Merge pull request #1502 from DependencyTrack/quarkus-cyclonedx

Migrate to Quarkus-native CycloneDX SBOM generation
DependencyTrack · Sep 12, 2024 · f53d2be · f53d2be
2 parents a84682c + 90bc362
commit f53d2be
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 14 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -70,7 +70,7 @@ jobs:
         )
         
         mvn -B --no-transfer-progress release:prepare \
-          -DpreparationGoals="clean cyclonedx:makeBom verify" \
+          -DpreparationGoals="clean verify" \
           -Darguments="${BUILD_ARGS[*]}" \
           -DpushChanges=false
     - name: Push Changes
@@ -96,5 +96,7 @@ jobs:
       env:
         GITHUB_TOKEN: "${{ secrets.BOT_RELEASE_TOKEN }}"
       run: |-
+        find . -name quarkus-run-cyclonedx.json -exec \
+          sh -c 'mv {} "$(echo {} | cut -d "/" -f 2)-${{ steps.determine-release-tag.outputs.TAG_NAME }}.cdx.json"' \;
         gh release upload "${{ steps.determine-release-tag.outputs.TAG_NAME }}" \
-          ./*/target/*.cdx.json --clobber
+          ./*.cdx.json --clobber
diff --git a/mirror-service/pom.xml b/mirror-service/pom.xml
@@ -77,6 +77,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-container-image-docker</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-cyclonedx</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.github.jeremylong</groupId>
             <artifactId>open-vulnerability-clients</artifactId>

diff --git a/notification-publisher/pom.xml b/notification-publisher/pom.xml
@@ -49,6 +49,10 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-container-image-docker</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-cyclonedx</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-resteasy</artifactId>

diff --git a/pom.xml b/pom.xml
@@ -96,7 +96,6 @@
     <lib.versatile.version>0.7.0</lib.versatile.version>
 
     <!-- Plugin Versions -->
-    <plugin.cyclonedx.version>2.8.1</plugin.cyclonedx.version>
     <plugin.jacoco.version>0.8.12</plugin.jacoco.version>
     <plugin.protoc-jar.version>3.11.4</plugin.protoc-jar.version>
 
@@ -498,17 +497,6 @@
           </executions>
         </plugin>
 
-        <plugin>
-          <groupId>org.cyclonedx</groupId>
-          <artifactId>cyclonedx-maven-plugin</artifactId>
-          <version>${plugin.cyclonedx.version}</version>
-          <configuration>
-            <outputFormat>json</outputFormat>
-            <outputName>${project.name}-${project.version}.cdx</outputName>
-            <projectType>application</projectType>
-          </configuration>
-        </plugin>
-
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-release-plugin</artifactId>

diff --git a/repository-meta-analyzer/pom.xml b/repository-meta-analyzer/pom.xml
@@ -58,6 +58,10 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-container-image-docker</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-cyclonedx</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-cache</artifactId>

diff --git a/vulnerability-analyzer/pom.xml b/vulnerability-analyzer/pom.xml
@@ -52,6 +52,10 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-container-image-docker</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-cyclonedx</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-kafka-streams</artifactId>