From ec6f987402b08f88c831a345be183a56fbaa1f20 Mon Sep 17 00:00:00 2001
From: Clement Bois <clement.bois@orange.com>
Date: Mon, 28 Nov 2022 16:41:25 +0000
Subject: [PATCH] feat: add a job generating software bill of materials

Signed-off-by: Clement Bois <clement.bois@orange.com>
---
 README.md                     | 11 +++++++++++
 kicker.json                   | 14 ++++++++++++++
 templates/gitlab-ci-maven.yml | 23 +++++++++++++++++++++++
 3 files changed, 48 insertions(+)

diff --git a/README.md b/README.md
index e74c471..cab1818 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,17 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |
 
+### `mvn-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name | description | default value |
+| --------------------- | -------------------------------------- | ----------------- |
+| `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
+
 ### `mvn-snapshot` & `mvn-release` jobs
 
 These jobs are **disabled by default** and perform, respectively, the following:
diff --git a/kicker.json b/kicker.json
index 457e107..1f41aa0 100644
--- a/kicker.json
+++ b/kicker.json
@@ -100,6 +100,20 @@
       "description": "This job verifies your project has no _snapshot_ dependencies. Failure is allowed in feature branches.",
       "disable_with": "MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED"
     },
+    {
+      "id": "sbom",
+      "name": "Software Bill of Materials",
+      "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)",
+      "disable_with": "MAVEN_SBOM_DISABLED",
+      "variables": [
+        {
+          "name": "MAVEN_SBOM_GEN_ARGS",
+          "description": "Maven command used for SBOM analysis",
+          "default": "org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom",
+          "advanced": true
+        }
+      ]
+    },
     {
       "id": "publish",
       "name": "Publish",
diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml
index 6371944..5487e83 100644
--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -96,6 +96,9 @@ variables:
     -DassemblyAnalyzerEnabled=false
     -Dformats=HTML,JSON,XML
 
+  # SBOM genenration arguments
+  MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
+
   # Maven deploy arguments
   MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true"
 
@@ -481,6 +484,26 @@ mvn-forbid-snapshot-dependencies:
       when: never
     - !reference [.test-policy, rules]
 
+mvn-sbom:
+  extends: .mvn-base
+  stage: test
+  # force no dependency
+  dependencies: []
+  script:
+    - mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_SBOM_GEN_ARGS -DoutputName=mvn-sbom.cyclonedx -DoutputFormat=json
+    - chmod a+r target/maven-sbom.cyclonedx.json
+  artifacts:
+    name: "SBOM for Maven from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+    expire_in: 1 week
+    when: always
+    paths:
+      - "${MAVEN_PROJECT_DIR}/target/maven-sbom.cyclonedx.json"
+  rules:
+    # exclude if disabled
+    - if: '$MAVEN_SBOM_DISABLED == "true"'
+      when: never
+    - !reference [.test-policy, rules]
+
 mvn-snapshot:
   extends: .mvn-base
   stage: publish
-- 
GitLab
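Review bot: The new `MAVEN_SBOM_GEN_ARGS` default names the plugin as `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` with no version, so unless the project's pom pins it, every pipeline run resolves whatever the newest plugin release is and the SBOM generation step is not reproducible; pinning it as `groupId:artifactId:version:goal`, e.g. `MAVEN_SBOM_GEN_ARGS: "org.cyclonedx:cyclonedx-maven-plugin:<PINNED_VERSION>:makeAggregateBom"` (version chosen by the maintainers), fixes that, and the same default appears in the README and kicker.json hunks of this commit. Quoting the value would also match the neighbouring `MAVEN_DEPLOY_ARGS` entry. The comment above it has a typo; it should read `# SBOM generation arguments`. The enclosing `variables:` mapping starts before this hunk.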
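Review bot: The file the job writes is not the file it later reads: `-DoutputName=mvn-sbom.cyclonedx` makes the plugin produce `target/mvn-sbom.cyclonedx.json`, while the `chmod` line and the `artifacts.paths` entry both name `maven-sbom.cyclonedx.json`, so the chmod step fails (and with it the job) and no SBOM is uploaded despite `when: always`. Aligning the three is a one-line change on the mvn line, `-DoutputName=maven-sbom.cyclonedx`. The chmod also uses a bare `target/` path whereas the artifact path is prefixed with `${MAVEN_PROJECT_DIR}`; that is only consistent if `.mvn-base`, defined outside this hunk, changes into that directory, which is worth confirming. `expire_in: 1 week` is short for an artifact meant to serve as the build's dependency record; if the SBOM is to be referenced later for vulnerability triage, consider a longer retention or publishing it alongside the release.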