refactoring/527_spdx-sbom #542 (Open)

redcatbear wants to merge 6 commits into main from refactoring/527_spdx-sbom

Conversation

@redcatbear (Collaborator) commented Jun 13, 2026

This is our first shot at creating an SBOM. OFT's SBOM is not very thrilling, since OFT has only a single runtime dependency (the JRE) and that is not included in the distribution JAR because it is on the user's machine.

That leaves only a list of internal OFT packages in the SBOM, which all have the same license: GPL 3.0.

Closes #527.

@redcatbear redcatbear requested a review from kaklakariada June 13, 2026 09:23
@redcatbear redcatbear self-assigned this Jun 13, 2026
@redcatbear redcatbear added the documentation User guides, tutorials, specifications label Jun 13, 2026
Comment on lines +98 to +104
- name: Upload SPDX SBOM
uses: actions/upload-artifact@v7
if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
with:
name: openfasttrace-spdx
path: product/target/site/*.spdx.json
if-no-files-found: error
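Review bot: `uses: actions/upload-artifact@v7` in this upload step is pinned only to a mutable major tag; for the artifact that is meant to become the release's supply-chain statement, pin the action to a full commit SHA (with the version in a trailing comment) so a moved tag cannot change what handles the SBOM. Keeping `if-no-files-found: error` is the right call, since a silently missing SBOM would otherwise pass CI.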

Contributor:

👍
Also generate this in the release workflow, calculate checksum and attach it with the checksum to the GitHub release (see shell script).

Comment thread doc/changes/changes_4.6.0.md Outdated
Comment on lines +91 to +96
- name: Generate SPDX SBOM
if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
run: |
mvn --batch-mode -pl product spdx:createSPDX \
-Dossindex.skip=true \
-Djava.version=${{ matrix.java }}
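Review bot: `-Dossindex.skip=true` in the `run:` block disables the OSS Index dependency audit for this invocation without saying why; add a comment in the workflow giving the reason (for example that the audit already runs in the regular build step), otherwise a later edit may copy the flag into other steps and lose the check. Since `spdx:createSPDX` is invoked on its own here and, per the developer guide text in this PR, reads module metadata from the local Maven repository, a short comment naming the earlier step that installs the modules would make the ordering dependency visible.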

Contributor:

Would it be possible to run the plugin with mvn install? Then you don't need a separate build step.

Comment thread doc/developer_guide.md Outdated
Comment thread parent/pom.xml Outdated
Comment thread product/pom.xml
<!-- The following section is unfortunately necessary because the Maven SPDX plugin has problems
with OFT's multi-module project
-->
<licenseOverwrites>
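Review bot: the XML comment above `<licenseOverwrites>` says the plugin "has problems" with the multi-module build but not which metadata comes out wrong or under what condition; state the observed symptom and link the upstream plugin issue, so the override can be removed once it is fixed and a reader of a future SBOM can tell whether a license value comes from the plugin or from this override.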

Contributor:

We really need to find a workaround for this ;)

Comment thread pom.xml
Comment on lines +62 to +73
<configuration>
<sbomType>build</sbomType>
<includeTestScope>false</includeTestScope>
<licenseDeclared>GPL-3.0-only</licenseDeclared>
<licenseConcluded>GPL-3.0-only</licenseConcluded>
<copyrightText>Copyright (c) itsallcode.org</copyrightText>
<createExternalRefs>false</createExternalRefs>
<defaultFileConcludedLicense>GPL-3.0-only</defaultFileConcludedLicense>
<defaultLicenseInformationInFile>GPL-3.0-only</defaultLicenseInformationInFile>
<defaultFileCopyright>Copyright (c) itsallcode.org</defaultFileCopyright>
</configuration>
</plugin>

Contributor:

Duplicated in parent pom. Is this really necessary as the root is only an aggregator pom without code?
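As an added example (not code from this PR or the OpenFastTrace project) that serves both the checksum suggestion in the first review comment and the license values in the plugin configuration above: it flags packages in a generated SPDX JSON document whose license or copyright fields drift from the configured `GPL-3.0-only` / `Copyright (c) itsallcode.org`, and emits the `sha256sum`-style line to attach beside the SBOM on a release. The embedded SBOM and its package names are constructed.

```python
"""Check an SPDX 2.x JSON SBOM against the license metadata configured for the
spdx-maven-plugin in this PR, and build the checksum line for the release asset.
Added example, not OpenFastTrace code; the embedded SBOM is constructed."""
import hashlib
import json

# Values mirrored from the plugin <configuration> shown in this PR.
EXPECTED_LICENSE = "GPL-3.0-only"
EXPECTED_COPYRIGHT = "Copyright (c) itsallcode.org"

# Constructed sample document with hypothetical package names; the real file
# is written to product/target/site/*.spdx.json by the build.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "openfasttrace-sample",
    "packages": [
        {"SPDXID": "SPDXRef-Package-product", "name": "openfasttrace",
         "licenseConcluded": "GPL-3.0-only", "licenseDeclared": "GPL-3.0-only",
         "copyrightText": "Copyright (c) itsallcode.org"},
        # One module whose metadata the plugin could not resolve: the symptom
        # the licenseOverwrites block in product/pom.xml is there to paper over.
        {"SPDXID": "SPDXRef-Package-core", "name": "openfasttrace-core",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "GPL-3.0-only",
         "copyrightText": "Copyright (c) itsallcode.org"},
    ],
}).encode()


def find_license_gaps(sbom_bytes, expected_license=EXPECTED_LICENSE,
                      expected_copyright=EXPECTED_COPYRIGHT):
    """Return names of packages whose concluded or declared license, or
    copyright text, differs from what the POM configuration promises."""
    doc = json.loads(sbom_bytes)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    gaps = []
    for pkg in doc.get("packages", []):
        if (pkg.get("licenseConcluded") != expected_license
                or pkg.get("licenseDeclared") != expected_license
                or pkg.get("copyrightText") != expected_copyright):
            gaps.append(pkg.get("name", pkg.get("SPDXID", "?")))
    return gaps


def sha256_line(sbom_bytes, filename):
    """Return a `sha256sum -c`-compatible line (hash, two spaces, file name)
    to ship beside the SBOM so release consumers can verify what they got."""
    return f"{hashlib.sha256(sbom_bytes).hexdigest()}  {filename}"
```

Run `find_license_gaps` against the real `*.spdx.json` after the build; a non-empty result means the override did not cover every module.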

Co-authored-by: Christoph Pirkl <4711730+kaklakariada@users.noreply.github.com>
Copilot AI left a comment

Pull request overview

This PR introduces initial SPDX SBOM generation for OpenFastTrace using the SPDX Maven Plugin, and updates module metadata/documentation to support publishing/consumption expectations around SBOMs and licensing.

Changes:

  • Add SPDX SBOM generation via org.spdx:spdx-maven-plugin (module + aggregation) and upload SBOM artifacts in CI.
  • Add/standardize Maven module <description> metadata and SPDX-aligned license metadata.
  • Update documentation/release notes and add SECURITY.md, alongside a version bump to 4.6.0.

Reviewed changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 7 comments.

Summary per file (file: description):
pom.xml Adds SPDX plugin configuration at the root (aggregation goal + basic SPDX metadata).
parent/pom.xml Bumps revision to 4.6.0, introduces SPDX metadata properties, updates license metadata, and adds SPDX plugin configuration for modules.
product/pom.xml Configures SPDX aggregation for the product build, including license overwrites for OFT modules.
.github/workflows/build.yml Generates and uploads an SPDX SBOM artifact as part of CI.
SECURITY.md Adds a security policy and SBOM disclosure statement.
doc/developer_guide.md Documents how to generate the SBOM locally (build/install then spdx:createSPDX).
doc/changes/changes_4.6.0.md Mentions SBOM availability in the 4.6.0 changelog summary/refactoring notes.
openfasttrace-mc-deployable-parent/pom.xml Adds a description for the Maven Central deployable parent POM.
api/pom.xml Adds module description metadata.
core/pom.xml Adds module description metadata.
testutil/pom.xml Adds module description metadata.
exporter/common/pom.xml Adds module description metadata.
exporter/specobject/pom.xml Adds module description metadata.
importer/lightweightmarkup/pom.xml Adds module description metadata.
importer/markdown/pom.xml Adds module description metadata.
importer/restructuredtext/pom.xml Adds module description metadata.
importer/specobject/pom.xml Adds module description metadata.
importer/tag/pom.xml Adds module description metadata.
importer/xmlparser/pom.xml Adds module description metadata.
importer/zip/pom.xml Adds module description metadata.
reporter/aspec/pom.xml Adds module description metadata.
reporter/html/pom.xml Adds module description metadata.
reporter/plaintext/pom.xml Adds module description metadata.

Comment thread parent/pom.xml
Comment on lines +544 to +554
<executions>
<execution>
<id>build-spdx</id>
<goals>
<goal>createSPDX</goal>
</goals>
<phase>
none
</phase>
</execution>
</executions>
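Review bot: the `<phase>` element in the `build-spdx` execution wraps `none` in line breaks; write it as `<phase>none</phase>` on one line so the value does not depend on the model reader trimming whitespace. Since the execution is deliberately unbound, a comment saying that `createSPDX` must be invoked explicitly (as the CI step and the developer guide in this PR do) would explain why an execution block exists at all.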
Comment thread parent/pom.xml
Comment on lines +565 to +567
<includeCompileScope>true</includeCompileScope>
<includeTestScope>false</includeTestScope>
<includeTransitiveDependencies>true</includeTransitiveDependencies>
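Review bot: `includeCompileScope`, `includeTestScope` and `includeTransitiveDependencies` are set here in parent/pom.xml, but the root pom.xml configuration earlier in this PR (lines +62 to +73) sets only `includeTestScope`; if both configurations stay, align the scope flags, or the aggregated document and the per-module documents will disagree about which dependencies are listed.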
Comment thread importer/tag/pom.xml
<modelVersion>4.0.0</modelVersion>
<artifactId>openfasttrace-importer-tag</artifactId>
<name>OpenFastTrace Tag Importer</name>
<description>Importer for OpenFastTrace specification items embedded source code marker tags</description>
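Review bot: the `<description>` reads "specification items embedded source code marker tags" and is missing a preposition; suggest "Importer for OpenFastTrace specification items embedded in source code as marker tags".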
Comment thread doc/developer_guide.md

## SBOM

The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin).
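Review bot: typo in the new SBOM section: "generates and [SPDX](https://spdx.dev/) SBOM" should read "generates an [SPDX](https://spdx.dev/) SBOM", and "The Project" should be lowercase "project".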
Comment thread doc/developer_guide.md
The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven repository first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM.


You can create the SBOM with the following sequence of Maven commands module:
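Review bot: the sentence "You can create the SBOM with the following sequence of Maven commands module:" has a stray trailing word "module". The paragraph also says downloads are avoided because "the latest ones are on the local machine", which only holds after the install step has run; say explicitly that an outdated local repository yields an SBOM with outdated module metadata, so readers do not skip the install.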
Comment thread SECURITY.md

## Software Bill of Materials (SBOM)

To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the GitHub releases starting from version 4.6.0. These files provide a comprehensive list of all components and dependencies used in the project.
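Review bot: "a comprehensive list of all components and dependencies used in the project" overstates what this PR produces; per the PR description the product JAR's only runtime dependency is the JRE, which is not in the distribution and therefore not in the SBOM, leaving the list of OFT modules. Say that the SBOM describes the contents of the product JAR, and once the release workflow attaches a checksum (as requested in review), tell readers to verify it before relying on the file.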
We moved some GitHub action permissions from workflow-level to job-level.
We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules.

And, we now create an SPDX SBOM. You can find the SBOM of the product JAR attached to all new GitHub releases.
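Review bot: the changelog says the SBOM is "attached to all new GitHub releases", but the workflow change in this PR uploads it only as a CI build artifact; the release-workflow step and checksum asked for in the first review comment should land before this wording ships, or the note should be softened until they do.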