From 3c627ccf046b02f12767aa45d9ac4bf515352f2f Mon Sep 17 00:00:00 2001
From: Anil Belur
Date: Thu, 27 Oct 2022 09:34:26 +1000
Subject: [PATCH] Fix: Copy the spdx file in root of the $project
The SBOM generator script creates an spdx file in the root level. When the artifacts are pushed the spdx file gets overwritten. Create the spdx file as ${PROJECT}-sbom-${release_version}.spdx and then copy the spdx file under the namespace ${group_id_path} dir.
Change-Id: Ia8bd06ac160e30886c7133aef8f0c82e5aded3dd
Signed-off-by: Anil Belur
---
 .../notes/fix-sbom-file-creation-12eb6bc1d0cdaf36.yaml | 8 ++++++++
 shell/sbom-generator.sh | 17 +++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/fix-sbom-file-creation-12eb6bc1d0cdaf36.yaml
diff --git a/releasenotes/notes/fix-sbom-file-creation-12eb6bc1d0cdaf36.yaml b/releasenotes/notes/fix-sbom-file-creation-12eb6bc1d0cdaf36.yaml
new file mode 100644
index 00000000..650d8a6e
--- /dev/null
+++ b/releasenotes/notes/fix-sbom-file-creation-12eb6bc1d0cdaf36.yaml
@@ -0,0 +1,8 @@
+---
+prelude: >
+ The SBOM generator script creates an spdx file in the root level.
+ When the artifacts are staged the file gets overwritten.
+fixes:
+ - |
+ Create the spdx file as ${PROJECT}-sbom-${release_version}.spdx
+ and then copy the spdx file under the namespace ${group_id_path} dir.
diff --git a/shell/sbom-generator.sh b/shell/sbom-generator.sh
index 913a6391..c63efd68 100644
--- a/shell/sbom-generator.sh
+++ b/shell/sbom-generator.sh
@@ -32,8 +32,21 @@ tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
 echo "INFO: running spdx-sbom-generator"
 cd ${SBOM_PATH}
 ./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
-mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
-cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}"
+
+# Maven artifacts
+if [[ "$JOB_NAME" =~ "maven" ]]; then
+ mvn_group_id=$("$MVN" help:evaluate -Dexpression=project.groupId -q -DforceStdout \
+ -s "$SETTINGS_FILE" -gs "$GLOBAL_SETTINGS_FILE")
+ group_id_path="${mvn_group_id//.//}"
+ release_version=$("$MVN" help:evaluate -Dexpression=project.version -q -DforceStdout \
+ -s "$SETTINGS_FILE" -gs "$GLOBAL_SETTINGS_FILE")
+
+ mv "${WORKSPACE}/archives/bom-Java-Maven.spdx" \
+ "${WORKSPACE}/archives/${PROJECT##*/}-sbom-${release_version}.spdx"
+ cp "${WORKSPACE}/archives/${PROJECT##*/}-sbom-${release_version}.spdx" \
+ "${WORKSPACE}/m2repo/${group_id_path}/${PROJECT##*/}-sbom-${release_version}.spdx"
+fi
+
 mv spdx-sbom-generator /tmp/
 rm /tmp/spdx*
 echo "---> sbom-generator.sh ends"
--
2.16.6
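Review bot: The two `help:evaluate` results are used unchecked to build the SBOM file name and the `m2repo` destination path, so an empty `mvn_group_id` or `release_version` silently yields `m2repo//-sbom-.spdx`-style paths (or, if the script runs under `set -e`, an abort with no indication of which lookup failed); note also that the script has just done `cd ${SBOM_PATH}`, so `mvn` evaluates whatever pom happens to be in that directory rather than in the project checkout unless SBOM_PATH is the checkout itself. Add a guard before the `mv`: `[[ -n "$mvn_group_id" && -n "$release_version" ]] || { echo "ERROR: mvn help:evaluate returned empty groupId/version" >&2; exit 1; }` and `[[ -d "${WORKSPACE}/m2repo/${group_id_path}" ]] || { echo "ERROR: staging dir ${group_id_path} missing in m2repo" >&2; exit 1; }`, so a bad lookup is reported instead of producing a mis-staged artifact. As a point of style, `[[ "$JOB_NAME" =~ "maven" ]]` with a quoted pattern is a plain substring test; `[[ "$JOB_NAME" == *maven* ]]` says that directly. The `if` also drops the previous unconditional copy, so non-Maven jobs now leave `bom-Java-Maven.spdx` untouched in `archives` — presumably intended given the generator's output name, but worth a one-line comment.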