diff --git a/README.md b/README.md index e74c471bc6058ea9934d2a6eea6ce05cc0d90428..cab1818d5c0bd566ae06582c9b29c3251e4d6541 100644 --- a/README.md +++ b/README.md @@ -140,6 +140,17 @@ It is bound to the `test` stage, and uses the following variables: | --------------------- | -------------------------------------- | ----------------- | | `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ | +### `mvn-sbom` job + +This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin). + +It is bound to the `test` stage, and uses the following variables: + +| Name | description | default value | +| --------------------- | -------------------------------------- | ----------------- | +| `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | +| `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` | + ### `mvn-snapshot` & `mvn-release` jobs These jobs are **disabled by default** and perform, respectively, the following: diff --git a/kicker.json b/kicker.json index 457e10771a36e4f8a1a8ba65baad5234a45253ad..1f41aa028d767a8ca7c8aa1b54c92e442c503f4e 100644 --- a/kicker.json +++ b/kicker.json 
@@ -100,6 +100,20 @@ "description": "This job verifies your project has no _snapshot_ dependencies. Failure is allowed in feature branches.", "disable_with": "MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED" }, + { + "id": "sbom", + "name": "Software Bill of Materials", + "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)", + "disable_with": "MAVEN_SBOM_DISABLED", + "variables": [ + { + "name": "MAVEN_SBOM_GEN_ARGS", + "description": "Maven command used for SBOM analysis", + "default": "org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom", + "advanced": true + } + ] + }, { "id": "publish", "name": "Publish", diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml index 6371944cf9fe63430ff6b94208d7a3f438e53327..5487e83191d84cc88d32dcd121a58b7a98bc1a5a 100644 --- a/templates/gitlab-ci-maven.yml +++ b/templates/gitlab-ci-maven.yml @@ -96,6 +96,9 @@ variables: -DassemblyAnalyzerEnabled=false -Dformats=HTML,JSON,XML + # SBOM genenration arguments + MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom + # Maven deploy arguments MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true" @@ -481,6 +484,26 @@ mvn-forbid-snapshot-dependencies: when: never - !reference [.test-policy, rules] +mvn-sbom: + extends: .mvn-base + stage: test + # force no dependency + dependencies: [] + script: + - mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_SBOM_GEN_ARGS -DoutputName=mvn-sbom.cyclonedx -DoutputFormat=json + - chmod a+r target/maven-sbom.cyclonedx.json + artifacts: + name: "SBOM for Maven from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" + expire_in: 1 week + when: always + paths: + - "${MAVEN_PROJECT_DIR}/target/maven-sbom.cyclonedx.json" + rules: + # exclude if disabled + - if: '$MAVEN_SBOM_DISABLED == "true"' + when: never + - !reference [.test-policy, rules] + mvn-snapshot: extends: .mvn-base stage: publish
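Review bot: The default `MAVEN_SBOM_GEN_ARGS` value `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` names the plugin without a version, so Maven resolves whatever release is current in the configured repository at run time, which makes the SBOM job itself an unpinned, non-reproducible dependency for a supply-chain artifact. Pin it in the default (`org.cyclonedx:cyclonedx-maven-plugin:<version>:makeAggregateBom`) and bump it deliberately; projects that override the variable can still pick their own coordinates. The comment above the variable also has a typo: `# SBOM generation arguments`.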
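Review bot: The output file name does not agree between the three places the `mvn-sbom` job uses it: the `mvn` line passes `-DoutputName=mvn-sbom.cyclonedx`, which with `-DoutputFormat=json` produces `target/mvn-sbom.cyclonedx.json`, but both the `chmod` and the `artifacts:paths` entry refer to `maven-sbom.cyclonedx.json`. As written the `chmod a+r target/maven-sbom.cyclonedx.json` line fails with "No such file" and, since the script stops on a non-zero exit, fails the job, and even with `when: always` the artifact glob never matches so no SBOM is uploaded; change the two lines to `chmod a+r target/mvn-sbom.cyclonedx.json` and `- "${MAVEN_PROJECT_DIR}/target/mvn-sbom.cyclonedx.json"` (or rename the `-DoutputName` value, whichever is intended). Separately, the `chmod` uses a bare `target/` while the artifact path is prefixed with `${MAVEN_PROJECT_DIR}`; if `.mvn-base` does not `cd` into that directory the `chmod` path is wrong as well — `.mvn-base` is outside the hunk, so I cannot confirm. A one-week `expire_in` is short for an SBOM, whose main value is a later audit of what was actually built; consider a longer retention, or registering the file under `artifacts:reports:cyclonedx` if the target GitLab version supports it.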