refactoring/527_spdx-sbom#542
Conversation
| - name: Upload SPDX SBOM | ||
| uses: actions/upload-artifact@v7 | ||
| if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} | ||
| with: | ||
| name: openfasttrace-spdx | ||
| path: product/target/site/*.spdx.json | ||
| if-no-files-found: error |
There was a problem hiding this comment.
👍
Also generate this in the release workflow, calculate checksum and attach it with the checksum to the GitHub release (see shell script).
| - name: Generate SPDX SBOM | ||
| if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} | ||
| run: | | ||
| mvn --batch-mode -pl product spdx:createSPDX \ | ||
| -Dossindex.skip=true \ | ||
| -Djava.version=${{ matrix.java }} |
There was a problem hiding this comment.
Would it be possible to run the plugin with mvn install? Then you don't need a separate build step.
| <!-- The following section is unfortunately necessary because the Maven SPDX plugin has problems | ||
| with OFT's multi-module project | ||
| --> | ||
| <licenseOverwrites> |
There was a problem hiding this comment.
We really need to find a workaround for this ;)
| <configuration> | ||
| <sbomType>build</sbomType> | ||
| <includeTestScope>false</includeTestScope> | ||
| <licenseDeclared>GPL-3.0-only</licenseDeclared> | ||
| <licenseConcluded>GPL-3.0-only</licenseConcluded> | ||
| <copyrightText>Copyright (c) itsallcode.org</copyrightText> | ||
| <createExternalRefs>false</createExternalRefs> | ||
| <defaultFileConcludedLicense>GPL-3.0-only</defaultFileConcludedLicense> | ||
| <defaultLicenseInformationInFile>GPL-3.0-only</defaultLicenseInformationInFile> | ||
| <defaultFileCopyright>Copyright (c) itsallcode.org</defaultFileCopyright> | ||
| </configuration> | ||
| </plugin> |
There was a problem hiding this comment.
Duplicated in parent pom. Is this really necessary as the root is only an aggregator pom without code?
Co-authored-by: Christoph Pirkl <4711730+kaklakariada@users.noreply.github.com>
|
There was a problem hiding this comment.
Pull request overview
This PR introduces initial SPDX SBOM generation for OpenFastTrace using the SPDX Maven Plugin, and updates module metadata/documentation to support publishing/consumption expectations around SBOMs and licensing.
Changes:
- Add SPDX SBOM generation via
org.spdx:spdx-maven-plugin(module + aggregation) and upload SBOM artifacts in CI. - Add/standardize Maven module
<description>metadata and SPDX-aligned license metadata. - Update documentation/release notes and add
SECURITY.md, alongside a version bump to4.6.0.
Reviewed changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
pom.xml |
Adds SPDX plugin configuration at the root (aggregation goal + basic SPDX metadata). |
parent/pom.xml |
Bumps revision to 4.6.0, introduces SPDX metadata properties, updates license metadata, and adds SPDX plugin configuration for modules. |
product/pom.xml |
Configures SPDX aggregation for the product build, including license overwrites for OFT modules. |
.github/workflows/build.yml |
Generates and uploads an SPDX SBOM artifact as part of CI. |
SECURITY.md |
Adds a security policy and SBOM disclosure statement. |
doc/developer_guide.md |
Documents how to generate the SBOM locally (build/install then spdx:createSPDX). |
doc/changes/changes_4.6.0.md |
Mentions SBOM availability in the 4.6.0 changelog summary/refactoring notes. |
openfasttrace-mc-deployable-parent/pom.xml |
Adds a description for the Maven Central deployable parent POM. |
api/pom.xml |
Adds module description metadata. |
core/pom.xml |
Adds module description metadata. |
testutil/pom.xml |
Adds module description metadata. |
exporter/common/pom.xml |
Adds module description metadata. |
exporter/specobject/pom.xml |
Adds module description metadata. |
importer/lightweightmarkup/pom.xml |
Adds module description metadata. |
importer/markdown/pom.xml |
Adds module description metadata. |
importer/restructuredtext/pom.xml |
Adds module description metadata. |
importer/specobject/pom.xml |
Adds module description metadata. |
importer/tag/pom.xml |
Adds module description metadata. |
importer/xmlparser/pom.xml |
Adds module description metadata. |
importer/zip/pom.xml |
Adds module description metadata. |
reporter/aspec/pom.xml |
Adds module description metadata. |
reporter/html/pom.xml |
Adds module description metadata. |
reporter/plaintext/pom.xml |
Adds module description metadata. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| <executions> | ||
| <execution> | ||
| <id>build-spdx</id> | ||
| <goals> | ||
| <goal>createSPDX</goal> | ||
| </goals> | ||
| <phase> | ||
| none | ||
| </phase> | ||
| </execution> | ||
| </executions> |
|
|
||
| ## Software Bill of Materials (SBOM) | ||
|
|
||
| To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the GitHub releases starting from version 4.6.0. These files provide a comprehensive list of all components and dependencies used in the project. |
| We moved some GitHub action permissions from workflow-level to job-level. | ||
| We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules. | ||
|
|
||
| And, we now create an SPDX SBOM. You can find the SBOM of the product JAR attached to all new GitHub releases. |



This is our first shot at creating an SBOM. OFT's SBOM is not very thrilling, since OFT has only a single runtime dependency (the JRE) and that is not included in the distribution JAR because it is on the user's machine.
That leaves only a list of internal OFT packages in the SBOM, which all have the same license: GPL 3.0.
Closes #527.