(default: false)
:sbom-generator-version: SBOM generator version to download and run if using sbom-generator.
(default: v0.0.10)
+ :sbom-path: Path where SBOM is going to be executed from.
+ (default: $WORKSPACE)
:sign-artifacts: Sign artifacts with Sigul. (default: false)
:stream: Keyword that represents a release code-name.
Often the same as the branch. (default: master)
ossrh-profile-id: ""
mvn-pom: ""
sbom-flags: ""
+ sbom-path: "$WORKSPACE"
sbom-generator: false
sbom-generator-version: "v0.0.10"
sign-artifacts: false
name: SBOM_GENERATOR_VERSION
default: "{sbom-generator-version}"
description: SBOM generator version to download and run.
+ - string:
+ name: SBOM_PATH
+ default: "{sbom-path}"
+ description: path where SBOM needs to be executed.
builders:
- lf-infra-pre-build
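Review bot: The new `SBOM_PATH` description, `path where SBOM needs to be executed.`, does not say that the value is the directory the generator tarball is extracted into and then run from, which is what the release note and the script change in this commit describe. Something like `description: Directory (default $WORKSPACE) where spdx-sbom-generator is extracted and run.` would make that clear to whoever starts a parameterized build. Because this is a free-form string parameter that ends up in shell commands, the description should also state that it must name an existing directory. The parameter list starts outside this hunk, so I cannot tell whether the sibling parameters follow a different wording convention.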
--- /dev/null
+---
+fixes:
+ - |
+ SBOM's path flag does not work as expected. We need to introduce a new
+ flag called SBOM_PATH to isolate the path where SBOM is going to be
+ extracted to and executed from. By default this is set to $WORKSPACE but
+ some projects need to execute the sbom from a different location in their
+ code. See https://github.com/opensbom-generator/spdx-sbom-generator/issues/227
echo "wget ${SBOM_GENERATOR_VERSION} failed"
exit 1;
fi
-tar -xvf "${SBOM_LOCATION}"
+# Extract SBOM bin in SBOM_PATH
+# This is a workaround until the --path flag works
+# https://github.com/opensbom-generator/spdx-sbom-generator/issues/227
+tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
echo "INFO: running spdx-sbom-generator"
+cd ${SBOM_PATH}
./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
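Review bot: `${SBOM_PATH}` is expanded unquoted in both added commands (`tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}` and `cd ${SBOM_PATH}`), so a value containing spaces or glob characters is word-split before tar and cd see it, unlike every other expansion in this hunk. The value comes from a job string parameter, so quote it and stop on failure: `tar -xzf "${SBOM_LOCATION}" -C "${SBOM_PATH}"` and `cd "${SBOM_PATH}" || exit 1`. Unless the script runs under `set -e` (not visible here), a failed `cd` currently lets `./spdx-sbom-generator` and the following `mv` run from whatever directory the script was already in. The archive is now unpacked into a directory that may be the project's source tree, and the download step is outside this hunk, so it is worth confirming that the tarball is checked against a known checksum before extraction. The script continues above this hunk and possibly below it.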