Merge branch 'master' into solarisfixes

.github/linters/.gitleaks.toml

@@ -0,0 +1,5 @@
+title = "gitleaks config"
+[allowlist]
+files = [
+    "cyclonedx-lib/dependency_data/dependency_data.properties"
+]

.github/linters/suppressed-java.xml

@@ -28,4 +28,5 @@
     <suppress files="." checks="LineLength" />
     <suppress files="." checks="Header" /> <!-- Disabled as we don't use headers in our project for the test files -->
     <suppress files="." checks="FileTabCharacter" /> <!-- Disabled as it generally doesn't matter if tabs are disabled or not -->
-</suppressions>
+    <suppress files="." checks="ParameterNumber" />
+</suppressions>

.github/workflows/build.yml

@@ -35,10 +35,6 @@ jobs:
   build_linux:
     name: Linux
     runs-on: ubuntu-latest
-    env:
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: 'true'
-    container:
-      image: ${{ matrix.image }}
     strategy:
       fail-fast: false
       matrix:
@@ -80,24 +76,23 @@ jobs:
             variant: bisheng
             image: adoptopenjdk/centos7_build_image
     steps:
-    # pinned at v3 to as Node.js 20.x is not supported on Centos 7
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/checkout@v4
 
-    - name: Build Linux
-      run: ./build-farm/make-adopt-build-farm.sh
-      env:
-        JAVA_TO_BUILD: ${{ matrix.version }}
-        ARCHITECTURE: x64
-        VARIANT: ${{ matrix.variant }}
-        TARGET_OS: ${{ matrix.os }}
-        FILENAME: OpenJDK.tar.gz
-        # Don't set the OS as we use both linux and alpine-linux
-        PLATFORM_CONFIG_LOCATION: adoptium/temurin-build/master/build-farm/platform-specific-configurations
-        BUILD_ARGS: --create-sbom
-        CONFIGURE_ARGS: --with-native-debug-symbols=none
-
-    # pinned at v3 to as Node.js 20.x is not supported on Centos 7
-    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+    - name: Build Linux within container image "${{ matrix.image }}"
+      run: |
+          docker run --rm -w /home/jenkins -v "$PWD":"/home/jenkins" \
+                      -e "JAVA_TO_BUILD=${{ matrix.version }}" \
+                      -e "ARCHITECTURE=x64" \
+                      -e "VARIANT=${{ matrix.variant }}" \
+                      -e "TARGET_OS=${{ matrix.os }}" \
+                      -e "FILENAME=OpenJDK.tar.gz" \
+                      -e "PLATFORM_CONFIG_LOCATION=adoptium/temurin-build/master/build-farm/platform-specific-configurations" \
+                      -e "BUILD_ARGS=--create-sbom" \
+                      -e "CONFIGURE_ARGS=--with-native-debug-symbols=none" \
+                      "${{ matrix.image }}" \
+                      ./build-farm/make-adopt-build-farm.sh
+
+    - uses: actions/upload-artifact@v4
       name: Collect and Archive Artifacts
       with:
         name: ${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
@@ -110,17 +105,33 @@ jobs:
     - name: Set root of jdk image dir
       run: |
         imageroot=$(find "${HOME}/JDK" -name release -type f)
-        echo "TEST_JDK_HOME=$(dirname "${imageroot}")" >> "$GITHUB_ENV"
-    - name: Smoke test
-      uses: adoptium/run-aqa@6bacb4e732ad546eda1b09665b9067cdc87651f4 # v2
+        # TEST_JDK_HOME needs to be mapped to the docker container /home/jenkins mapping
+        echo "TEST_JDK_HOME=$(dirname "${imageroot}")" | sed "s,${HOME},/home/jenkins," >> "$GITHUB_ENV"
+
+    - name: Checkout aqa-tests repo
+      uses: actions/checkout@v4
       with:
-        build_list: 'functional/buildAndPackage'
-        target: '_extended.functional'
-        vendor_testRepos: "${{ github.event.pull_request.head.repo.html_url }}.git"
-        vendor_testBranches: "${{ github.head_ref }}"
-        vendor_testDirs: "/test/functional"
-    # pinned at v3 to as Node.js 20.x is not supported on Centos 7
-    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        repository: adoptium/aqa-tests
+        path: aqa-tests
+    - name: Run Smoke test within container image "${{ matrix.image }}"
+      env:
+        VENDOR_REPOS: ${{ github.event.pull_request.head.repo.html_url }}.git
+        VENDOR_BRANCH: ${{ github.head_ref }}
+      run: |
+        WORK_DIR="${PWD//${HOME}//home/jenkins}"
+        docker run --rm -w /home/jenkins -v "$HOME":"/home/jenkins" \
+            -e "TEST_JDK_HOME=${TEST_JDK_HOME}" \
+            -e "BUILD_LIST=functional/buildAndPackage" \
+            "${{ matrix.image }}" \
+            sh -c "cd ${WORK_DIR}/aqa-tests && \
+             ./get.sh --vendor_repos ${VENDOR_REPOS} \
+                      --vendor_branches ${VENDOR_BRANCH} \
+                      --vendor_dirs /test/functional && \
+             cd TKG && \
+             make compile && \
+             make _extended.functional"
+        
+    - uses: actions/upload-artifact@v4
       name: Collect and Archive SmokeTest Results
       if: failure()
       with:

