sbom-github.md: 5 additions & 8 deletions
Original file line number | Diff line number | Diff line change
@@ -45,7 +45,7 @@ By the end of this post, you will clearly understand how to add SBOMs to your so
45
45
46
46
This will generate a bom.xml file in the target directory. We use the `makeAggregateBom` goal to have a single sbom for all the modules of our project.
47
47
48
-
2. Add the bom.xml and bom.json to your release script.
48
+
2.(GitHub) Add the bom.xml and bom.json to your release script.
49
49
If you have the JReleaser YAML file, you can add the bom.xml to the files section of the release section.
50
50
51
51
```yaml
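Review bot: the new line 48 reads `2.(GitHub) Add the bom.xml and bom.json to your release script.` with no space after `2.`, which CommonMark does not recognise as an ordered-list item, so this renders as plain text and the numbering of steps 3 and 4 further down breaks; write `2. (GitHub) Add the bom.xml and bom.json to your release script.`, matching the spacing of `3. (Maven Central) ...` in the next hunk. While here, the unchanged line 46 says the goal produces "a bom.xml file", yet this step adds both bom.xml and bom.json to the release; state up front that both files are generated so the reader is not surprised by the second one, and capitalise "sbom" as "SBOM" as the rest of the post does.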
@@ -58,12 +58,7 @@ By the end of this post, you will clearly understand how to add SBOMs to your so
58
58
59
59
This adds the bom.xml and bom.json to the release assets.
60
60
61
-
3. Make a release :)
62
-
The final result looks like this: https://github.com/chains-project/maven-lockfile/releases/tag/v3.0.0
63
-
64
-
### (Maven Central)
65
-
66
-
4. JReleaser can also upload the SBOMs to Maven Central from version 1.6.0.
61
+
3. (Maven Central) JReleaser can also upload the SBOMs to Maven Central from version 1.6.0.
67
62
If running JReleaser locally, make sure to use atleast version 1.6.0 and the SBOMs generated by `cyclonedx-maven-plugin` will be uploaded to Maven Central.
68
63
If using the `jreleaser/release-action` action, be aware that even if you use the latest version of the action it can pull different versions of JReleaser. If using atleast version 1.6.0 it will upload the SBOMs to Maven Central.
69
64
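Review bot: with `### (Maven Central)` removed and the step relabelled as `3. (Maven Central) JReleaser can also upload the SBOMs to Maven Central from version 1.6.0.`, both flows now live in one numbered list, so this item should tell the reader what to do (the configuration excerpt that follows and the 1.6.0 minimum) rather than only what JReleaser can do; "can also upload" reads as an aside, not a step. The unchanged lines 62 and 63 both spell "atleast"; fix to "at least". Line 63 warns that `jreleaser/release-action` may pull a JReleaser version different from what the action tag suggests, but never says how to pin the JReleaser version; since an older pull leaves the SBOMs out of the Maven Central upload, a reader following this post needs that instruction here rather than having to discover it afterwards.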
@@ -78,7 +73,9 @@ By the end of this post, you will clearly understand how to add SBOMs to your so
78
73
[...]
79
74
```
80
75
81
-
The final result looks like this: https://repo1.maven.org/maven2/io/github/chains-project/maven-lockfile/5.3.5/
76
+
4. Make a release :)
77
+
The final result looks like this on GitHub: https://github.com/chains-project/maven-lockfile/releases/tag/v5.3.5
78
+
The final result looks like this on Maven Central: https://repo1.maven.org/maven2/io/github/chains-project/maven-lockfile/5.3.5/
82
79
83
80
## Conclusion
84
81
In conclusion, adding SBOMs to your GitHub and Maven Central releases is a simple and effective way to improve the security and integrity of your software products. Following the steps outlined in this blog post, you can easily generate and add an SBOM to your GitHub and Maven Central release using Maven and JReleaser. With an SBOM, you can identify and remediate vulnerabilities in your software products on time, reducing the risk of security breaches and ensuring the trust of your users. We hope this post has helped guide you through adding SBOMs to your GitHub and Maven Central releases, and we encourage you to continue exploring ways to improve the security and quality of your software products.
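Review bot: the new lines 76 to 78 add `4. Make a release :)` and two result links but give no way to confirm the SBOMs actually shipped, even though line 63 says an older JReleaser pull will not upload them; add a verification step, for example open the Maven Central directory listing linked on line 78 and the GitHub release assets linked on line 77 and confirm the SBOM files are present before treating the release as done. The two `The final result looks like this on ...` lines also sit directly under the list item with no indentation or blank line, so whether they attach to step 4 depends on the renderer; indent them or separate them with a blank line so the rendering is deterministic. Finally, the unchanged conclusion on line 81 claims that "with an SBOM, you can identify and remediate vulnerabilities"; an SBOM only enables that once something consumes it (a scanner or dependency-tracking service), which this post does not cover, so that sentence should be softened to say the SBOM is the input to such tooling.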