Push SBOM to Maven central when releasing #6154

LogFlames · 2025-01-24T20:10:42Z

See #5255 , push sbom (cyclonedx) to maven central when releasing.

Added cyclonedx-maven-plugin to pom.xml and spoon-javadoc/pom.xml. spoon-pom is actively updated on maven-central as well but from my understanding.

Since JReleaser version 1.6.0 it has support for additional artifacts in Maven deployers (jreleaser/jreleaser#1135 ). The version in nixpkgs unstable (used in spoon) is 1.16.0 - meaning the sbom will be included in CI as well.

I then confirmed the sboms will be included in the upload by running the chore/release.sh patch script locally, modified to use jreleaser full-release --dry-run and not push anything to github. The output of that command can be seen below:

Output of `jreleaser full-release --dry-run`

::group::Releasing
[INFO]  JReleaser 1.16.0
[INFO]  Configuring with jreleaser.yml
[INFO]    - basedir set to /Users/elias/code/kth/CHAINS/spoon
[INFO]    - outputdir set to /Users/elias/code/kth/CHAINS/spoon/out/jreleaser
[INFO]  Reading configuration
🚨 project.java is deprecated since 1.16.0 and will be removed in 2.0.0. Use project.languages.java instead
[INFO]  git-root-search set to false
[INFO]  Loading variables from /Users/elias/.jreleaser/config.properties
[INFO]  Validating configuration
[INFO]  Strict mode set to false
[INFO]  Project version set to 11.2.1
[INFO]  Release is not snapshot
[INFO]  Timestamp is 2025-01-24T20:39:03.635015+01:00
[INFO]  HEAD is at fd3a4eb
[INFO]  Platform is osx-aarch_64
[INFO]  dry-run set to true
[INFO]  Generating changelog
[INFO]  Storing changelog: out/jreleaser/release/CHANGELOG.md
[INFO]  Calculating checksums for distributions and files
[INFO]    [checksum] No files configured for checksum. Skipping
[INFO]  Cataloging artifacts
[INFO]    Cataloging is not enabled. Skipping
[INFO]  Signing distributions and files
[INFO]    [sign] No files configured for signing. Skipping
[INFO]  Deploying Maven artifacts
[INFO]    [maven] Deploying all staged artifacts
[INFO]      [nexus2] Deploying to maven-central
[INFO]      [nexus2] nexus2 set to FULL_DEPLOYMENT
[INFO]      [nexus2] Verifying prerequisites
[INFO]      [nexus2] Verifying POMs
[INFO]      [nexus2] Signing key 381686F1082D983F expires at 2025-01-29T12:17:40
[INFO]      [nexus2] Checking if key 381686F1082D983F has been published
[WARN]      [nexus2] Key 381686F1082D983F was NOT found as published
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom
[INFO]      [sign] target/staging-deploy/fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom
[INFO]      [nexus2] Lookup staging profile for fr.inria.gforge
[WARN]      [nexus2] Could not find a staging profile matching fr.inria.gforge
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.json.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-cyclonedx.xml.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-jar-with-dependencies.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-javadoc.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1-sources.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-core/11.2.1/spoon-core-11.2.1.pom.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.json.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-cyclonedx.xml.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-javadoc.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1-sources.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.jar.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-javadoc/11.2.1/spoon-javadoc-11.2.1.pom.sha512
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.asc
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.md5
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.sha1
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.sha256
[INFO]      [nexus2]  - fr/inria/gforge/spoon/spoon-pom/11.2.1/spoon-pom-11.2.1.pom.sha512
[INFO]  Uploading distributions and files
[INFO]    [upload] Uploading is not enabled. Skipping
[INFO]  Releasing to https://github.com/INRIA/spoon@release/11.2.1
[INFO]  Announcing release
[INFO]    [announce] Announcing is not enabled. Skipping
[INFO]  Writing output properties to out/jreleaser/output.properties
[INFO]  JReleaser succeeded after 15.966 s
::endgroup::

algomaster99 · 2025-01-26T08:55:58Z

pom.xml

+      <plugin>
+        <groupId>org.cyclonedx</groupId>
+        <artifactId>cyclonedx-maven-plugin</artifactId>
+        <version>2.9.1</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>makeAggregateBom</goal>
+            </goals>
+            <phase>package</phase>
+          </execution>
+        </executions>
+      </plugin>


Do we require it here as well? Spoon-core inherits spoon-pom.

Suggested change

<plugin>

<groupId>org.cyclonedx</groupId>

<artifactId>cyclonedx-maven-plugin</artifactId>

<version>2.9.1</version>

<executions>

<execution>

<goals>

<goal>makeAggregateBom</goal>

</goals>

<phase>package</phase>

</execution>

</executions>

</plugin>

Add cyclonedx plugin to generate sboms for release

d8a6bdb

algomaster99 reviewed Jan 26, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Push SBOM to Maven central when releasing #6154

Push SBOM to Maven central when releasing #6154

LogFlames commented Jan 24, 2025

algomaster99 Jan 26, 2025

Push SBOM to Maven central when releasing #6154

Are you sure you want to change the base?

Push SBOM to Maven central when releasing #6154

Conversation

LogFlames commented Jan 24, 2025

algomaster99 Jan 26, 2025

Choose a reason for hiding this comment