- Allow the usage of a maven settings file to resolve transitive
dependencies
- Update sbom file name to reflect more information
Issue: RELENG-4300
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
Change-Id: Ibc5f636a946879282b594c3975a1ca53bc159f6a
sbom-flags: ""
sbom-path: "$WORKSPACE"
sbom-generator: false
sbom-flags: ""
sbom-path: "$WORKSPACE"
sbom-generator: false
- sbom-generator-version: "v0.0.10"
+ sbom-generator-version: "v0.0.15"
sign-artifacts: false
sign-mode: serial
stream: master
sign-artifacts: false
sign-mode: serial
stream: master
--- /dev/null
+---
+fixes:
+ - |
+ Update to the latest version of SBOM (v0.0.15) that allows the usage of
+ a custom maven settings file to resolve transitive dependencies.
+ Update thebom-generator script to pass the project's global settings file
+ and update the sbom file name so is better identifiable.
set -eu
# Add mvn executable into PATH
set -eu
# Add mvn executable into PATH
-export PATH=$PATH:${MVN::-4}
+export PATH=${MVN::-4}:$PATH
SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
echo "INFO: running spdx-sbom-generator"
cd ${SBOM_PATH}
tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
echo "INFO: running spdx-sbom-generator"
cd ${SBOM_PATH}
-./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
+mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
echo "---> sbom-generator.sh ends"
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
echo "---> sbom-generator.sh ends"
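Review bot: The added `-g "$GLOBAL_SETTINGS_FILE"` on the `./spdx-sbom-generator` line gives the job's Maven settings file to a binary that is fetched from a release URL and unpacked with `tar -xzf`, and no digest check is visible between those two steps (the download command itself is outside the lines shown, so a check may exist there). Maven settings files commonly hold repository credentials, so I would pin the tarball before extraction, e.g. `echo "${SBOM_SHA256}  ${SBOM_LOCATION}" | sha256sum -c -`, where `SBOM_SHA256` is a placeholder for a new parameter set next to `sbom-generator-version`. Separately, under `set -eu` an unset `GLOBAL_SETTINGS_FILE` or a generator output not named `bom-Java-Maven.spdx` aborts the script before the `mv`/`rm` cleanup, leaving the downloaded binary in `${SBOM_PATH}`. Moving that cleanup into a `trap` and using `"${GLOBAL_SETTINGS_FILE:?}"` would make the failure explicit.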