<h1>Creating SBOMs for Tycho artifacts</h1><section><aid="What_is_an_SBOM.3F"></a>
110
+
<h2>What is an SBOM?</h2>
111
+
<p>A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. SBOMs are essential for:</p>
112
+
<ul>
113
+
114
+
<li><strong>Security</strong>: Understanding your software supply chain and identifying vulnerable components</li>
115
+
<li><strong>Compliance</strong>: Meeting regulatory requirements and license obligations</li>
116
+
<li><strong>Transparency</strong>: Documenting what's in your software for customers and stakeholders</li>
117
+
</ul>
118
+
<p>Tycho supports generating SBOMs in industry-standard formats like CycloneDX, making it easier to maintain visibility into your Eclipse-based applications.</p></section><section><aid="SBOM_Generation_Approaches"></a>
119
+
<h2>SBOM Generation Approaches</h2>
110
120
<p>Tycho has two ways of creating an SBOM for your artifacts one local using an extension for the <ahref="https://github.com/CycloneDX/cyclonedx-maven-plugin" class="externalLink">cyclone-dx plugin</a>
111
-
and one more global approach using a prebuild products.</p><section><aid="Using_the_cyclone-dx_extension"></a>
121
+
and one more global approach using a prebuild products.</p></section><section><aid="Using_the_cyclone-dx_extension"></a>
112
122
<h2>Using the cyclone-dx extension</h2>
123
+
<p>The <ahref="https://github.com/CycloneDX/cyclonedx-maven-plugin" class="externalLink">CycloneDX Maven Plugin</a> creates SBOMs for individual Maven projects during the build lifecycle. Tycho provides an extension (<code>tycho-sbom</code>) that enables the CycloneDX plugin to properly understand and include OSGi/Eclipse-specific artifacts in the generated SBOM.</p>
124
+
<p>This approach is ideal for:</p>
125
+
<ul>
126
+
127
+
<li>Generating SBOMs as part of your regular Maven build</li>
128
+
<li>Creating per-module SBOMs for individual components</li>
129
+
<li>Integration with CI/CD pipelines</li>
130
+
</ul>
131
+
<p>To use this extension, add the CycloneDX Maven Plugin with the Tycho SBOM dependency:</p>
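Review bot: the rewritten line at new 121 keeps the grammar error it inherited from old 111 ("using a prebuild products"), and the sentence it completes (new 120) runs its two alternatives together without punctuation; since the line is already being touched, make it read "Tycho has two ways of creating an SBOM for your artifacts: a local one using an extension for the cyclone-dx plugin, and a more global approach using prebuilt products." The added `</section>` on 121 correctly closes the section that old 111 left open. One structural point while here: "SBOM Generation Approaches" (new 119) is an `<h2>`, and the two approaches it introduces ("Using the cyclone-dx extension" at 122, and the prebuilt product section later) are also `<h2>`, so the outline does not show them as children of the approaches heading; consider `<h3>` for the two approach headings.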
@@ -123,12 +142,29 @@ <h2>Using the cyclone-dx extension</h2>
123
142
</dependencies>
124
143
</plugin>
125
144
</code></pre>
126
-
<p>see also this demo:</p>
145
+
<p>For more information about the CycloneDX Maven Plugin, including configuration options and best practices, see the <ahref="https://github.com/CycloneDX/cyclonedx-maven-plugin" class="externalLink">official CycloneDX Maven Plugin documentation</a>.</p>
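Review bot: removed line 126 ("see also this demo:") introduced a demo reference that the replacement paragraph at 145 does not carry forward; if the demo is still in the repository, keep a link to it beside the new documentation link, and if it is gone, check that nothing that followed the old paragraph (the demo link itself) is left orphaned. Also note that the new link labelled "official CycloneDX Maven Plugin documentation" targets the same repository root already linked from 120 as "cyclone-dx plugin"; that is acceptable, but the label promises documentation while the target is the repository landing page.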
<h2>Using a prebuild product</h2><section><aid="calling_from_CLI"></a>
151
+
<h2>Using a prebuild product</h2>
152
+
<p>The <code>tycho-sbom:generator</code> mojo wraps the <ahref="https://github.com/eclipse-cbi/p2repo-sbom" class="externalLink">Eclipse CBI p2repo-sbom tool</a> as a Maven plugin, enabling SBOM generation for complete Eclipse products and installations. This tool is particularly powerful as it:</p>
153
+
<ul>
154
+
155
+
<li>Analyzes complete product installations rather than individual build artifacts</li>
156
+
<li>Gathers metadata from multiple sources including Maven Central and ClearlyDefined</li>
157
+
<li>Provides enhanced license identification and dependency mapping</li>
158
+
<li>Generates comprehensive SBOMs that can be extended with additional metadata</li>
159
+
</ul>
160
+
<p>This approach is ideal for:</p>
161
+
<ul>
162
+
163
+
<li>Generating SBOMs for final, assembled products</li>
164
+
<li>Post-build SBOM generation from existing installations</li>
165
+
<li>Creating SBOMs with enriched metadata from external sources</li>
166
+
</ul>
167
+
<p>For detailed information about the underlying tool, see the <ahref="https://github.com/eclipse-cbi/p2repo-sbom/blob/main/docs/index.md" class="externalLink">p2repo-sbom documentation</a>.</p><section><aid="calling_from_CLI"></a>
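Review bot: the `<section>` opened at the end of new 167 is given id "calling_from_CLI", but the same id already appears on the section that wraps the "Using a prebuild product" heading, so the document now has duplicate ids; that is invalid HTML and makes the in-page anchor for the CLI section ambiguous. Give the first section an id derived from its own heading (for example "Using_a_prebuild_product", matching the "What_is_an_SBOM.3F" and "SBOM_Generation_Approaches" convention used earlier) and keep "calling_from_CLI" only on the section that actually holds the CLI material. While touching 151, fix the heading typo: "Using a prebuilt product".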
<p>The <code>tycho-sbom:generator</code> mojo supports the following configuration parameters:</p>
191
+
<ul>
192
+
193
+
<li><strong><code>installations</code></strong> (File): Specify a folder where multiple packaged products are located to be analyzed</li>
194
+
<li><strong><code>installation</code></strong> (File): Specify a single installation directory or update-site to analyze</li>
195
+
<li><strong><code>cache</code></strong> (File): Specify a cache location for downloaded metadata. If not specified, Tycho uses its global cache location in the Maven local repository</li>
196
+
<li><strong><code>central-search</code></strong> (boolean, property: <code>central-search</code>): If enabled, artifacts are mapped to Maven Central using file hashcodes. When a unique match is found, it's assumed to be the real source even if P2 has not recorded any GAVs</li>
197
+
<li><strong><code>advisory</code></strong> (boolean, property: <code>advisory</code>): If enabled, queries the Open Source Vulnerabilities (OSV) distributed vulnerability database for known vulnerabilities in Open Source components and adds them as external references to the components</li>
198
+
<li><strong><code>p2sources</code></strong> (List of String): A list of URIs that should be used to match against P2 units. These are typically the repositories used during product build</li>
199
+
<li><strong><code>verbose</code></strong> (boolean, property: <code>sbom.verbose</code>): Enable verbose logging output from the generator</li>
200
+
<li><strong><code>xmlOutputs</code></strong> (File, property: <code>xml-outputs</code>, default: <code>${project.build.directory}</code>): Directory where XML SBOM files will be written</li>
201
+
<li><strong><code>jsonOutputs</code></strong> (File, property: <code>json-outputs</code>, default: <code>${project.build.directory}</code>): Directory where JSON SBOM files will be written</li>
202
+
<li><strong><code>index</code></strong> (File, property: <code>index</code>, default: <code>${project.build.directory}/index.html</code>): Path where the HTML index file will be written</li>
203
+
<li><strong><code>generatorRepository</code></strong> (Repository): The repository where the generator application should be sourced from</li>
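Review bot: the parameter list at 193-203 is inconsistent about names and user properties: `central-search` is documented with a hyphenated parameter name while every other parameter is camelCase (`xmlOutputs`, `jsonOutputs`, `generatorRepository`), and the properties mix an `sbom.` prefix (`sbom.verbose`) with bare names (`advisory`, `central-search`, `index`, `xml-outputs`, `json-outputs`). Check the actual `@Parameter` names and properties in the mojo and document them verbatim, ideally under one consistent `sbom.` prefix, since bare properties such as `index` are easy to collide with other plugins on the same command line. The `central-search` (196) and `advisory` (197) bullets should also say that they contact Maven Central and the OSV database over the network, so the generated SBOM reflects what those services returned at generation time and offline builds need either a pre-populated `cache` (195) or these options disabled; state what a failed lookup does (skip, warn, or fail the build), since an SBOM that silently omits advisories is worse than one that fails loudly.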