set -eu
# Add mvn executable into PATH
-export PATH=$PATH:${MVN::-4}
+export PATH=${MVN::-4}:$PATH
SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
echo "wget ${SBOM_GENERATOR_VERSION} failed"
exit 1;
fi
-tar -xvf "${SBOM_LOCATION}"
+# Extract SBOM bin in SBOM_PATH
+# This is a workaround until the --path flag works
+# https://github.com/opensbom-generator/spdx-sbom-generator/issues/227
+# shellcheck disable=SC2086
+tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
echo "INFO: running spdx-sbom-generator"
-./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+# shellcheck disable=SC2086
+cd ${SBOM_PATH}
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
+
+# Maven artifacts
+if [[ "$JOB_NAME" =~ "maven" ]]; then
+ mvn_group_id=$("$MVN" help:evaluate -Dexpression=project.groupId -q -DforceStdout \
+ -s "$SETTINGS_FILE" -gs "$GLOBAL_SETTINGS_FILE")
+ group_id_path="${mvn_group_id//.//}"
+ release_version=$("$MVN" help:evaluate -Dexpression=project.version -q -DforceStdout \
+ -s "$SETTINGS_FILE" -gs "$GLOBAL_SETTINGS_FILE")
+
+ mv "${WORKSPACE}/archives/bom-Java-Maven.spdx" \
+ "${WORKSPACE}/archives/${PROJECT##*/}-sbom-${release_version}.spdx"
+ cp "${WORKSPACE}/archives/${PROJECT##*/}-sbom-${release_version}.spdx" \
+ "${WORKSPACE}/m2repo/${group_id_path}/${PROJECT##*/}-sbom-${release_version}.spdx"
+fi
+
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
echo "---> sbom-generator.sh ends"
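Review bot: Nothing verifies the downloaded archive before `tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}` unpacks it and `./spdx-sbom-generator` runs it with the workspace and `-g "$GLOBAL_SETTINGS_FILE"`, so a replaced or tampered release asset would execute inside the job. Pin a digest per version and check it before extraction, e.g. `echo "${SBOM_GENERATOR_SHA256}  ${SBOM_LOCATION}" | sha256sum -c -`, where `SBOM_GENERATOR_SHA256` is a placeholder for a job parameter this page does not define. The two `# shellcheck disable=SC2086` suppressions can go if the path is quoted, `-C "${SBOM_PATH}"` and `cd "${SBOM_PATH}"`, which also keeps a value containing spaces or glob characters from being split. `release_version` and `group_id_path` come from the project POM and are interpolated into the `mv`/`cp` destinations, so a guard such as `[[ "$release_version" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` before the `mv` would keep the version to plain file-name characters. The `if` block that performs the download begins above this hunk, so the fetch command itself is not visible here.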