--- /dev/null
+---
+prelude: >
+ The SBOM generator script creates an spdx file in the root level.
+ When the artifacts are staged the file gets overwritten.
+fixes:
+ - |
+ Create the spdx file as ${PROJECT}-sbom-${release_version}.spdx
+ and then copy the spdx file under the namespace ${group_id_path} dir.
echo "INFO: running spdx-sbom-generator"
cd ${SBOM_PATH}
./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
-mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
-cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}"
+
+# Maven artifacts
+if [[ "$JOB_NAME" =~ "maven" ]]; then
+ mvn_group_id=$("$MVN" help:evaluate -Dexpression=project.groupId -q -DforceStdout \
+ -s "$SETTINGS_FILE" -gs "$GLOBAL_SETTINGS_FILE")
+ group_id_path="${mvn_group_id//.//}"
+ release_version=$("$MVN" help:evaluate -Dexpression=project.version -q -DforceStdout \
+ -s "$SETTINGS_FILE" -gs "$GLOBAL_SETTINGS_FILE")
+
+ mv "${WORKSPACE}/archives/bom-Java-Maven.spdx" \
+ "${WORKSPACE}/archives/${PROJECT##*/}-sbom-${release_version}.spdx"
+ cp "${WORKSPACE}/archives/${PROJECT##*/}-sbom-${release_version}.spdx" \
+ "${WORKSPACE}/m2repo/${group_id_path}/${PROJECT##*/}-sbom-${release_version}.spdx"
+fi
+
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
echo "---> sbom-generator.sh ends"
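Review bot: `mvn_group_id` and `release_version` are taken from `mvn help:evaluate` output and used directly in the `mv`/`cp` paths inside the new `if` block with no validation. If Maven fails or prints something unexpected, an empty `group_id_path` puts the SBOM back at the top of `m2repo`, which is the overwrite this change is meant to avoid, and a POM version containing `/` would change the destination path. The `cp` also assumes `${WORKSPACE}/m2repo/${group_id_path}` already exists. Whether the script runs under `set -e` is not visible in this hunk, so I would fail explicitly on a bad value and create the directory before copying, as sketched below.

```shell
    # … unchanged: mvn_group_id, group_id_path and release_version assignments …
    if [[ ! "$mvn_group_id" =~ ^[A-Za-z0-9_.-]+$ ]] ||
        [[ ! "$release_version" =~ ^[A-Za-z0-9_.+-]+$ ]]; then
        echo "ERROR: unexpected groupId or version from mvn help:evaluate" >&2
        exit 1
    fi
    mkdir -p "${WORKSPACE}/m2repo/${group_id_path}"
    # … unchanged: mv and cp of the renamed spdx file …
```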