From dad87a2bfb60d4b90b7c224a7db589e67fa6df76 Mon Sep 17 00:00:00 2001
From: Jessica Wagantall
Date: Tue, 12 Jul 2022 15:32:09 -0700
Subject: [PATCH] Update SBOM generator script

- Allow the usage of a maven settings file to resolve transitive dependencies
- Update sbom file name to reflect more information

Issue: RELENG-4300
Signed-off-by: Jessica Wagantall
Change-Id: Ibc5f636a946879282b594c3975a1ca53bc159f6a
---
 jjb/lf-maven-jobs.yaml | 2 +-
 .../notes/sbom-global-settings-maven-1ab2832e84163567.yaml | 7 +++++++
 shell/sbom-generator.sh | 5 +++--
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/sbom-global-settings-maven-1ab2832e84163567.yaml

diff --git a/jjb/lf-maven-jobs.yaml b/jjb/lf-maven-jobs.yaml
index d8a1b5e3..5dbeef2d 100644
--- a/jjb/lf-maven-jobs.yaml
+++ b/jjb/lf-maven-jobs.yaml
@@ -849,7 +849,7 @@
 sbom-flags: ""
 sbom-path: "$WORKSPACE"
 sbom-generator: false
-sbom-generator-version: "v0.0.10"
+sbom-generator-version: "v0.0.15"
 sign-artifacts: false
 sign-mode: serial
 stream: master
diff --git a/releasenotes/notes/sbom-global-settings-maven-1ab2832e84163567.yaml b/releasenotes/notes/sbom-global-settings-maven-1ab2832e84163567.yaml
new file mode 100644
index 00000000..b9a93541
--- /dev/null
+++ b/releasenotes/notes/sbom-global-settings-maven-1ab2832e84163567.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Update to the latest version of SBOM (v0.0.15) that allows the usage of
+ a custom maven settings file to resolve transitive dependencies.
+ Update thebom-generator script to pass the project's global settings file
+ and update the sbom file name so is better identifiable.
diff --git a/shell/sbom-generator.sh b/shell/sbom-generator.sh
index 8b1fd357..9b77dcca 100644
--- a/shell/sbom-generator.sh
+++ b/shell/sbom-generator.sh
@@ -15,7 +15,7 @@ echo "---> sbom-generator.sh"
 set -eu
 # Add mvn executable into PATH
-export PATH=$PATH:${MVN::-4}
+export PATH=${MVN::-4}:$PATH
 SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
 echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
 URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
@@ -31,7 +31,8 @@ fi
 tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
 echo "INFO: running spdx-sbom-generator"
 cd ${SBOM_PATH}
-./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
+mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
 mv spdx-sbom-generator /tmp/
 rm /tmp/spdx*
 echo "---> sbom-generator.sh ends"
-- 
2.16.6
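Review bot: With the `+export` line the directory derived from `${MVN::-4}` now shadows every same-named binary on the agent's `PATH` for the rest of the script (presumably including the `mvn` that spdx-sbom-generator invokes), and the `::-4` expansion still assumes `$MVN` is a path ending in `/mvn` — a shorter or differently named value gives a bash substring error or a wrong directory with nothing in the script catching it. `export PATH="$(dirname "$MVN"):$PATH"` states the intent and is correct for any path, and the comment above it could record why prepending is wanted, e.g. `# Prepend so the job's configured mvn is found before any system mvn`. Where `$MVN` is set is outside this hunk, so I cannot tell whether its shape is already guaranteed by the caller.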
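Review bot: The added `mv` line renames the generator's output to `sbom-"${JOB_BASE_NAME}"` with no extension, so the archived artifact no longer says what format it is, and it hard-codes the `bom-Java-Maven.spdx` name that the pinned v0.0.15 release happens to write — with a different generator version or output name the `mv` fails under `set -eu` after the generator has already succeeded. Keeping the suffix, `mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}".spdx`, with a comment such as `# spdx-sbom-generator v0.0.15 writes bom-Java-Maven.spdx; rename it so the archived file names the job`, would record that assumption. On the invocation line `"${SBOM_FLAGS:-}"` is still passed as one quoted word, so an unset value becomes an empty argument and several flags become a single one; a deliberately split expansion or an array, with a comment, would match what the `sbom-flags: ""` default in lf-maven-jobs.yaml appears to intend. `-g "$GLOBAL_SETTINGS_FILE"` makes that variable mandatory for every job that enables the generator, and a `: "${GLOBAL_SETTINGS_FILE:?path to the maven global settings file}"` guard would give a readable failure instead of bash's terse unbound-variable abort — where the file is provided is not visible from this hunk. The binary executed here comes from a tarball downloaded and kept under /tmp in code outside the hunk, so whether its integrity is checked before it runs is not something this change shows.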