From: Jessica Wagantall Date: Mon, 8 Aug 2022 19:28:32 +0000 (-0700) Subject: Add SBOM report to staging package X-Git-Tag: v0.79.3^0 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=a09b8bab2c37f67f0f5e9ef36f9e93b330fdd571;p=releng%2Fglobal-jjb.git Add SBOM report to staging package The SBOM report should be made available as part of the build's artifacts as well as part of the staging package. Copy the SBOM report to the m2repo so that is signed by SIGUL and packaged along with the staging artifacts. Issue: RELENG-4356 Signed-off-by: Jessica Wagantall Change-Id: I360bb4a26e7b70d9ec6ce8848ecc3365abb8b034 --- diff --git a/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml b/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml new file mode 100644 index 00000000..02ae4588 --- /dev/null +++ b/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Copy SBOM report to the project's m2repo so that is signed by + SIGUL and pushed in the same staging package as the maven + artifacts. diff --git a/shell/sbom-generator.sh b/shell/sbom-generator.sh index 9b77dcca..913a6391 100644 --- a/shell/sbom-generator.sh +++ b/shell/sbom-generator.sh @@ -33,6 +33,7 @@ echo "INFO: running spdx-sbom-generator" cd ${SBOM_PATH} ./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" +cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}" mv spdx-sbom-generator /tmp/ rm /tmp/spdx* echo "---> sbom-generator.sh ends"
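Review bot: In releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml, the note text "so that is signed by SIGUL" is missing its subject and should read "so that it is signed by SIGUL". The note also does not name the file that lands in the staging package. Mentioning that it appears in m2repo as sbom-<JOB_BASE_NAME>, with no .spdx extension, would tell consumers of the staging repo what to look for and which artifact the signature covers.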
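Review bot: In shell/sbom-generator.sh, the added cp line writes into "${WORKSPACE}"/m2repo without anything in the visible lines checking that the directory exists. If m2repo is absent when this script runs, cp fails, and depending on shell options not shown in this hunk the job either aborts or carries on and stages a package with no SBOM in it, so the report silently goes unsigned. Suggest guarding the copy, for example with mkdir -p "${WORKSPACE}"/m2repo before it, or an explicit test that prints an ERROR line and exits non-zero. A second, smaller point on the same line: the destination name sbom-"${JOB_BASE_NAME}" carries no extension, so the signed file in the staging repo cannot be identified as SPDX by name. Consider keeping a .spdx suffix on the m2repo copy.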