--- /dev/null
+---
+fixes:
+ - |
+ Update to the latest version of SBOM (v0.0.15) that allows the usage of
+ a custom maven settings file to resolve transitive dependencies.
+ Update thebom-generator script to pass the project's global settings file
+ and update the sbom file name so is better identifiable.
set -eu
# Add mvn executable into PATH
-export PATH=$PATH:${MVN::-4}
+export PATH=${MVN::-4}:$PATH
SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
echo "INFO: running spdx-sbom-generator"
cd ${SBOM_PATH}
-./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
+mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
echo "---> sbom-generator.sh ends"