This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/main by this push:
     new a42c605fb91 SOLR-16796: Add Maven SBOMs via cyclonedx (#1203)
a42c605fb91 is described below

commit a42c605fb916439222a086356f368f02cf80304a
Author: Arnout Engelen <[email protected]>
AuthorDate: Mon Jun 10 19:13:35 2024 +0200

    SOLR-16796: Add Maven SBOMs via cyclonedx (#1203)
    
    Co-authored-by: Kevin Risden <[email protected]>
    Co-authored-by: Houston Putman <[email protected]>
---
 build.gradle                       |  2 ++
 gradle/maven/cyclonedx-bom.gradle  | 61 ++++++++++++++++++++++++++++++++++++++
 gradle/maven/defaults-maven.gradle |  4 +++
 solr/CHANGES.txt                   |  2 ++
 4 files changed, 69 insertions(+)

diff --git a/build.gradle b/build.gradle
index 9da30ad4bf7..c9193bd7b6b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -28,6 +28,7 @@ plugins {
   id 'net.ltgt.errorprone' version '3.1.0' apply false
   id 'com.diffplug.spotless' version '6.5.2' apply false
   id 'com.github.node-gradle.node' version '7.0.1' apply false
+  id 'org.cyclonedx.bom' version '1.8.2' apply false
 }
 
 // Declare default Java versions for the entire project and for SolrJ 
separately
@@ -134,6 +135,7 @@ apply from: 
file('gradle/testing/alternative-jdk-support.gradle')
 apply from: file('gradle/java/jar-manifest.gradle')
 
 // Publishing and releasing
+apply from: file('gradle/maven/cyclonedx-bom.gradle')
 apply from: file('gradle/maven/defaults-maven.gradle')
 
 // IDE support, settings and specials.
diff --git a/gradle/maven/cyclonedx-bom.gradle 
b/gradle/maven/cyclonedx-bom.gradle
new file mode 100644
index 00000000000..6daa502b30c
--- /dev/null
+++ b/gradle/maven/cyclonedx-bom.gradle
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This adds CycloneDX BOM (SBOM) generation for all Solr Maven artifacts
+
+allprojects { prj ->
+  plugins.withType(JavaPlugin) {
+    prj.apply plugin: 'org.cyclonedx.bom'
+
+    ext {
+      sbomDir = layout.buildDirectory.dir("sbom")
+    }
+
+    configurations {
+      sbom
+    }
+
+    def baseName = prj.archivesBaseName + "-" + version + "-cyclonedx"
+
+    cyclonedxBom {
+      includeConfigs = ["runtimeClasspath"]
+      skipConfigs = ["compileClasspath", "testCompileClasspath"]
+      projectType = "library"
+      destination = sbomDir.map(Directory::getAsFile)
+      outputName = baseName
+      outputFormat = "all"
+      includeBomSerialNumber = true
+      componentVersion = version
+    }
+    assemble.dependsOn cyclonedxBom
+
+    ext {
+      sbomXmlArtifact = artifacts.add('sbom', sbomDir.map(d -> d.file(baseName 
+ ".xml"))) {
+        type 'cyclonedx'
+        extension = 'xml'
+        classifier = 'cyclonedx'
+        builtBy cyclonedxBom
+      }
+      sbomJsonArtifact = artifacts.add('sbom', sbomDir.map(d -> 
d.file(baseName + ".json"))) {
+        type 'cyclonedx'
+        extension = 'json'
+        classifier = 'cyclonedx'
+        builtBy cyclonedxBom
+      }
+    }
+  }
+}
\ No newline at end of file
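Review bot: `includeBomSerialNumber = true` in the `cyclonedxBom {}` block stamps every generated BOM with a fresh random `urn:uuid` serial, so two builds of the same revision yield byte-different SBOMs; if the release process compares rebuilt artifacts against the published ones (reproducible-build verification), the cyclonedx artifacts will be the only ones that never match, and `includeBomSerialNumber = false` is the usual choice there. The `skipConfigs = ["compileClasspath", "testCompileClasspath"]` line is redundant once `includeConfigs = ["runtimeClasspath"]` already restricts the scan to a single configuration, so either drop it or add a comment explaining why both are set. The two separate `ext { }` blocks could be merged for readability, and the file is missing its trailing newline.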
diff --git a/gradle/maven/defaults-maven.gradle 
b/gradle/maven/defaults-maven.gradle
index 96e82dcc1c4..14860a688c5 100644
--- a/gradle/maven/defaults-maven.gradle
+++ b/gradle/maven/defaults-maven.gradle
@@ -149,6 +149,10 @@ configure(subprojects.findAll { it.path in 
rootProject.published }) { prj ->
             artifact sourcesJar
             artifact javadocJar
 
+            // Include SBOM artifacts
+            artifact(sbomXmlArtifact)
+            artifact(sbomJsonArtifact)
+
             pom(configurePom)
 
             pom({
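Review bot: The SBOM artifacts are attached to the publication here, but nothing in this hunk shows them being covered by the same PGP signing and checksum generation that the jar, sources and javadoc artifacts receive; if the `signing` plugin signs the whole publication elsewhere in this file they are included automatically, otherwise a downloaded SBOM cannot be verified, which defeats its purpose for supply-chain checks, so this is worth confirming. `sbomXmlArtifact` and `sbomJsonArtifact` are `ext` properties defined only for projects where the Java plugin is applied, so any published subproject without it would fail with a missing-property error; a comment such as `// sbom*Artifact are defined in gradle/maven/cyclonedx-bom.gradle for Java projects` would make that coupling explicit. The enclosing publication block starts and ends outside the hunk.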
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index f340847f34c..1e41d5fdea6 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -169,6 +169,8 @@ Other Changes
 
 * SOLR-16503: Use Jetty HTTP2 for SyncStrategy and PeerSyncWithLeader for 
"recovery" operations (Sanjay Dutt, David Smiley)
 
+* SOLR-16796: Include cyclonedx SBOMs with maven artifacts (Arnout Engelen, 
Houston Putman, Kevin Risden)
+
 ==================  9.6.1 ==================
 Bug Fixes
 ---------------------
