                                                                             | Default value                 |
| --------------------- | -------------------------------------- | ----------------- |
|--------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------|
| `sbom-disabled` / `GRADLE_SBOM_DISABLED`               | Set to `true` to disable this job                                                                                                                                                                                       | _none_                        |
| `TBC_SBOM_MODE`                                        | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `GRADLE_SBOM_DISABLED` takes precedence | `onrelease`                   |
| `sbom-version` / `GRADLE_SBOM_VERSION`                 | Version of the `cyclonedx-gradle-plugin` used for SBOM analysis<br/>_When unset, the latest version will be used_                                                                                                       | _none_                        |
| `maven-plugin-url` / `GRADLE_MAVEN_PLUGIN_URL`         | Maven Repository that is used to download the `cyclonedx-gradle-plugin`. No trailing slash.                                                                                                                             | https://plugins.gradle.org/m2 |
| `sbom-output-filename` / `GRADLE_SBOM_OUTPUT_FILENAME` | Name of the file produced by the `cyclonedxBom` tasks<br/> :warning: SpringBoot 3.3+ notably overrides the default value to `application.dx.json`                                                                       | `bom.json`                    |

This job injects cyclonedx plugin in your project. This can be disabled by defining the plugin in your `build.gradle` and setting  `$GRADLE_SBOM_VERSION` variable to `disabled`.

+5 −0
@@ -119,6 +119,11 @@
          "name": "GRADLE_MAVEN_PLUGIN_URL",
          "description": "Maven Repository that is used to download the `cyclonedx-gradle-plugin`. No trailing slash.",
          "default": "https://plugins.gradle.org/m2"
        },
        {
          "name": "GRADLE_SBOM_OUTPUT_FILENAME",
          "description": "Name of the output file produced by the `cyclonedx-gradle-plugin`, defaults to `bom.json`",
          "default": "bom.json"
        }
      ]
    },
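Review bot: The new GRADLE_SBOM_OUTPUT_FILENAME description omits the caveat that the README change in this same commit adds — that SpringBoot 3.3+ overrides the plugin's default output name to application.dx.json — even though that is precisely the situation a user needs this variable for. Something like `"description": "Name of the output file produced by the cyclonedx-gradle-plugin (default bom.json). SpringBoot 3.3+ notably changes it to application.dx.json"` would keep the three places that document this variable in step. The same gap exists in the `sbom-output-filename` input description in the first hunk of the YAML template. The enclosing variables array begins outside this hunk.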
+5 −1
@@ -74,6 +74,9 @@ spec:
      description: |-
        Maven Repository that is used to download the `cyclonedx-gradle-plugin`. No trailing slash.
      default: 'https://plugins.gradle.org/m2'
    sbom-output-filename:
      description: Name of the output file produced by the `cyclonedx-gradle-plugin`, defaults to `bom.json`
      default: 'bom.json'
    no-publish:
      description: Disable Publish (snapshot & release)
      type: boolean
@@ -162,6 +165,7 @@ variables:
  GRADLE_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
  GRADLE_SBOM_VERSION: $[[ inputs.sbom-version ]]
  GRADLE_MAVEN_PLUGIN_URL: $[[ inputs.maven-plugin-url ]]
  GRADLE_SBOM_OUTPUT_FILENAME: $[[ inputs.sbom-output-filename ]]
  GRADLE_NO_PUBLISH: $[[ inputs.no-publish ]]
  GRADLE_PUBLISH_VERSION: $[[ inputs.publish-version ]]

@@ -622,7 +626,7 @@ gradle-sbom:
      EOF
      fi
    - $GRADLE_CLI_BIN $GRADLE_CLI_OPTS $GRADLE_SBOM_OPTS cyclonedxBom
    - mv build/reports/bom.json reports/gradle-sbom.cyclonedx.json
    - mv build/reports/$GRADLE_SBOM_OUTPUT_FILENAME reports/gradle-sbom.cyclonedx.json
    - chmod a+r reports/gradle-sbom.cyclonedx.json
  artifacts:
    name: "SBOM for Gradle from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
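Review bot: The replacement `mv` in the third hunk expands `$GRADLE_SBOM_OUTPUT_FILENAME` unquoted, so a value containing spaces is word-split, and an empty value (the input default only protects the `inputs` path; the variable itself can still be set to an empty string in project or pipeline settings) turns the source into `build/reports/` and moves the whole reports directory. Quoting the expansion addresses both: `- mv "build/reports/${GRADLE_SBOM_OUTPUT_FILENAME}" reports/gradle-sbom.cyclonedx.json`. The `gradle-sbom` job and the heredoc that ends at the `EOF` line start outside the hunk, so I cannot tell whether the injected plugin configuration also pins an output name that must agree with this variable; if it does, a short comment next to the input saying so would help.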