Commit cd09a286 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'add-sbom' into 'master'

feat: add a job generating software bill of materials

Closes #36

See merge request to-be-continuous/maven!45
parents bc128a98 ec6f9874
...@@ -140,6 +140,17 @@ It is bound to the `test` stage, and uses the following variables: ...@@ -140,6 +140,17 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- | | --------------------- | -------------------------------------- | ----------------- |
| `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ | | `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |
### `mvn-sbom` job
This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin).
It is bound to the `test` stage, and uses the following variables:
| Name | description | default value |
| --------------------- | -------------------------------------- | ----------------- |
| `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
### `mvn-snapshot` & `mvn-release` jobs ### `mvn-snapshot` & `mvn-release` jobs
These jobs are **disabled by default** and perform, respectively, the following: These jobs are **disabled by default** and perform, respectively, the following:
......
...@@ -100,6 +100,20 @@ ...@@ -100,6 +100,20 @@
"description": "This job verifies your project has no _snapshot_ dependencies. Failure is allowed in feature branches.", "description": "This job verifies your project has no _snapshot_ dependencies. Failure is allowed in feature branches.",
"disable_with": "MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED" "disable_with": "MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED"
}, },
{
"id": "sbom",
"name": "Software Bill of Materials",
"description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)",
"disable_with": "MAVEN_SBOM_DISABLED",
"variables": [
{
"name": "MAVEN_SBOM_GEN_ARGS",
"description": "Maven command used for SBOM analysis",
"default": "org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom",
"advanced": true
}
]
},
{ {
"id": "publish", "id": "publish",
"name": "Publish", "name": "Publish",
......
...@@ -96,6 +96,9 @@ variables: ...@@ -96,6 +96,9 @@ variables:
-DassemblyAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false
-Dformats=HTML,JSON,XML -Dformats=HTML,JSON,XML
# SBOM genenration arguments
MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
# Maven deploy arguments # Maven deploy arguments
MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true" MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true"
...@@ -481,6 +484,26 @@ mvn-forbid-snapshot-dependencies: ...@@ -481,6 +484,26 @@ mvn-forbid-snapshot-dependencies:
when: never when: never
- !reference [.test-policy, rules] - !reference [.test-policy, rules]
mvn-sbom:
extends: .mvn-base
stage: test
# force no dependency
dependencies: []
script:
- mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_SBOM_GEN_ARGS -DoutputName=mvn-sbom.cyclonedx -DoutputFormat=json
- chmod a+r target/maven-sbom.cyclonedx.json
artifacts:
name: "SBOM for Maven from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 week
when: always
paths:
- "${MAVEN_PROJECT_DIR}/target/maven-sbom.cyclonedx.json"
rules:
# exclude if disabled
- if: '$MAVEN_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
mvn-snapshot: mvn-snapshot:
extends: .mvn-base extends: .mvn-base
stage: publish stage: publish
......
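Review bot: The SBOM file name passed on the `mvn` line of the new `mvn-sbom` job does not match the file the following line chmods or the artifact path: `-DoutputName=mvn-sbom.cyclonedx` with `-DoutputFormat=json` yields `target/mvn-sbom.cyclonedx.json`, while `chmod a+r target/maven-sbom.cyclonedx.json` and `paths` expect `maven-sbom`, so the chmod hits a missing file, the script step fails, and no SBOM is collected. Make the three agree by changing the script line to `- mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_SBOM_GEN_ARGS -DoutputName=maven-sbom.cyclonedx -DoutputFormat=json` (or rename the chmod target and artifact path to `mvn-sbom`). Since this artifact is the supply-chain record of what was built, consider whether `expire_in: 1 week` retains it long enough for a release audit, and, if your GitLab version supports it, also declaring it under `artifacts.reports.cyclonedx` so it is ingested rather than only stored as a file. The chmod path is relative to the working directory whereas `paths` is prefixed with `${MAVEN_PROJECT_DIR}`; presumably `.mvn-base` (outside this hunk) changes into that directory, which is worth confirming. The comment on the new `MAVEN_SBOM_GEN_ARGS` variable also misspells "generation" as "genenration".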