Merge branch 'add-sbom' into 'master'

feat: add a job generating software bill of materials

Closes #36

See merge request to-be-continuous/maven!45

README.md

@@ -140,6 +140,17 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |
 
+### `mvn-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name                  | description                            | default value     |
+| --------------------- | -------------------------------------- | ----------------- |
+| `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
+
 ### `mvn-snapshot` & `mvn-release` jobs
 
 These jobs are **disabled by default** and perform, respectively, the following:

kicker.json

@@ -100,6 +100,20 @@
       "description": "This job verifies your project has no _snapshot_ dependencies. Failure is allowed in feature branches.",
       "disable_with": "MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED"
     },
+    {
+      "id": "sbom",
+      "name": "Software Bill of Materials",
+      "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)",
+      "disable_with": "MAVEN_SBOM_DISABLED",
+      "variables": [
+        {
+          "name": "MAVEN_SBOM_GEN_ARGS",
+          "description": "Maven command used for SBOM analysis",
+          "default": "org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom",
+          "advanced": true
+        }
+      ]
+    },
     {
       "id": "publish",
       "name": "Publish",

templates/gitlab-ci-maven.yml

@@ -96,6 +96,9 @@ variables:
     -DassemblyAnalyzerEnabled=false
     -Dformats=HTML,JSON,XML
   
+  # SBOM genenration arguments
+  MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
+
   # Maven deploy arguments
   MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true"
 
@@ -481,6 +484,26 @@ mvn-forbid-snapshot-dependencies:
       when: never
     - !reference [.test-policy, rules]
 
+mvn-sbom:
+  extends: .mvn-base
+  stage: test
+  # force no dependency
+  dependencies: []
+  script:
+    - mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_SBOM_GEN_ARGS -DoutputName=mvn-sbom.cyclonedx -DoutputFormat=json
+    - chmod a+r target/maven-sbom.cyclonedx.json
+  artifacts:
+    name: "SBOM for Maven from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 week
+    when: always
+    paths:
+      - "${MAVEN_PROJECT_DIR}/target/maven-sbom.cyclonedx.json"
+  rules:
+    # exclude if disabled
+    - if: '$MAVEN_SBOM_DISABLED == "true"'
+      when: never
+    - !reference [.test-policy, rules]
+
 mvn-snapshot:
   extends: .mvn-base
   stage: publish