Commit ec6f9874 authored by Clement Bois's avatar Clement Bois Committed by Pierre Smeyers

feat: add a job generating software bill of materials

parent bc128a98
+11 −0
@@ -140,6 +140,17 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |

### `mvn-sbom` job

This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin).

It is bound to the `test` stage, and uses the following variables:

| Name                  | description                            | default value     |
| --------------------- | -------------------------------------- | ----------------- |
| `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |

### `mvn-snapshot` & `mvn-release` jobs

These jobs are **disabled by default** and perform, respectively, the following:
+14 −0
@@ -100,6 +100,20 @@
      "description": "This job verifies your project has no _snapshot_ dependencies. Failure is allowed in feature branches.",
      "disable_with": "MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED"
    },
    {
      "id": "sbom",
      "name": "Software Bill of Materials",
      "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)",
      "disable_with": "MAVEN_SBOM_DISABLED",
      "variables": [
        {
          "name": "MAVEN_SBOM_GEN_ARGS",
          "description": "Maven command used for SBOM analysis",
          "default": "org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom",
          "advanced": true
        }
      ]
    },
    {
      "id": "publish",
      "name": "Publish",
+23 −0
@@ -96,6 +96,9 @@ variables:
    -DassemblyAnalyzerEnabled=false
    -Dformats=HTML,JSON,XML
  
  # SBOM genenration arguments
  MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

  # Maven deploy arguments
  MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true"

@@ -481,6 +484,26 @@ mvn-forbid-snapshot-dependencies:
      when: never
    - !reference [.test-policy, rules]

mvn-sbom:
  extends: .mvn-base
  stage: test
  # force no dependency
  dependencies: []
  script:
    - mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_SBOM_GEN_ARGS -DoutputName=mvn-sbom.cyclonedx -DoutputFormat=json
    - chmod a+r target/maven-sbom.cyclonedx.json
  artifacts:
    name: "SBOM for Maven from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 week
    when: always
    paths:
      - "${MAVEN_PROJECT_DIR}/target/maven-sbom.cyclonedx.json"
  rules:
    # exclude if disabled
    - if: '$MAVEN_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]

mvn-snapshot:
  extends: .mvn-base
  stage: publish
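Review bot: The file name produced by the `mvn` step in `mvn-sbom` does not match the name the rest of the job expects: the script passes `-DoutputName=mvn-sbom.cyclonedx`, so the plugin writes `target/mvn-sbom.cyclonedx.json`, while the following `chmod` and the `artifacts.paths` entry both refer to `maven-sbom.cyclonedx.json`, so the `chmod` fails on a missing file and no SBOM is ever uploaded. Align the two on the generated name, e.g. `- chmod a+r target/mvn-sbom.cyclonedx.json` and `- "${MAVEN_PROJECT_DIR}/target/mvn-sbom.cyclonedx.json"`. The default `MAVEN_SBOM_GEN_ARGS` in the first hunk of this file (mirrored in the kicker JSON and the README) names the plugin without a version, so Maven resolves whatever release is newest at run time; pinning it as `org.cyclonedx:cyclonedx-maven-plugin:<PLUGIN_VERSION>:makeAggregateBom` keeps the inventory reproducible and shields the build from an unreviewed plugin upgrade. That hunk's comment should also read `# SBOM generation arguments`. Whether the relative `target/` used by the script and the `${MAVEN_PROJECT_DIR}/target/` artifact path point at the same directory depends on `.mvn-base`, which is outside this diff.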