ppkarwasz opened a new pull request, #3929: URL: https://github.com/apache/solr/pull/3929
# Description

This change adds generation of CycloneDX SBOMs for both the **full** and **slim** Solr binary distributions. Two new tasks in the `:solr:packaging` module produce SBOMs at build time using resolvable configurations that mirror the actual runtime dependencies included in each distribution. Each SBOM is written as `bom.json` and packaged into the root of the corresponding distribution directory or `.tar.gz` archive.

# Solution

Solr produces two distinct binary distributions, so the standard `cyclonedxBom` task from the [CycloneDX Gradle plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin) cannot be used directly. Instead of applying the plugin, this PR introduces:

* Two custom SBOM tasks: `cyclonedxFull` and `cyclonedxSlim`
* Two corresponding configurations: `bomFull` and `bomSlim`

The existing `packaging` configuration cannot be reused because it contains only the **assembled directory** of dependencies, not the resolvable dependency graph itself. The new configurations therefore pull from the underlying project configurations that feed into `packaging`, ensuring that the SBOMs accurately reflect the dependencies that end up in each distribution.

# Tests

Running any distribution-related task (`fullDistTar`, `installFullDist`, `slimDistTar`, or `installSlimDist`) now produces a `bom.json` file in the output artifact for that distribution.

# Checklist

Please review the following and check all that apply:

- [ ] I have reviewed the guidelines for [How to Contribute](https://github.com/apache/solr/blob/main/CONTRIBUTING.md) and my code conforms to the standards described there to the best of my ability.
- [ ] I have created a Jira issue and added the issue ID to my pull request title.
- [ ] I have given Solr maintainers [access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) to contribute to my PR branch. (optional but recommended, not available for branches on forks living under an organisation)
- [ ] I have developed this patch against the `main` branch.
- [ ] I have run `./gradlew check`.
- [ ] I have added tests for my changes.
- [ ] I have added documentation for the [Reference Guide](https://github.com/apache/solr/tree/main/solr/solr-ref-guide)
- [ ] I have added a [changelog entry](https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc) for my change
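The PR's stated goal is that each `bom.json` accurately reflects the jars shipped in its distribution. One way to check that claim after a build, as an added example that is not part of the PR or of Solr: read the CycloneDX JSON, derive the expected jar file names from each component's Maven purl, and diff them against the jars found in the unpacked distribution. The SBOM content and jar listing below are constructed, and the purl-to-filename mapping (`<artifactId>-<version>.jar`) is an assumption about Maven naming conventions.

```python
"""Cross-check a CycloneDX bom.json against the jars actually shipped.

Added example, not code from the Solr PR. The SBOM and the jar listing are
constructed; mapping a Maven purl to '<artifactId>-<version>.jar' is an
assumption based on the usual Maven artifact naming.
"""
import json
import re
from pathlib import Path

# Constructed CycloneDX JSON document in the shape CycloneDX tooling emits.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.example", "name": "lib-a",
         "version": "1.2.3", "purl": "pkg:maven/org.example/lib-a@1.2.3?type=jar"},
        {"type": "library", "group": "org.example", "name": "lib-b",
         "version": "4.0", "purl": "pkg:maven/org.example/lib-b@4.0?type=jar"},
    ],
})

# Constructed listing of jar files found in the unpacked distribution.
SAMPLE_JARS = ["lib-a-1.2.3.jar", "lib-c-9.9.jar"]

# Minimal Maven purl parser: pkg:maven/<group>/<name>@<version>[?qualifiers]
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@]+)@(?P<version>[^?#]+)")


def sbom_jar_names(bom_text):
    """Return the set of jar basenames a CycloneDX JSON SBOM says were shipped."""
    bom = json.loads(bom_text)
    names = set()
    for comp in bom.get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if m:
            names.add(f"{m['name']}-{m['version']}.jar")
        elif comp.get("name") and comp.get("version"):
            # Fall back to name/version fields when no purl is present.
            names.add(f"{comp['name']}-{comp['version']}.jar")
    return names


def diff_sbom_against_jars(bom_text, jar_paths):
    """Return (listed in SBOM but not shipped, shipped but absent from SBOM)."""
    expected = sbom_jar_names(bom_text)
    shipped = {Path(p).name for p in jar_paths}
    return sorted(expected - shipped), sorted(shipped - expected)


if __name__ == "__main__":
    missing, undocumented = diff_sbom_against_jars(SAMPLE_BOM, SAMPLE_JARS)
    print("in SBOM but not shipped:", missing)
    print("shipped but not in SBOM:", undocumented)
```

Against a real build, replace `SAMPLE_JARS` with a glob over the distribution's jar directories; a non-empty second list means the SBOM under-reports what was actually packaged.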
