Update SBOM generator script 87/70387/1 v0.79.0
authorJessica Wagantall <jwagantall@linuxfoundation.org>
Tue, 12 Jul 2022 22:32:09 +0000 (15:32 -0700)
committerJessica Wagantall <jwagantall@linuxfoundation.org>
Wed, 13 Jul 2022 00:41:08 +0000 (17:41 -0700)
- Allow the usage of a maven settings file to resolve transitive
  dependencies
- Update sbom file name to reflect more information

Issue: RELENG-4300
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
Change-Id: Ibc5f636a946879282b594c3975a1ca53bc159f6a

jjb/lf-maven-jobs.yaml
releasenotes/notes/sbom-global-settings-maven-1ab2832e84163567.yaml [new file with mode: 0644]
shell/sbom-generator.sh

index d8a1b5e..5dbeef2 100644 (file)
     sbom-flags: ""
     sbom-path: "$WORKSPACE"
     sbom-generator: false
-    sbom-generator-version: "v0.0.10"
+    sbom-generator-version: "v0.0.15"
     sign-artifacts: false
     sign-mode: serial
     stream: master
diff --git a/releasenotes/notes/sbom-global-settings-maven-1ab2832e84163567.yaml b/releasenotes/notes/sbom-global-settings-maven-1ab2832e84163567.yaml
new file mode 100644 (file)
index 0000000..b9a9354
--- /dev/null
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Update to the latest version of SBOM (v0.0.15) that allows the usage of
+    a custom maven settings file to resolve transitive dependencies.
+    Update thebom-generator script to pass the project's global settings file
+    and update the sbom file name so is better identifiable.
index 8b1fd35..9b77dcc 100644 (file)
@@ -15,7 +15,7 @@ echo "---> sbom-generator.sh"
 set -eu
 
 # Add mvn executable into PATH
-export PATH=$PATH:${MVN::-4}
+export PATH=${MVN::-4}:$PATH
 SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
 echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
 URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
@@ -31,7 +31,8 @@ fi
 tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
 echo "INFO: running spdx-sbom-generator"
 cd ${SBOM_PATH}
-./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
+mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
 mv spdx-sbom-generator /tmp/
 rm /tmp/spdx*
 echo "---> sbom-generator.sh ends"
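Review bot: The new `mv` line hard-codes the generator's output name `bom-Java-Maven.spdx` and drops the `.spdx` extension from the archived artifact, so downstream consumers can no longer tell the file's format from its name; keep the extension: `mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}".spdx`. Because the script runs under `set -eu` (visible in the previous hunk), a generator run that emits a differently named file, or nothing at all, aborts the job with only mv's own message; a preceding `[ -f "${WORKSPACE}"/archives/bom-Java-Maven.spdx ] || { echo "ERROR: spdx-sbom-generator produced no SBOM" >&2; exit 1; }` would make that failure self-explanatory. The added `-g "$GLOBAL_SETTINGS_FILE"` is an unguarded expansion, so under `set -u` the script dies with an unbound-variable error when the job does not define it; if that is intended, say so with a comment such as `# GLOBAL_SETTINGS_FILE is required: the generator uses it to resolve transitive dependencies`. The rewritten invocation also still passes `"${SBOM_FLAGS:-}"` as a single quoted word, so the empty default reaches the generator as an empty-string argument and several flags would arrive as one argument — presumably pre-existing, but worth fixing while the line is being touched.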