From ec6f987402b08f88c831a345be183a56fbaa1f20 Mon Sep 17 00:00:00 2001
From: Clement Bois <clement.bois@orange.com>
Date: Mon, 28 Nov 2022 16:41:25 +0000
Subject: [PATCH] feat: add a job generating software bill of materials
Signed-off-by: Clement Bois <clement.bois@orange.com>
---
README.md | 11 +++++++++++
kicker.json | 14 ++++++++++++++
templates/gitlab-ci-maven.yml | 23 +++++++++++++++++++++++
3 files changed, 48 insertions(+)
diff --git a/README.md b/README.md
index e74c471..cab1818 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,17 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |
+### `mvn-sbom` job
+
+This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin).
+
+It is bound to the `test` stage, and uses the following variables:
+
+| Name | description | default value |
+| --------------------- | -------------------------------------- | ----------------- |
+| `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
+| `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
+
### `mvn-snapshot` & `mvn-release` jobs
These jobs are **disabled by default** and perform, respectively, the following:
diff --git a/kicker.json b/kicker.json
index 457e107..1f41aa0 100644
--- a/kicker.json
+++ b/kicker.json
@@ -100,6 +100,20 @@
"description": "This job verifies your project has no _snapshot_ dependencies. Failure is allowed in feature branches.",
"disable_with": "MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED"
},
+ {
+ "id": "sbom",
+ "name": "Software Bill of Materials",
+ "description": "This job generates a file listing all dependencies using [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)",
+ "disable_with": "MAVEN_SBOM_DISABLED",
+ "variables": [
+ {
+ "name": "MAVEN_SBOM_GEN_ARGS",
+ "description": "Maven command used for SBOM analysis",
+ "default": "org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom",
+ "advanced": true
+ }
+ ]
+ },
{
"id": "publish",
"name": "Publish",
diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml
index 6371944..5487e83 100644
--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -96,6 +96,9 @@ variables:
-DassemblyAnalyzerEnabled=false
-Dformats=HTML,JSON,XML
+ # SBOM genenration arguments
+ MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
+
# Maven deploy arguments
MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true"
@@ -481,6 +484,26 @@ mvn-forbid-snapshot-dependencies:
when: never
- !reference [.test-policy, rules]
+mvn-sbom:
+ extends: .mvn-base
+ stage: test
+ # force no dependency
+ dependencies: []
+ script:
+ - mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_SBOM_GEN_ARGS -DoutputName=mvn-sbom.cyclonedx -DoutputFormat=json
+ - chmod a+r target/maven-sbom.cyclonedx.json
+ artifacts:
+ name: "SBOM for Maven from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+ expire_in: 1 week
+ when: always
+ paths:
+ - "${MAVEN_PROJECT_DIR}/target/maven-sbom.cyclonedx.json"
+ rules:
+ # exclude if disabled
+ - if: '$MAVEN_SBOM_DISABLED == "true"'
+ when: never
+ - !reference [.test-policy, rules]
+
mvn-snapshot:
extends: .mvn-base
stage: publish
--
GitLab