
Commit c843512

Integrate CycloneDX SBOM API into build.sh (#2869)
* Integrate CycloneDX API into build.sh to generate SBOM Signed-off-by: Andrew Leonard <[email protected]> * Integrate CycloneDX SBOM API into build.sh Signed-off-by: Andrew Leonard <[email protected]>
1 parent cc74947 commit c843512


3 files changed

+167
-13
lines changed


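--- a/cyclonedx-lib/build.xml
+++ b/cyclonedx-lib/build.xml
@@ -111,8 +111,9 @@
 </jar>
 </target>
 
-<target name="run">
+<target name="run">
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--createNewSBOM"/>
 <arg value="--name"/>
 <arg value="Temurin"/>
@@ -123,13 +124,15 @@
 </java>
 
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponent"/>
 <arg value="--compName"/>
 <arg value="JDK-info"/>
 <arg value="--jsonFile"/>
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="JDK-info"/>
@@ -141,6 +144,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="JDK-info"/>
@@ -152,6 +156,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="JDK-info"/>
@@ -163,6 +168,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="JDK-info"/>
@@ -174,13 +180,15 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponent"/>
 <arg value="--compName"/>
 <arg value="Temurin Build"/>
 <arg value="--jsonFile"/>
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="Temurin Build"/>
@@ -192,6 +200,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="Temurin Build"/>
@@ -203,6 +212,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponent"/>
 <arg value="--compName"/>
 <arg value="make-arguments"/>
@@ -212,6 +222,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="make-arguments"/>
@@ -223,6 +234,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="make-arguments"/>
@@ -234,6 +246,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponent"/>
 <arg value="--compName"/>
 <arg value="configure_arguments"/>
@@ -243,6 +256,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="configure_arguments"/>
@@ -254,13 +268,15 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponent"/>
 <arg value="--compName"/>
 <arg value="Temurin build scripts/source"/>
 <arg value="--jsonFile"/>
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="Temurin build scripts/source"/>
@@ -272,6 +288,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="Temurin build scripts/source"/>
@@ -283,6 +300,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponent"/>
 <arg value="--compName"/>
 <arg value="docker container built"/>
@@ -292,6 +310,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="docker container built"/>
@@ -303,13 +322,15 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponent"/>
 <arg value="--compName"/>
 <arg value="Built binary java-version string"/>
 <arg value="--jsonFile"/>
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addComponentProp"/>
 <arg value="--compName"/>
 <arg value="Built binary java-version string"/>
@@ -321,6 +342,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addExternalReference"/>
 <arg value="--url"/>
 <arg value="https://github.com/adoptium/jdk17/commit/a5afad28437"/>
@@ -332,6 +354,7 @@
 <arg value="testSBOM.json"/>
 </java>
 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addExternalReference"/>
 <arg value="--url"/>
 <arg value="https://ftp.osuosl.org/pub/blfs/conglomeration/alsa-lib/alsa-lib-1.1.6.tar.bz2"/>
@@ -342,7 +365,8 @@
 <arg value="--jsonFile"/>
 <arg value="testSBOM.json"/>
 </java>
-<java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+<arg value="--verbose"/>
 <arg value="--addMetadata"/>
 <arg value="--metadataName"/>
 <arg value="Eclipse Adoptium"/>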
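Review bot: `<arg value="--verbose"/>` is pasted by hand into each of the 24 `<java>` tasks this section touches in the `run` target, so a task added later without it will quietly stop printing its SBOM. Defining the invocation once, for example a `<presetdef>` that carries the shared `classpath`, `classname` and the `--verbose` argument, would keep the flag in one place. Not introduced by this change but visible on the same lines: none of these `<java>` tasks sets `failonerror="true"`, and Ant's default is to continue after a non-zero exit, so a failing SBOM step would not fail `run`. The target opens in the first hunk and closes outside the visible hunks.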

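--- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
+++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
@@ -35,6 +35,8 @@
 */
 public final class TemurinGenSBOM {
 
+private static boolean verbose = false;
+
 private TemurinGenSBOM() {
 }
 /**
@@ -87,6 +89,8 @@ public static void main(final String[] args) {
 cmd = "addExternalReference";
 } else if (args[i].equals("--addComponentExtRef")) {
 cmd = "addComponentExternalReference";
+} else if (args[i].equals("--verbose")) {
+verbose = true;
 }
 }
 switch (cmd) {
@@ -221,7 +225,11 @@ static String generateBomJson(final Bom bom) {
 static void writeJSONfile(final Bom bom, final String fileName) { // Creates testJson.json file
 FileWriter file;
 String json = generateBomJson(bom);
-System.out.println("SBOM: " + json);
+
+if (verbose) {
+System.out.println("SBOM: " + json);
+}
+
 try {
 file = new FileWriter(fileName);
 file.write(json);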

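--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -668,12 +668,131 @@ generateSBoM() {
 classpath="${classpath//jar:/jar;}"
 fi
 
-# Run app to generate SBoM
+# Run a series of SBOM API commands to generate the required SBOM
+local sbomJson="${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/sbom.json"
+# Clean any old json
+rm -f $sbomJson
 
-# Examples..
-"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --create temurin_sbom.json --name "Temurin SBOM" --version "1.2.3" --type "application" --author "Adoptium"
-"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --add_component temurin_sbom.json --name "openjdk" --version "1.0.0" --hash "abcdefg123456"
-"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --add_dependency temurin_sbom.json --name "gcc" --version "8.5.0"
+JAVA_LOC="$PRODUCT_HOME/bin/java"
+local fullVer=$($JAVA_LOC -XshowSettings:properties -version 2>&1 | grep 'java.runtime.version' | sed 's/^.*= //' | tr -d '\r')
+local fullVerOutput=$($JAVA_LOC -version 2>&1)
+
+# Create initial SBOM json
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --createNewSBOM --jsonFile "$sbomJson" --name "${BUILD_CONFIG[BUILD_VARIANT]^}" --version "$fullVer"
+
+# Add Metadata object
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadata --jsonFile "$sbomJson" --name "${BUILD_CONFIG[BUILD_VARIANT]^}"
+
+# Add JDK Component
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponent --jsonFile "$sbomJson" --compName "JDK" --description "${BUILD_CONFIG[BUILD_VARIANT]^} JDK Component"
+
+# Add scmRef JDK Component Property
+addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "JDK" "scmRef" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt"
+
+# Add OpenJDK source ref commit JDK Component Property
+addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "JDK" "openjdkSourceCommit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt"
+
+# Add buildRef JDK Component Property
+addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "JDK" "buildRef" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt"
+
+# Add builtConfig JDK Component Property
+addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "JDK" "builtConfig" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/built_config.cfg"
+
+# Add full_version_output JDK Component Property
+addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "JDK" "full_version_output" "${fullVerOutput}"
+
+# Add makejdk_any_platform_args JDK Component Property
+addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "JDK" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args"
+
+# Add make_command_args JDK Component Property
+addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "JDK" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt"
+
+# Add OS
+addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS_KERNEL" "${BUILD_CONFIG[OS_KERNEL_NAME]^}"
+
+# Add ARCHITECTURE
+addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS_ARCHITECTURE" "${BUILD_CONFIG[OS_ARCHITECTURE]^}"
+
+# Add VARIANT
+addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "VARIANT" "${BUILD_CONFIG[BUILD_VARIANT]^}"
+
+# Add ALSA 3rd party component
+addSBOMComponentFromFile "${javaHome}" "${classpath}" "${sbomJson}" "ALSA" "dependency_version_alsa" "url" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_version_alsa.txt"
+
+# Add FreeType 3rd party component
+addSBOMComponentFromFile "${javaHome}" "${classpath}" "${sbomJson}" "FreeType" "dependency_version_freetype" "url" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_version_freetype.txt"
+
+# Add FreeMarker 3rd party component
+addSBOMComponentFromFile "${javaHome}" "${classpath}" "${sbomJson}" "FreeMarker" "dependency_version_freemarker" "url" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_version_freemarker.txt"
+
+# Print SBOM json
+echo "CycloneDX SBOM:"
+cat "${sbomJson}"
+echo ""
+}
+
+# Add the given Property name & value to the SBOM Metadata
+addSBOMMetadataProperty() {
+local javaHome="${1}"
+local classpath="${2}"
+local jsonFile="${3}"
+local name="${4}"
+local value="${5}"
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataProp --jsonFile "${jsonFile}" --name "${name}" --value "${value}"
+}
+
+# If the given property file exists, then add the given Property name with the given file contents value to the SBOM Metadata
+addSBOMMetadataPropertyFromFile() {
+local javaHome="${1}"
+local classpath="${2}"
+local jsonFile="${3}"
+local name="${4}"
+local propFile="${5}"
+if [ -e "${propFile}" ]; then
+local value=$(cat "${propFile}")
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataProp --jsonFile "${jsonFile}" --name "${name}" --value "${value}"
+fi
+}
+
+# If the given property file exists, then add the given Component and Property with the given file contents value
+addSBOMComponentFromFile() {
+local javaHome="${1}"
+local classpath="${2}"
+local jsonFile="${3}"
+local compName="${4}"
+local description="${5}"
+local name="${6}"
+local propFile="${7}"
+if [ -e "${propFile}" ]; then
+local value=$(cat "${propFile}")
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponent --jsonFile "${jsonFile}" --compName "${compName}" --description "${description}"
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --jsonFile "${jsonFile}" --compName "${compName}" --name "${name}" --value "${value}"
+fi
+}
+
+# Add the given Property name & value to the given SBOM Component
+addSBOMComponentProperty() {
+local javaHome="${1}"
+local classpath="${2}"
+local jsonFile="${3}"
+local compName="${4}"
+local name="${5}"
+local value="${6}"
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --jsonFile "${jsonFile}" --compName "${compName}" --name "${name}" --value "${value}"
+}
+
+# If the given property file exists, then add the given Property name with the given file contents value to the given SBOM Component
+addSBOMComponentPropertyFromFile() {
+local javaHome="${1}"
+local classpath="${2}"
+local jsonFile="${3}"
+local compName="${4}"
+local name="${5}"
+local propFile="${6}"
+if [ -e "${propFile}" ]; then
+local value=$(cat "${propFile}")
+"${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --jsonFile "${jsonFile}" --compName "${compName}" --name "${name}" --value "${value}"
+fi
 }
 
 getGradleJavaHome() {
@@ -1633,6 +1752,10 @@ if [[ "${BUILD_CONFIG[ASSEMBLE_EXPLODED_IMAGE]}" == "true" ]]; then
 printJavaVersionString
 addInfoToReleaseFile
 addInfoToJson
+if [[ "${BUILD_CONFIG[CREATE_SBOM]}" == "true" ]]; then
+buildCyclonedxLib
+generateSBoM
+fi
 removingUnnecessaryFiles
 copyFreeFontForMacOS
 setPlistForMacOS
@@ -1660,18 +1783,17 @@ if [[ "${BUILD_CONFIG[MAKE_EXPLODED]}" != "true" ]]; then
 printJavaVersionString
 addInfoToReleaseFile
 addInfoToJson
+if [[ "${BUILD_CONFIG[CREATE_SBOM]}" == "true" ]]; then
+buildCyclonedxLib
+generateSBoM
+fi
 removingUnnecessaryFiles
 copyFreeFontForMacOS
 setPlistForMacOS
 addNoticeFile
 createOpenJDKTarArchive
 fi
 
-if [[ "${BUILD_CONFIG[CREATE_SBOM]}" == "true" ]]; then
-buildCyclonedxLib
-generateSBoM
-fi
-
 echo "build.sh : $(date +%T) : All done!"
 
 # ccache is not detected properly TODO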
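Review bot: No step in `generateSBoM` checks the exit status of a `TemurinGenSBOM` call, and the `*FromFile` helpers return silently when their property file does not exist, so a failed or skipped step still leaves an `sbom.json` that reads as complete; whether the script runs under `set -e` is not visible here, and `generateSBoM` itself starts above the hunk. Since consumers will treat this file as the build's inventory, I would report each omission, e.g. `else echo "SBOM: ${propFile} not found, property ${name} omitted" >&2`, and stop the build when `--createNewSBOM` fails. `rm -f $sbomJson` is the one unquoted use of that path; `rm -f -- "${sbomJson}"` avoids word splitting and globbing if the workspace directory contains spaces or wildcard characters. `local value=$(cat "${propFile}")` also masks a failed read behind `local`'s own status, so declare and assign on separate lines.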
