
Commit ad3d2dc

[SPARK-53669] Publish SBOM artifacts
### What changes were proposed in this pull request?

Since Apache Spark 3.4.0, the Apache Spark main repository has been providing an `SBOM` artifact. Like the main repository, this PR aims to publish `SBOM` artifacts of `Apache Spark K8s Operator` artifacts.

- apache/spark#39401
- https://repo1.maven.org/maven2/org/apache/spark/spark-core_2.13/4.0.1/spark-core_2.13-4.0.1-cyclonedx.xml

### Why are the changes needed?

Here is an article to give some context.

- https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/

Software Bills of Materials (SBOMs) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software Package Data Exchange® (SPDX)](https://spdx.dev/).

### Does this PR introduce _any_ user-facing change?

No behavior change.

### How was this patch tested?

Manually run the following command and check the local Maven directory.

**COMMAND**
```
$ gradle publishApachePublicationToMavenLocal -Prelease
```

**BEFORE**
```
$ ls -al ~/.m2/repository/org/apache/spark/spark-operator-api/0.5.0-SNAPSHOT
total 976
drwxr-xr-x  15 dongjoon  staff     480 Sep 22 16:26 .
drwxr-xr-x   4 dongjoon  staff     128 Sep 22 16:26 ..
-rw-r--r--   1 dongjoon  staff    2632 Sep 22 16:26 maven-metadata-local.xml
-rw-r--r--   1 dongjoon  staff  233151 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar.asc
-rw-r--r--   1 dongjoon  staff   52522 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-sources.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-sources.jar.asc
-rw-r--r--   1 dongjoon  staff   17387 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-tests.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT-tests.jar.asc
-rw-r--r--   1 dongjoon  staff  154249 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.jar.asc
-rw-r--r--   1 dongjoon  staff    2683 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.module
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.module.asc
-rw-r--r--   1 dongjoon  staff    2289 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.pom
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:26 spark-operator-api-0.5.0-SNAPSHOT.pom.asc
```

**AFTER**
```
$ ls -al ~/.m2/repository/org/apache/spark/spark-operator-api/0.5.0-SNAPSHOT
total 5880
drwxr-xr-x  17 dongjoon  staff     544 Sep 22 16:27 .
drwxr-xr-x   4 dongjoon  staff     128 Sep 22 16:27 ..
-rw-r--r--   1 dongjoon  staff    3050 Sep 22 16:27 maven-metadata-local.xml
-rw-r--r--   1 dongjoon  staff 2505028 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml.asc
-rw-r--r--   1 dongjoon  staff  233151 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-javadoc.jar.asc
-rw-r--r--   1 dongjoon  staff   52522 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-sources.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-sources.jar.asc
-rw-r--r--   1 dongjoon  staff   17387 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-tests.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT-tests.jar.asc
-rw-r--r--   1 dongjoon  staff  154249 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.jar
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.jar.asc
-rw-r--r--   1 dongjoon  staff    2683 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.module
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.module.asc
-rw-r--r--   1 dongjoon  staff    2289 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.pom
-rw-r--r--   1 dongjoon  staff     833 Sep 22 16:27 spark-operator-api-0.5.0-SNAPSHOT.pom.asc
```

### Was this patch authored or co-authored using generative AI tooling?

No.

Closes apache#332 from dongjoon-hyun/SPARK-53669.

Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
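The test step above only checks that `spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml` and its `.asc` land in `~/.m2`. As an added example (not code from the Spark K8s Operator repository), here is what a consumer of that artifact would do next: parse the CycloneDX XML, confirm that its `metadata/component` names the Maven coordinates that were actually downloaded, and flag any listed component that carries no Package URL or hash, since such an entry cannot be matched by a vulnerability scanner or tied to a specific jar. The BOM in the block is a constructed sample in the shape of the published file: its dependency components and hash value are fictional, and only the `org.apache.spark:spark-operator-api:0.5.0-SNAPSHOT` coordinates come from the listing above.

```python
"""Consumer-side check of a CycloneDX SBOM published next to a Maven artifact.
Added example, not code from the Spark K8s Operator build; the sample BOM below
is constructed and its dependency components are fictional."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

CDX_NS_PREFIX = "http://cyclonedx.org/schema/bom/"

# Constructed stand-in for a downloaded <artifact>-cyclonedx.xml (placeholder hash value).
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79">
  <metadata>
    <component type="library">
      <group>org.apache.spark</group><name>spark-operator-api</name>
      <version>0.5.0-SNAPSHOT</version>
      <purl>pkg:maven/org.apache.spark/spark-operator-api@0.5.0-SNAPSHOT</purl>
    </component>
  </metadata>
  <components>
    <component type="library">
      <group>com.example</group><name>good-dep</name><version>1.2.3</version>
      <hashes><hash alg="SHA-256">00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff</hash></hashes>
      <purl>pkg:maven/com.example/good-dep@1.2.3</purl>
    </component>
    <component type="library">
      <group>com.example</group><name>bare-dep</name><version>4.5.6</version>
    </component>
  </components>
</bom>
"""


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str
    purl: Optional[str]
    hashes: Tuple[str, ...]  # hash algorithms present, e.g. ("SHA-256",)

    @property
    def gav(self) -> str:
        return f"{self.group}:{self.name}:{self.version}"


def _namespace(root: ET.Element) -> str:
    """CycloneDX XML is always namespaced; the schema version lives in the URI."""
    if not root.tag.startswith("{"):
        raise ValueError("root element is not namespaced; not a CycloneDX document")
    ns, local = root.tag[1:].split("}", 1)
    if not ns.startswith(CDX_NS_PREFIX) or local != "bom":
        raise ValueError(f"unexpected root {root.tag}; not a CycloneDX BOM")
    return ns


def _read_component(elem: ET.Element, nsmap: dict) -> Component:
    def text(child: str) -> Optional[str]:
        node = elem.find(f"c:{child}", nsmap)
        return node.text.strip() if node is not None and node.text else None

    hashes = tuple(h.get("alg", "") for h in elem.findall("c:hashes/c:hash", nsmap) if h.text)
    return Component(text("group") or "", text("name") or "", text("version") or "",
                     text("purl"), hashes)


def parse_bom(xml_text: str) -> Tuple[Optional[Component], List[Component]]:
    """Return (the component the BOM describes, the dependency components it lists)."""
    root = ET.fromstring(xml_text)
    nsmap = {"c": _namespace(root)}  # prefix-to-URI map for find()/findall()
    subject = root.find("c:metadata/c:component", nsmap)
    return (
        _read_component(subject, nsmap) if subject is not None else None,
        [_read_component(e, nsmap) for e in root.findall("c:components/c:component", nsmap)],
    )


def check_bom(xml_text: str, expected_gav: str) -> List[str]:
    """Return findings as strings; an empty list means the BOM passed every check."""
    findings: List[str] = []
    subject, components = parse_bom(xml_text)
    if subject is None:
        findings.append("metadata/component missing: BOM does not state what it describes")
    elif subject.gav != expected_gav:
        findings.append(f"BOM describes {subject.gav}, expected {expected_gav}")
    for comp in components:  # scanners match on purl; hashes tie a purl to a specific jar
        if not comp.purl:
            findings.append(f"{comp.gav}: no purl, scanners cannot match it")
        if not comp.hashes:
            findings.append(f"{comp.gav}: no hashes, cannot be tied to a specific jar")
    return findings


if __name__ == "__main__":  # with no real file at hand, check the constructed sample
    print(check_bom(SAMPLE_BOM, "org.apache.spark:spark-operator-api:0.5.0-SNAPSHOT"))
```

Verify the detached signature first (`gpg --verify <file>.asc <file>` against the project's KEYS file): the BOM is only as trustworthy as the signature that ships beside it, which is why the `.asc` in the AFTER listing matters as much as the XML. The checker uses only the standard library so it can run in a locked-down CI step, and it treats a missing `purl` or hash as a finding rather than an error because a BOM with such entries is still valid CycloneDX; it just cannot be acted on.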
1 parent bb46c2f commit ad3d2dc

3 files changed: +9 -0 lines changed


build.gradle

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -26,6 +26,7 @@ buildscript {
2626
classpath "${libs.spotbugs.gradle.plugin.get()}"
2727
classpath "${libs.spotless.plugin.gradle.get()}"
2828
classpath "${libs.shadow.get()}"
29+
classpath "${libs.cyclonedx.bom.get()}"
2930
}
3031
}
3132
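Review bot: the `libs.cyclonedx.bom` entry goes on the root `buildscript` classpath next to spotbugs, spotless and shadow, so the plugin jar and whatever it pulls in transitively are resolved on every build, not only under `-Prelease`, which is the only flow the commit message exercises. If the SBOM is meant to be a release-only concern, gate this classpath line together with the `apply plugin:` in deploy.gradle; otherwise it is fine as is, and just worth confirming that the buildscript repositories already serve the new coordinates.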

deploy.gradle

Lines changed: 6 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -22,6 +22,7 @@ if (project.hasProperty('release') && JavaVersion.current().getMajorVersion().to
2222
}
2323

2424
subprojects {
25+
apply plugin: 'org.cyclonedx.bom'
2526
apply plugin: 'maven-publish'
2627
apply plugin: 'signing'
2728
afterEvaluate {
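Review bot: `apply plugin: 'org.cyclonedx.bom'` is applied to every subproject with no configuration of the `cyclonedxBom` task, so the schema version, the output format and which Gradle configurations feed the BOM all fall back to plugin defaults and can change silently on the next plugin upgrade. Consider configuring the task explicitly, at minimum pinning the schema version and restricting the input to the runtime classpath configurations; the 2,505,028-byte `spark-operator-api-0.5.0-SNAPSHOT-cyclonedx.xml` in the test listing is worth opening to confirm that only runtime dependencies, not test or build-time ones, are being reported as components of the published artifact.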
@@ -68,6 +69,11 @@ subprojects {
6869
artifact sourceJar
6970
artifact javadocJar
7071
artifact testJar
72+
artifact("$buildDir/reports/bom.xml") {
73+
classifier 'cyclonedx'
74+
extension 'xml'
75+
builtBy tasks.named('cyclonedxBom')
76+
}
7177

7278
versionMapping {
7379
allVariants {
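Review bot: `artifact("$buildDir/reports/bom.xml")` hard-codes the plugin's default output location instead of taking it from the `cyclonedxBom` task's outputs, so if the default path or format moves in a later plugin version the publication either fails or, worse, ships a stale file from a previous run; `builtBy tasks.named('cyclonedxBom')` only orders the task, it does not tie the artifact to what the task actually wrote. `Project.buildDir` is also deprecated in Gradle 8 in favour of `layout.buildDirectory`. Prefer deriving the file from the task's output files, or at least from `layout.buildDirectory.file('reports/bom.xml')`. The `classifier 'cyclonedx'` / `extension 'xml'` pair does produce the same `-cyclonedx.xml` name the main Spark repository publishes, and the `.asc` in the AFTER listing confirms the signing plugin covers the new artifact.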

gradle/libs.versions.toml

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -36,6 +36,7 @@ spotbugs-plugin = "6.4.2"
3636
spotless-plugin = "6.25.0"
3737

3838
# Packaging
39+
cyclonedx = "2.4.1"
3940
shadow-jar-plugin = "8.3.6"
4041

4142
[libraries]
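Review bot: naming consistency in the version key: the neighbouring entries are `spotbugs-plugin`, `spotless-plugin` and `shadow-jar-plugin`, so the new key would read better as `cyclonedx-plugin` (with the `version.ref` below updated to match) rather than a bare `cyclonedx`, which a later reader could take for the version of the CycloneDX core library or schema rather than the Gradle plugin.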
@@ -65,3 +66,4 @@ junit-platform-launcher = { group = "org.junit.platform", name = "junit-platform
6566
spotbugs-gradle-plugin = { group = "com.github.spotbugs.snom", name = "spotbugs-gradle-plugin", version.ref = "spotbugs-plugin" }
6667
spotless-plugin-gradle = { group = "com.diffplug.spotless", name = "spotless-plugin-gradle", version.ref = "spotless-plugin" }
6768
shadow = { group = "com.gradleup.shadow", name = "shadow-gradle-plugin", version.ref = "shadow-jar-plugin"}
69+
cyclonedx-bom = { group = "org.cyclonedx.bom", name = "org.cyclonedx.bom.gradle.plugin", version.ref = "cyclonedx" }
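Review bot: unlike the `spotbugs-gradle-plugin`, `spotless-plugin-gradle` and `shadow` entries, which name the plugin jar directly, this `[libraries]` entry names the plugin-marker artifact `org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin`, a POM-only artifact whose job is to resolve the real plugin jar transitively. That works on the buildscript classpath, but a short comment (or an equivalent entry under `[plugins]`) would make clear the difference is intentional, so the next person does not go looking for a jar by that name.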
