The SBOM report should be made available as part of the
build's artifacts as well as part of the staging package.
Copy the SBOM report to the m2repo so that it is signed by
SIGUL and packaged along with the staging artifacts.
Issue: RELENG-4356
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
Change-Id: I360bb4a26e7b70d9ec6ce8848ecc3365abb8b034
--- /dev/null
+---
+fixes:
+ - |
+ Copy SBOM report to the project's m2repo so that is signed by
+ SIGUL and pushed in the same staging package as the maven
+ artifacts.
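Review bot: the release note text under `fixes` is missing a word ("so that is signed by" should read "so that it is signed by"); since this entry is rendered verbatim for users, correct it here, e.g. `Copy SBOM report to the project's m2repo so that it is signed by`.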
cd ${SBOM_PATH}
./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
+cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}"
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
echo "---> sbom-generator.sh ends"
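Review bot: the added `cp` into `"${WORKSPACE}"/m2repo/` assumes that directory already exists when sbom-generator.sh runs; nothing in the visible lines creates it, so if m2repo has not been populated yet the copy fails and, if the script runs under `set -e`, the cleanup `mv`/`rm` lines never execute. Suggest a `mkdir -p "${WORKSPACE}"/m2repo` before the copy (or performing the copy where the m2repo is assembled), and confirm that the SIGUL signing step picks up the file as named, since the line above renames it to `sbom-${JOB_BASE_NAME}` with no `.spdx` suffix.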