This is an automated email from the ASF dual-hosted git repository. vy pushed a commit to branch 2.x in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit ee9c39b3f646e9b289127041ceb27dbb7da8b7ea Author: Volkan Yazıcı <[email protected]> AuthorDate: Fri Oct 20 14:54:23 2023 +0200 Implement and document SBOM (#1707)
---
 pom.xml | 20 ++++++++++++++++++++ src/site/markdown/maven-artifacts.md.vm | 20 ++++++++++++-------- src/site/site.xml | 15 ++++++++------- 3 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/pom.xml b/pom.xml
index 26d4ccd905..99680751c7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -524,6 +524,26 @@
 <plugins>
+ <!-- `cyclonedx-maven-plugin` doesn't exclude not installed/deployed modules: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/409
+ This `generate-sbom` execution override configures such exclusions. -->
+ <plugin>
+ <groupId>org.cyclonedx</groupId>
+ <artifactId>cyclonedx-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>generate-sbom</id>
+ <configuration combine.self="append">
+ <excludeArtifactId>log4j-api-java9</excludeArtifactId>
+ <excludeArtifactId>log4j-core-its</excludeArtifactId>
+ <excludeArtifactId>log4j-core-java9</excludeArtifactId>
+ <excludeArtifactId>log4j-layout-template-json-test</excludeArtifactId>
+ <excludeArtifactId>log4j-osgi-test</excludeArtifactId>
+ <excludeArtifactId>log4j-perf-test</excludeArtifactId>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <!-- Enable BOM flattening -->
 <plugin>
 <groupId>org.codehaus.mojo</groupId>
diff --git a/src/site/markdown/maven-artifacts.md.vm b/src/site/markdown/maven-artifacts.md.vm
index 50d640da1d..4459c300ed 100644
--- a/src/site/markdown/maven-artifacts.md.vm
+++ b/src/site/markdown/maven-artifacts.md.vm
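Review bot: The exclusion list under the `generate-sbom` execution is a hand-maintained mirror of which modules are not installed/deployed, and nothing in the hunk ties it to those modules' own skip settings, so a future test-only module added without an entry here will appear in the published SBOM as a shipped component, while a stale entry would hide a shipped one from vulnerability matching. A comment on the `<configuration>` element would make that maintenance contract explicit, e.g. `<!-- Keep in sync with the modules that skip install/deploy; a missing or stale entry makes the published SBOM misstate what is shipped. -->`. `combine.self="append"` presumably merges these entries into an execution of the same id inherited from the parent POM, whose baseline configuration is not in this diff. The enclosing `<plugins>` element begins and ends outside the hunk.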
@@ -123,15 +123,14 @@ To build with [SBT](http://www.scala-sbt.org/), add the dependencies listed belo
 #sbt(['log4j-api', 'log4j-core'])
-$h2 Bill of Material
+$h2 Maven Bill of Materials (BOM)
-To keep your Log4j module versions in sync with each other, a
-<abbr id="Bill of Material">BOM</abbr>
-pom.xml file is provided for your convenience. To use this with
-[Maven](https://maven.apache.org/), add the dependency listed below to your
-`pom.xml`
-file. When you specify the version identifier in this section, you don't have to specify the version in your
-`<dependencies/>` section.
+To keep your Log4j module versions aligned, a [Maven Bill of Materials (BOM) POM](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms) is provided for your convenience.
+
+To use this with Maven, add the dependency listed below to your `pom.xml` file.
+Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
+This will *import* all modules bundled with the associated Log4j release to your `dependencyManagement`.
+As a result, you don't have to specify versions of the imported modules (`log4j-api`, `log4j-core`, etc.) while adding them using `<dependency>` elements.
 `pom.xml`
@@ -188,6 +187,11 @@ dependencies {
 }
 ```
+$h2 CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `2.22.0`, Log4j distributes [CyclenoDX Software Bill of Materials (SBOM)](https://cyclonedx.org/capabilities/sbom/) along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
+
 $h2 Optional Components
 Log4j 2.x contains several optional components that can be included in an application.
diff --git a/src/site/site.xml b/src/site/site.xml
index 75e6c4e206..3eda6908ef 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -46,13 +46,14 @@
 <item name="Download" href="/download.html"/>
 <item name="Support" href="/support.html"/>
 <item name="Maven, Ivy, Gradle Artifacts" href="/maven-artifacts.html" collapse="true">
- <item name="Maven" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Maven_build" />
- <item name="Ivy" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Ivy_build" />
- <item name="Gradle" href="/maven-artifacts.html#Using_Log4j_in_your_Gradle_build" />
- <item name="SBT" href="/maven-artifacts.html#Using_Log4j_in_your_SBT_build" />
- <item name="Bill of Material" href="/maven-artifacts.html#Bill_of_Material" />
- <item name="Optional Components" href="/maven-artifacts.html#Optional_Components" />
- <item name="Snapshot builds" href="/maven-artifacts.html#Snapshot_builds" />
+ <item name="Maven" href="/maven-artifacts.html#using-log4j-in-your-apache-maven-build" />
+ <item name="Ivy" href="/maven-artifacts.html#using-log4j-in-your-apache-ivy-build" />
+ <item name="Gradle" href="/maven-artifacts.html#using-log4j-in-your-gradle-build" />
+ <item name="SBT" href="/maven-artifacts.html#using-log4j-in-your-sbt-build" />
+ <item name="Maven Bill of Materials (BOM)" href="/maven-artifacts.html#maven-bill-of-materials-bom" />
+ <item name="CycloneDX Software Bill of Materials (SBOM)" href="/maven-artifacts.html#cyclonedx-software-bill-of-materials-sbom" />
+ <item name="Optional Components" href="/maven-artifacts.html#optional-components" />
+ <item name="Snapshot builds" href="/maven-artifacts.html#snapshot-builds" />
 </item>
 <item name="Release Notes" href="/release-notes.html"/>
 <item name="FAQ" href="/faq.html"/>
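Review bot: Every `href` fragment in the replaced items switches from the `#Using_Log4j_in_your_Apache_Maven_build` form to lowercase-hyphenated ids such as `#using-log4j-in-your-apache-maven-build`, yet neither this hunk nor the pom.xml change in the same commit touches whatever generates heading ids, so these links only resolve if the site plugin already emits the new form (presumably via the parent POM, which is not in this diff). A site build that checks each anchor exists is worth running before merge, since a dangling fragment degrades silently to a page-top landing instead of failing the build. The `maven-artifacts.md.vm` hunk does add the `CycloneDX Software Bill of Materials (SBOM)` heading that the new entry targets, so that pair is at least consistent with each other.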
