From a09b8bab2c37f67f0f5e9ef36f9e93b330fdd571 Mon Sep 17 00:00:00 2001
From: Jessica Wagantall
Date: Mon, 8 Aug 2022 12:28:32 -0700
Subject: [PATCH] Add SBOM report to staging package

The SBOM report should be made available as part of the build's artifacts as well as part of the staging package. Copy the SBOM report to the m2repo so that is signed by SIGUL and packaged along with the staging artifacts.

Issue: RELENG-4356
Signed-off-by: Jessica Wagantall
Change-Id: I360bb4a26e7b70d9ec6ce8848ecc3365abb8b034
---
 releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml | 6 ++++++
 shell/sbom-generator.sh | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml

diff --git a/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml b/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml
new file mode 100644
index 00000000..02ae4588
--- /dev/null
+++ b/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Copy SBOM report to the project's m2repo so that is signed by
+ SIGUL and pushed in the same staging package as the maven
+ artifacts.
diff --git a/shell/sbom-generator.sh b/shell/sbom-generator.sh
index 9b77dcca..913a6391 100644
--- a/shell/sbom-generator.sh
+++ b/shell/sbom-generator.sh
@@ -33,6 +33,7 @@ echo "INFO: running spdx-sbom-generator"
 cd ${SBOM_PATH}
 ./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
 mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
+cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}"
 mv spdx-sbom-generator /tmp/
 rm /tmp/spdx*
 echo "---> sbom-generator.sh ends"
-- 
2.16.6
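Review bot: The added `cp` into `"${WORKSPACE}"/m2repo/` assumes that directory already exists; if an earlier stage of the job has not created it, the copy fails, and unless the script runs under `set -e` (its header is outside this hunk, so I cannot tell) the failure is ignored and the staging package is signed and pushed without the SBOM, which defeats the purpose of the change. Create the target and fail loudly so a missing SBOM cannot slip through: `mkdir -p "${WORKSPACE}"/m2repo` before the copy, and `cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}" || { echo "ERROR: failed to copy SBOM into m2repo" >&2; exit 1; }`. The unquoted `cd ${SBOM_PATH}` context line is pre-existing but would also break on a path containing spaces; quoting it while here is cheap.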