Add SBOM report to staging package 64/70464/2 v0.79.3
author Jessica Wagantall <jwagantall@linuxfoundation.org>
Mon, 8 Aug 2022 19:28:32 +0000 (12:28 -0700)
committer Jessica Wagantall <jwagantall@linuxfoundation.org>
Mon, 8 Aug 2022 21:41:42 +0000 (14:41 -0700)
The SBOM report should be made available as part of the
build's artifacts as well as part of the staging package.

Copy the SBOM report to the m2repo so that it is signed by
SIGUL and packaged along with the staging artifacts.

Issue: RELENG-4356
Signed-off-by: Jessica Wagantall <jwagantall@linuxfoundation.org>
Change-Id: I360bb4a26e7b70d9ec6ce8848ecc3365abb8b034

releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml [new file with mode: 0644]
shell/sbom-generator.sh

diff --git a/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml b/releasenotes/notes/sbom-copy-m2repo-afb1452eca4efcc2.yaml
new file mode 100644 (file)
index 0000000..02ae458
--- /dev/null
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Copy SBOM report to the project's m2repo so that is signed by
+    SIGUL and pushed in the same staging package as the maven
+    artifacts.
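Review bot: the release note sentence "Copy SBOM report to the project's m2repo so that is signed by" is missing a word and should read "so that it is signed by". Because this text is published to users, it would also help to name the file that lands in m2repo (sbom-${JOB_BASE_NAME}, per the script change in this commit) so consumers of the staging package know which artifact carries the SBOM.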
index 9b77dcc..913a639 100644 (file)
@@ -33,6 +33,7 @@ echo "INFO: running spdx-sbom-generator"
 cd ${SBOM_PATH}
 ./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
 mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
+cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}"
 mv spdx-sbom-generator /tmp/
 rm /tmp/spdx*
 echo "---> sbom-generator.sh ends"
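Review bot: the added cp line writes to "${WORKSPACE}"/m2repo/ without checking that the directory exists, and nothing in this hunk shows the script stopping when a command fails. If the copy fails, the job can still reach "---> sbom-generator.sh ends" and the staging package would be signed and pushed without the SBOM, which defeats the purpose of the change. Suggest testing for the directory before the copy (or checking the exit status of cp) and exiting non-zero with an ERROR message. Separately, the context line cd ${SBOM_PATH} is unquoted while every other expansion in the hunk is quoted; quoting it would keep the script consistent and safe for paths containing spaces.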