This is an automated email from the ASF dual-hosted git repository.

jdaugherty pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/grails-core.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new 43d7f09221 fix: remove hashes for local components
43d7f09221 is described below

commit 43d7f092212306714264c9f7653bb8c2e670c83e
Author: James Daugherty <[email protected]>
AuthorDate: Wed Oct 15 15:39:28 2025 -0400

    fix: remove hashes for local components
---
 .../org/apache/grails/buildsrc/SbomPlugin.groovy   | 151 +++++++++++----------
 1 file changed, 81 insertions(+), 70 deletions(-)

diff --git 
a/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
 
b/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
index de2e17d980..75479c7568 100644
--- 
a/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
+++ 
b/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
@@ -61,60 +61,60 @@ class SbomPlugin implements Plugin<Project> {
 
     // licenses are standardized @ https://spdx.org/licenses/
     private static Map<String, LinkedHashMap<String, String>> LICENSES = [
-        'Apache-2.0'  : [
-            id : 'Apache-2.0',
-            url: 'https://www.apache.org/licenses/LICENSE-2.0'
-        ],
-        'BSD-2-Clause': [
-            id : 'BSD-2-Clause',
-            url: 'https://opensource.org/license/bsd-3-clause/'
-        ],
-        'BSD-3-Clause': [
-            id : 'BSD-3-Clause',
-            url: 'https://opensource.org/license/bsd-3-clause/'
-        ],
-        // Variant of Apache 1.1 license. Approved by legal LEGAL-707
-        'OpenSymphony': [
-            // id is optional and the opensymphony license doesn't have an 
SPDX id
-            name: 'The OpenSymphony Software License, Version 1.1',
-            url : 
'https://raw.githubusercontent.com/sitemesh/sitemesh2/refs/heads/master/LICENSE.txt'
-        ],
-        'UPL-1.0'     : [
-            id : 'UPL-1.0',
-            url: 'https://oss.oracle.com/licenses/upl/'
-        ],
+            'Apache-2.0'  : [
+                    id : 'Apache-2.0',
+                    url: 'https://www.apache.org/licenses/LICENSE-2.0'
+            ],
+            'BSD-2-Clause': [
+                    id : 'BSD-2-Clause',
+                    url: 'https://opensource.org/license/bsd-3-clause/'
+            ],
+            'BSD-3-Clause': [
+                    id : 'BSD-3-Clause',
+                    url: 'https://opensource.org/license/bsd-3-clause/'
+            ],
+            // Variant of Apache 1.1 license. Approved by legal LEGAL-707
+            'OpenSymphony': [
+                    // id is optional and the opensymphony license doesn't 
have an SPDX id
+                    name: 'The OpenSymphony Software License, Version 1.1',
+                    url : 
'https://raw.githubusercontent.com/sitemesh/sitemesh2/refs/heads/master/LICENSE.txt'
+            ],
+            'UPL-1.0'     : [
+                    id : 'UPL-1.0',
+                    url: 'https://oss.oracle.com/licenses/upl/'
+            ],
     ]
 
     private static Map<String, String> LICENSE_MAPPING = [
-        'pkg:maven/org.antlr/[email protected]?type=jar'               : 
'BSD-3-Clause', // maps incorrectly because of 
https://github.com/CycloneDX/cyclonedx-core-java/issues/205
-        'pkg:maven/jline/[email protected]?type=jar'                           : 
'BSD-2-Clause', // maps incorrectly because of 
https://github.com/CycloneDX/cyclonedx-core-java/issues/205
-        'pkg:maven/org.jline/[email protected]?type=jar'                       : 
'BSD-2-Clause', // maps incorrectly because of 
https://github.com/CycloneDX/cyclonedx-core-java/issues/205
-        'pkg:maven/org.liquibase.ext/[email protected]?type=jar': 
'Apache-2.0', // maps incorrectly because of 
https://github.com/liquibase/liquibase/issues/2445 & the base pom does not 
define a license
-        'pkg:maven/com.oracle.coherence.ce/[email protected]?type=pom': 
'UPL-1.0', // does not have map based on license id
-        'pkg:maven/com.oracle.coherence.ce/[email protected]?type=pom': 
'UPL-1.0', // does not have map based on license id
-        'pkg:maven/opensymphony/[email protected]?type=jar'                  : 
'OpenSymphony', // custom license approved by legal LEGAL-707
-        'pkg:maven/org.jruby/[email protected]?type=jar'                        : 
'BSD-3-Clause'// 
https://web.archive.org/web/20240822213507/http://www.jcraft.com/jzlib/LICENSE.txt
 shows it's a 3 clause
+            'pkg:maven/org.antlr/[email protected]?type=jar'               
: 'BSD-3-Clause', // maps incorrectly because of 
https://github.com/CycloneDX/cyclonedx-core-java/issues/205
+            'pkg:maven/jline/[email protected]?type=jar'                           
: 'BSD-2-Clause', // maps incorrectly because of 
https://github.com/CycloneDX/cyclonedx-core-java/issues/205
+            'pkg:maven/org.jline/[email protected]?type=jar'                       
: 'BSD-2-Clause', // maps incorrectly because of 
https://github.com/CycloneDX/cyclonedx-core-java/issues/205
+            
'pkg:maven/org.liquibase.ext/[email protected]?type=jar': 
'Apache-2.0', // maps incorrectly because of 
https://github.com/liquibase/liquibase/issues/2445 & the base pom does not 
define a license
+            
'pkg:maven/com.oracle.coherence.ce/[email protected]?type=pom': 'UPL-1.0', 
// does not have map based on license id
+            
'pkg:maven/com.oracle.coherence.ce/[email protected]?type=pom': 'UPL-1.0', 
// does not have map based on license id
+            'pkg:maven/opensymphony/[email protected]?type=jar'                  
: 'OpenSymphony', // custom license approved by legal LEGAL-707
+            'pkg:maven/org.jruby/[email protected]?type=jar'                        
: 'BSD-3-Clause'// 
https://web.archive.org/web/20240822213507/http://www.jcraft.com/jzlib/LICENSE.txt
 shows it's a 3 clause
     ]
 
     // we don't distribute these so these licenses are considered acceptable, 
but we still prefer ASF licenses.
     // Require a whitelist of any case of category X licenses to prevent 
accidental inclusion in a distributed artifact
     // this list will need to be updated anytime we change versions so we can 
revise the licenses
     private static Map<String, LinkedHashMap<String, String>> 
LICENSE_EXCEPTIONS = [
-        'grails-data-hibernate5-core'       : [
-            
'pkg:maven/org.hibernate.common/[email protected]?type=jar':
 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license in 
hibernate 7
-            
'pkg:maven/org.hibernate/[email protected]?type=jar'          
   : 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license 
in hibernate 7
-        ],
-        'grails-data-hibernate5'            : [
-            
'pkg:maven/org.hibernate.common/[email protected]?type=jar':
 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license in 
hibernate 7
-            
'pkg:maven/org.hibernate/[email protected]?type=jar'          
   : 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license 
in hibernate 7
-        ],
-        'grails-data-hibernate5-spring-boot': [
-            
'pkg:maven/org.hibernate.common/[email protected]?type=jar':
 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license in 
hibernate 7
-            
'pkg:maven/org.hibernate/[email protected]?type=jar'          
   : 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license 
in hibernate 7
-        ],
-        'grails-data-hibernate5-dbmigration': [
-            'pkg:maven/javax.xml.bind/[email protected]?type=jar': 'CDDL-1.1', // 
api export
-        ],
+            'grails-data-hibernate5-core'       : [
+                    
'pkg:maven/org.hibernate.common/[email protected]?type=jar':
 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license in 
hibernate 7
+                    
'pkg:maven/org.hibernate/[email protected]?type=jar'          
   : 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license 
in hibernate 7
+            ],
+            'grails-data-hibernate5'            : [
+                    
'pkg:maven/org.hibernate.common/[email protected]?type=jar':
 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license in 
hibernate 7
+                    
'pkg:maven/org.hibernate/[email protected]?type=jar'          
   : 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license 
in hibernate 7
+            ],
+            'grails-data-hibernate5-spring-boot': [
+                    
'pkg:maven/org.hibernate.common/[email protected]?type=jar':
 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license in 
hibernate 7
+                    
'pkg:maven/org.hibernate/[email protected]?type=jar'          
   : 'LGPL-2.1-only', // hibernate 5 is LGPL, we are migrating to ASF license 
in hibernate 7
+            ],
+            'grails-data-hibernate5-dbmigration': [
+                    'pkg:maven/javax.xml.bind/[email protected]?type=jar': 
'CDDL-1.1', // api export
+            ],
     ]
 
     @Override
@@ -122,11 +122,11 @@ class SbomPlugin implements Plugin<Project> {
         project.pluginManager.apply(CycloneDxPlugin)
 
         def sbomOutputLocation = project.layout.buildDirectory.file(
-            project.provider {
-                def artifactId = lookupProperty(project, 'pomArtifactId', 
project.name)
-                def version = project.findProperty('projectVersion')
-                "$artifactId-$version-sbom.json" as String
-            }
+                project.provider {
+                    def artifactId = lookupProperty(project, 'pomArtifactId', 
project.name)
+                    def version = project.findProperty('projectVersion')
+                    "$artifactId-$version-sbom.json" as String
+                }
         )
 
         configureSbomTask(project, sbomOutputLocation)
@@ -144,25 +144,25 @@ class SbomPlugin implements Plugin<Project> {
                 projectType = Component.Type.valueOf(lookupProperty(project, 
'sbomProjectType', 'FRAMEWORK'))
                 componentName = lookupProperty(project, 'pomArtifactId', 
project.name)
                 [email protected](new OrganizationalEntity(
-                    name: 'Apache Software Foundation',
-                    urls: [
-                        'https://www.apache.org/',
-                        'https://security.apache.org/'
-                    ],
-                    contacts: [
-                        new OrganizationalContact(
-                            name: 'Apache Grails Development Team',
-                            email: '[email protected]'
-                        )
-                    ]
+                        name: 'Apache Software Foundation',
+                        urls: [
+                                'https://www.apache.org/',
+                                'https://security.apache.org/'
+                        ],
+                        contacts: [
+                                new OrganizationalContact(
+                                        name: 'Apache Grails Development Team',
+                                        email: '[email protected]'
+                                )
+                        ]
                 ))
                 [email protected](new LicenseChoice(
-                    licenses: [
-                        new License(
-                            name: 'Apache-2.0',
-                            url: 
'https://www.apache.org/licenses/LICENSE-2.0.txt'
-                        )
-                    ]
+                        licenses: [
+                                new License(
+                                        name: 'Apache-2.0',
+                                        url: 
'https://www.apache.org/licenses/LICENSE-2.0.txt'
+                                )
+                        ]
                 ))
 
                 def projectVersion = 
project.findProperty('projectVersion').toString()
@@ -181,7 +181,7 @@ class SbomPlugin implements Plugin<Project> {
                         )
                 ]
 
-                if(!projectVersion.endsWith('SNAPSHOT')) {
+                if (!projectVersion.endsWith('SNAPSHOT')) {
                     references.add(
                             new ExternalReference(
                                     url: 
"https://grails.apache.org/docs/${project.findProperty('projectVersion')}/index.html",
@@ -214,21 +214,32 @@ class SbomPlugin implements Plugin<Project> {
                         ZonedDateTime buildDate = lookupProperty(project, 
'buildDate')
                         bom['metadata']['timestamp'] = 
DateTimeFormatter.ISO_INSTANT.format(buildDate.truncatedTo(ChronoUnit.SECONDS))
 
-                        // components[*].licenses
+                        // components[*]
                         def comps = (bom instanceof Map && bom.components 
instanceof List) ? bom.components : []
                         comps.each { c ->
+                            // .licenses => choose a license that is 
compatible with ASF policy if multiple licensed
                             if (c instanceof Map && c.licenses instanceof List 
&& !(c.licenses as List).empty) {
                                 def chosen = pickLicense(task, c['bom-ref'] as 
String, c.licenses as List)
                                 if (chosen != null) {
                                     c.licenses = [chosen]
                                 }
                             }
+
+                            // .hashes => project hashes are only generated if 
the jar file has been created,
+                            // which with a parallel build may not have 
occurred, so for any dependency that is a
+                            // project we exclude them
+                            if (c instanceof Map && c.hashes instanceof List 
&& !(c.hashes as List).empty) {
+                                def componentPath = c['bom-ref'] as String
+                                if (componentPath.contains('?project_path=')) {
+                                    c.remove('hashes')
+                                }
+                            }
                         }
 
                         // dependencies[*].dependsOn is not reproducible, so 
sort it
                         def dependencies = (bom instanceof Map && 
bom.dependencies instanceof List) ? bom.dependencies : []
                         dependencies.each { d ->
-                            if(d instanceof Map && d.dependsOn instanceof List 
&& !(d.dependsOn as List).empty) {
+                            if (d instanceof Map && d.dependsOn instanceof 
List && !(d.dependsOn as List).empty) {
                                 d.dependsOn = (d.dependsOn as List).sort()
                             }
                         }
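Review bot: The new hashes branch dereferences `c['bom-ref'] as String` without a null check, so a component that carries hashes but no bom-ref would throw at `componentPath.contains('?project_path=')`; the licenses branch above makes the same cast but hands the value to pickLicense, whose null handling is outside this hunk. A safe-navigation call, `if (componentPath?.contains('?project_path=')) {`, keeps the intent without the failure mode. Separately, the comment justifies dropping hashes with parallel-build ordering, but the effect for SBOM consumers is that project-built components lose their integrity hashes entirely rather than getting correct ones; if the jar-before-hash ordering is the real problem, an explicit task dependency on the producing jar task would keep the hashes, and the comment should at least say that dropping them is a deliberate trade-off so nobody later reads the missing hashes as a generator bug. The substring match also deserves a comment naming where the `?project_path=` qualifier comes from (presumably the CycloneDxPlugin applied earlier in this file), since any purl containing that text anywhere in the bom-ref would match. The enclosing task configuration closure starts and ends outside the hunk.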
