:mvn-goals: The maven goals to perform for the build.
(default: clean install)
+lf-infra-maven-sbom-generator
+-----------------------------
+
+Runs a specific version of SPDX SBOM Generator tool to generate a report.
+The calling job template sets the version to run in the SBOM_GENERATOR_VERSION parameter.
+
+:Optional parameters:
+ :sbom-flags: SBOM generator options. See https://github.com/opensbom-generator/spdx-sbom-generator
+
Job Templates
=============
:mvn-version: Version of maven to use. (default: mvn35)
:ossrh-profile-id: Profile ID for project as provided by OSSRH.
(default: '')
+ :sbom-flags: SBOM generator options if using sbom-generator.
+ See https://github.com/opensbom-generator/spdx-sbom-generator
+ :sbom-generator: Calls lf-infra-maven-sbom-generator to run the SPDX SBOM generator tool.
+ (default: false)
+ :sbom-generator-version: SBOM generator version to download and run if using sbom-generator.
+ (default: v0.0.10)
:sign-artifacts: Sign artifacts with Sigul. (default: false)
:stream: Keyword that represents a release code-name.
Often the same as the branch. (default: master)
mvn-version: mvn35
ossrh-profile-id: ""
mvn-pom: ""
+ sbom-flags: ""
+ sbom-generator: false
+ sbom-generator-version: "v0.0.10"
sign-artifacts: false
sign-mode: serial
stream: master
name: STAGING_PROFILE_ID
default: "{staging-profile-id}"
description: Nexus staging profile ID.
+ - string:
+ name: SBOM_GENERATOR_VERSION
+ default: "{sbom-generator-version}"
+ description: SBOM generator version to download and run.
builders:
- lf-infra-pre-build
- shell: !include-raw-escape: ../shell/maven-patch-release.sh
- lf-maven-build:
mvn-goals: "{mvn-goals}"
+ # With SBOM Generator
+ - conditional-step:
+ condition-kind: boolean-expression
+ condition-expression: "{sbom-generator}"
+ steps:
+ - shell: echo 'Running SBOM Generator'
+ - lf-infra-maven-sbom-generator:
+ sbom-flags: "{sbom-flags}"
- lf-sigul-sign-dir:
sign-artifacts: "{sign-artifacts}"
sign-dir: "$WORKSPACE/m2repo"
mvn-settings: "{mvn-settings}"
mvn-version: "{mvn-version}"
+- builder:
+ name: lf-infra-maven-sbom-generator
+ # Run Maven goals and trigger SPDX SBOM Generator tool
+ builders:
+ - inject:
+ properties-content: |
+ SBOM_FLAGS={sbom-flags}
+ - shell: !include-raw-escape:
+ - ../shell/sbom-generator.sh
+
- builder:
name: lf-infra-maven-sonar
# Run a Sonar build with Maven
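Review bot: The new `lf-infra-maven-sbom-generator` builder writes `!include-raw-escape:` in list form (`- ../shell/sbom-generator.sh`) while the same file uses the scalar form `!include-raw-escape: ../shell/maven-patch-release.sh` a few hunks up; both work in JJB, but the file should pick one form. The header comment `# Run Maven goals and trigger SPDX SBOM Generator tool` also overstates what the builder does: it only injects `SBOM_FLAGS` and runs the script, so `# Inject SBOM_FLAGS and run the SPDX SBOM Generator script` would describe it more accurately (the script itself presumably puts mvn on PATH for the tool, but runs no goals). The builder's hunk starts before the lines shown here.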
--- /dev/null
+---
+features:
+ - |
+ Add new conditional builder step which calls a specific version
+ of SPDX SBOM generator which runs a scan to generate a software
+ bill of materials report in a specific repo.
--- /dev/null
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2022 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+echo "---> sbom-generator.sh"
+# This script downloads the specified version of SBOM generator and triggers a run.
+
+# stop on error or unbound variable
+set -eu
+
+# Add mvn executable into PATH
+export PATH=$PATH:${MVN::-4}
+SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
+echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
+URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
+spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
+# Exit if wget fails
+if ! wget -nv "${URL}" -O "${SBOM_LOCATION}"; then
+ echo "wget ${SBOM_GENERATOR_VERSION} failed"
+ exit 1;
+fi
+tar -xvf "${SBOM_LOCATION}"
+echo "INFO: running spdx-sbom-generator"
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+mv spdx-sbom-generator /tmp/
+rm /tmp/spdx*
+echo "---> sbom-generator.sh ends"
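Review bot: `./spdx-sbom-generator "${SBOM_FLAGS:-}" -o …` near the end passes the entire flag string as a single argument, and an empty-string argument when no flags are set, so the multi-option values the docs point users at cannot work as written; split the string with `read -ra` into an array as in the excerpt below. The tarball is fetched and executed with no integrity check, so pinning a per-version digest (the `SBOM_GENERATOR_SHA256` name in the excerpt is a constructed placeholder, not an existing parameter) and verifying it with `sha256sum -c` before `tar` keeps a substituted release from running on the build agent. The fixed `/tmp/spdx-sbom-generator-…tar.gz` path and the closing `rm /tmp/spdx*` glob can also collide with, and delete, another build's files on a shared agent; a `mktemp -d` scratch directory with an EXIT trap avoids both and makes the `mv spdx-sbom-generator /tmp/` step unnecessary. `SBOM_GENERATOR_VERSION` is a free-form job parameter that lands in the URL path and filename, so a cheap guard such as `[[ "${SBOM_GENERATOR_VERSION}" =~ ^v[0-9]+(\.[0-9]+)+$ ]] || exit 1` catches typos before the download. The script downloads from `github.com/spdx/spdx-sbom-generator` while the docs hunk links `github.com/opensbom-generator/spdx-sbom-generator`; presumably one is the renamed org, but it is worth confirming both resolve to the same releases.
```shell
# … unchanged: license header, echo banner, set -eu, PATH export …
# Private scratch dir: no collisions on a shared agent, removed on any exit.
tmpdir="$(mktemp -d)"
trap 'rm -rf "${tmpdir}"' EXIT
SBOM_LOCATION="${tmpdir}/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
# … unchanged: URL construction and wget with failure check …
# Verify the archive before extracting or executing anything from it.
# SBOM_GENERATOR_SHA256 is a constructed placeholder for a digest pinned alongside the version.
echo "${SBOM_GENERATOR_SHA256:?no digest pinned for ${SBOM_GENERATOR_VERSION}}  ${SBOM_LOCATION}" | sha256sum -c -
tar -xf "${SBOM_LOCATION}" -C "${tmpdir}"
# Split the flag string into separate arguments; an empty string yields no argument at all.
read -ra sbom_args <<< "${SBOM_FLAGS:-}"
echo "INFO: running spdx-sbom-generator"
"${tmpdir}/spdx-sbom-generator" ${sbom_args[@]+"${sbom_args[@]}"} -o "${WORKSPACE}/m2repo"
echo "---> sbom-generator.sh ends"
```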