refactoring/527_spdx-sbom#542
| - name: Upload SPDX SBOM | ||
| uses: actions/upload-artifact@v7 | ||
| if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} | ||
| with: | ||
| name: openfasttrace-spdx | ||
| path: product/target/site/*.spdx.json | ||
| if-no-files-found: error |
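Review bot: `uses: actions/upload-artifact@v7` pins the action only by its major tag, so the step resolves to whatever commit that tag points at when the workflow runs; for a step that publishes a supply-chain artifact, pin the action to a full commit SHA and keep the tag in a trailing comment so Dependabot can still bump it. `if-no-files-found: error` is the right choice here, since a silently missing SBOM would otherwise go unnoticed.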
👍
Also generate this in the release workflow, calculate checksum and attach it with the checksum to the GitHub release (see shell script).
| - name: Generate SPDX SBOM | ||
| if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} | ||
| run: | | ||
| mvn --batch-mode -pl product spdx:createSPDX \ | ||
| -Dossindex.skip=true \ | ||
| -Djava.version=${{ matrix.java }} |
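Review bot: `-Dossindex.skip=true` switches off the OSS Index vulnerability audit for this invocation without saying why. If the audit already ran in the preceding build/install step that is fine, but record that in a YAML comment next to the flag, so that a later reordering of the job does not end up skipping the audit entirely. Running `-pl product` without `-am` also means this step depends on the other modules having been installed into the local repository by the earlier step, which matches the build order described in the developer guide but is worth stating in the step name or a comment.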
Would it be possible to run the plugin with mvn install? Then you don't need a separate build step.
| <!-- The following section is unfortunately necessary because the Maven SPDX plugin has problems | ||
| with OFT's multi-module project | ||
| --> | ||
| <licenseOverwrites> |
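Review bot: the comment says the plugin "has problems" with the multi-module project but not what the symptom is; record the concrete failure (and an upstream issue link, if one exists) next to `<licenseOverwrites>`, otherwise nobody will know when the workaround can be removed.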
We really need to find a workaround for this ;)
| <configuration> | ||
| <sbomType>build</sbomType> | ||
| <includeTestScope>false</includeTestScope> | ||
| <licenseDeclared>GPL-3.0-only</licenseDeclared> | ||
| <licenseConcluded>GPL-3.0-only</licenseConcluded> | ||
| <copyrightText>Copyright (c) itsallcode.org</copyrightText> | ||
| <createExternalRefs>false</createExternalRefs> | ||
| <defaultFileConcludedLicense>GPL-3.0-only</defaultFileConcludedLicense> | ||
| <defaultLicenseInformationInFile>GPL-3.0-only</defaultLicenseInformationInFile> | ||
| <defaultFileCopyright>Copyright (c) itsallcode.org</defaultFileCopyright> | ||
| </configuration> | ||
| </plugin> |
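Review bot: `licenseDeclared` and `licenseConcluded` are both hard-coded to `GPL-3.0-only` here, as are `defaultFileConcludedLicense` and `defaultLicenseInformationInFile`. In SPDX the declared license is what the project states and the concluded license is what the SBOM producer established after examination; setting both from configuration is acceptable for OFT's own modules, but the values should live in exactly one place (the parent POM, per the file summary) rather than being repeated in this POM, so that a future license change cannot leave the two SBOMs disagreeing.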
Duplicated in parent pom. Is this really necessary as the root is only an aggregator pom without code?
Co-authored-by: Christoph Pirkl <4711730+kaklakariada@users.noreply.github.com>
Pull request overview

This PR introduces initial SPDX SBOM generation for OpenFastTrace using the SPDX Maven Plugin, and updates module metadata/documentation to support publishing/consumption expectations around SBOMs and licensing.

Changes:
- Add SPDX SBOM generation via org.spdx:spdx-maven-plugin (module + aggregation) and upload SBOM artifacts in CI.
- Add/standardize Maven module <description> metadata and SPDX-aligned license metadata.
- Update documentation/release notes and add SECURITY.md, alongside a version bump to 4.6.0.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| pom.xml | Adds SPDX plugin configuration at the root (aggregation goal + basic SPDX metadata). |
| parent/pom.xml | Bumps revision to 4.6.0, introduces SPDX metadata properties, updates license metadata, and adds SPDX plugin configuration for modules. |
| product/pom.xml | Configures SPDX aggregation for the product build, including license overwrites for OFT modules. |
| .github/workflows/build.yml | Generates and uploads an SPDX SBOM artifact as part of CI. |
| SECURITY.md | Adds a security policy and SBOM disclosure statement. |
| doc/developer_guide.md | Documents how to generate the SBOM locally (build/install then spdx:createSPDX). |
| doc/changes/changes_4.6.0.md | Mentions SBOM availability in the 4.6.0 changelog summary/refactoring notes. |
| openfasttrace-mc-deployable-parent/pom.xml | Adds a description for the Maven Central deployable parent POM. |
| api/pom.xml | Adds module description metadata. |
| core/pom.xml | Adds module description metadata. |
| testutil/pom.xml | Adds module description metadata. |
| exporter/common/pom.xml | Adds module description metadata. |
| exporter/specobject/pom.xml | Adds module description metadata. |
| importer/lightweightmarkup/pom.xml | Adds module description metadata. |
| importer/markdown/pom.xml | Adds module description metadata. |
| importer/restructuredtext/pom.xml | Adds module description metadata. |
| importer/specobject/pom.xml | Adds module description metadata. |
| importer/tag/pom.xml | Adds module description metadata. |
| importer/xmlparser/pom.xml | Adds module description metadata. |
| importer/zip/pom.xml | Adds module description metadata. |
| reporter/aspec/pom.xml | Adds module description metadata. |
| reporter/html/pom.xml | Adds module description metadata. |
| reporter/plaintext/pom.xml | Adds module description metadata. |
| <executions> | ||
| <execution> | ||
| <id>build-spdx</id> | ||
| <goals> | ||
| <goal>createSPDX</goal> | ||
| </goals> | ||
| <phase> | ||
| none | ||
| </phase> | ||
| </execution> | ||
| </executions> |
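Review bot: the `build-spdx` execution is bound to `<phase>none</phase>`, so it never runs during a normal build, and a command-line `mvn spdx:createSPDX` runs the `default-cli` execution rather than this one; as written, this block only takes effect if someone invokes `spdx:createSPDX@build-spdx` explicitly. Either bind the goal to a phase such as `verify` (which would also let `mvn install` produce the SBOM, as asked above) or drop the `<executions>` block. Minor: put `none` on the same line as its `<phase>` tags.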
| <includeCompileScope>true</includeCompileScope> | ||
| <includeTestScope>false</includeTestScope> | ||
| <includeTransitiveDependencies>true</includeTransitiveDependencies> |
| <modelVersion>4.0.0</modelVersion> | ||
| <artifactId>openfasttrace-importer-tag</artifactId> | ||
| <name>OpenFastTrace Tag Importer</name> | ||
| <description>Importer for OpenFastTrace specification items embedded source code marker tags</description> |
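Review bot: the description reads "specification items embedded source code marker tags"; a word is missing, presumably "embedded in source code marker tags". Since these `<description>` values are being added so that the SPDX plugin can pick them up as package metadata, they deserve one more proofreading pass across all the module POMs.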
|
|
||
| ## SBOM | ||
|
|
||
| The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin). |
| The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven repository first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM. | ||
|
|
||
|
|
||
| You can create the SBOM with the following sequence of Maven commands module: |
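Review bot: "The Project generates and [SPDX] SBOM" should read "an [SPDX] SBOM", and "with the following sequence of Maven commands module:" has a stray word; the commands themselves are not visible in this hunk, so make sure the install-then-`spdx:createSPDX` sequence actually follows the sentence. On the substance: because the plugin reads module metadata from whatever is installed in the local repository, a stale `~/.m2` can yield an SBOM that describes a different build than the JAR next to it; the guide should say that the SBOM is only trustworthy when the modules were installed from the same checkout immediately beforehand, and CI should start from a clean repository.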
|
|
||
| ## Software Bill of Materials (SBOM) | ||
|
|
||
| To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the GitHub releases starting from version 4.6.0. These files provide a comprehensive list of all components and dependencies used in the project. |
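Review bot: this tells consumers where to find the SBOM but not how to verify it; since the SBOM becomes a trust artifact, state next to it how its integrity is checked (the checksum attachment requested above, or a signature) and whether it covers the product JAR only or all modules.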
| We moved some GitHub action permissions from workflow-level to job-level. | ||
| We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules. | ||
|
|
||
| And, we now create an SPDX SBOM. You can find the SBOM of the product JAR attached to all new GitHub releases. |
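Review bot: "attached to all new GitHub releases" describes a release attachment, but the only workflow change in this PR is the CI artifact upload in `build.yml` (see the file summary); either reword this to match what ships now or land the release-workflow change together with it. Minor: the changed line above merges the permissions move and the Sonar fixes into one sentence, which makes the changelog harder to scan; two sentences would read better.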



This is our first shot at creating an SBOM. OFT's SBOM is not very thrilling, since OFT has only a single runtime dependency (the JRE) and that is not included in the distribution JAR because it is on the user's machine.
That leaves only a list of internal OFT packages in the SBOM, which all have the same license: GPL 3.0.
Closes #527.