TECH-1662: Add cyclonedx plugins for SBOM creation

bpapez · bpapez · commit 41ca70037d1b · 2024-03-04T11:14:35.000+01:00
diff --git a/.github/workflows/on-merge.yml b/.github/workflows/on-merge.yml
@@ -43,18 +43,18 @@ jobs:
           nexus_username: ${{ secrets.NEXUS_USERNAME }}
           nexus_password: ${{ secrets.NEXUS_PASSWORD }}
 
-#  sbom:
-#    name: SBOM processing
-#    needs: build
-#    runs-on: ubuntu-latest
-#    container:
-#      image: cyclonedx/cyclonedx-cli:0.24.2
-#    steps:
-#      - uses: jahia/jahia-modules-action/sbom-processing@v2
-#        with:
-#          dependencytrack_hostname: ${{ vars.DEPENDENCYTRACK_HOSTNAME }}
-#          dependencytrack_apikey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
-#          sbom_artifacts: 'build-artifacts'
+  sbom:
+    name: SBOM processing
+    needs: build
+    runs-on: ubuntu-latest
+    container:
+      image: cyclonedx/cyclonedx-cli:0.24.2   
+    steps:
+      - uses: jahia/jahia-modules-action/sbom-processing@v2
+        with:
+          dependencytrack_hostname: ${{ vars.DEPENDENCYTRACK_HOSTNAME }}
+          dependencytrack_apikey: ${{ secrets.DEPENDENCYTRACK_APIKEY }}
+          sbom_artifacts: 'build-artifacts'
 
   integration-tests:
     name: Integration Tests
diff --git a/.github/workflows/schedule-sonar.yml b/.github/workflows/schedule-sonar.yml
@@ -40,4 +40,5 @@ jobs:
           github_pr_id: ${{github.event.number}}
           sonar_url: ${{ secrets.SONAR_URL }}
           sonar_token: ${{ secrets.SONAR_TOKEN }}
+          nvd_apikey: ${{ secrets.NVD_APIKEY }}
           mvn_settings_filepath: '.github/maven.settings.xml'
diff --git a/pom.xml b/pom.xml
@@ -110,6 +110,33 @@
                     </instructions>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <version>2.7.11</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>makeAggregateBom</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <projectType>library</projectType>
+                    <schemaVersion>1.4</schemaVersion>
+                    <includeBomSerialNumber>true</includeBomSerialNumber>
+                    <includeCompileScope>true</includeCompileScope>
+                    <includeProvidedScope>false</includeProvidedScope>
+                    <includeRuntimeScope>true</includeRuntimeScope>
+                    <includeSystemScope>false</includeSystemScope>
+                    <includeTestScope>false</includeTestScope>
+                    <includeLicenseText>false</includeLicenseText>
+                    <outputReactorProjects>true</outputReactorProjects>
+                    <outputFormat>json</outputFormat>
+                    <outputName>java-bom.cdx</outputName>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 </project>