.github/workflows/ca-cert-updater.yml

@@ -35,7 +35,7 @@ jobs:
         working-directory: ./security
         run: "./mk-ca-bundle.pl"
 
-      - uses: gr2m/create-or-update-pull-request-action@488876a65a2ca38b7eb05e9086166337087f5323 # v1.10.0
+      - uses: gr2m/create-or-update-pull-request-action@b65137ca591da0b9f43bad7b24df13050ea45d1b # v1.10.1
         env:
           GITHUB_TOKEN: ${{ secrets.ADOPTIUM_TEMURIN_BOT_TOKEN }}
         with:

.github/workflows/codeql.yml

@@ -58,7 +58,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
+        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
+        uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
+        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/ossf-scorecard.yml

@@ -46,6 +46,6 @@ jobs:
         name: SARIF file
         path: results.sarif
         retention-days: 5
-    - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v2.13.4
+    - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v2.13.4
       with:
         sarif_file: results.sarif

.github/workflows/testsbom.yml → .github/workflows/testcyclonedx.yml

@@ -1,5 +1,5 @@
 # ********************************************************************************
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) with this work for additional
 # information regarding copyright ownership.
@@ -12,7 +12,7 @@
 # ********************************************************************************
 
 ---
-name: TestSBOM
+name: TestCycloneDX
 
 on:
   pull_request:
@@ -30,30 +30,49 @@ permissions:
   contents: read
 
 jobs:
-  test_sbom_gen:
-    name: gen_sbom
+  test_cyclonedx_gen:
+    name: gen_cyclonedx
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      # Build with jdk8 to ensure TemurinGenSBOM meets min compatibility
+      # Build with jdk8 to ensure TemurinGen* meets min compatibility
       - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         id: setup-java
         with:
           java-version: 8
           distribution: 'temurin'
 
-      - name: Build TemurinGenSBOM.java
+      - name: Build TemurinGenSBOM.java and TemurinGenCDXA.java
         run: |
           ant -noinput -buildfile cyclonedx-lib/build.xml clean
           ant -noinput -buildfile cyclonedx-lib/build.xml build
 
       - name: Run TemurinGenSBOM Unit test
         run: ant -noinput -buildfile cyclonedx-lib/build.xml run
 
+      - name: Run TemurinGenCDXA Unit test
+        run: ant -noinput -buildfile cyclonedx-lib/build.xml runCDXA
+
+      - name: Validate generated SBOM and CDXA documents using cyclonedx-cli validate
+        run: |
+          curl -L -O https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64
+          chmod +x cyclonedx-linux-x64
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.xml --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.xml --fail-on-errors --input-version v1_6
+
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         name: Collect and Archive TemurinGenSBOM Artifacts
         with:
           name: testSBOM
-          path: cyclonedx-lib/build/testSBOM.json
+          path: cyclonedx-lib/build/testSBOM.*
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        name: Collect and Archive TemurinGenCDXA Artifacts
+        with:
+          name: testCDXA
+          path: cyclonedx-lib/build/testCDXA.*
+

RELEASING.md

@@ -149,7 +149,7 @@ flowchart TD
 
 </details>
 
-Disable nightly testing so the release builds aren't delayed by any nightly test runs (set `enableTests : false` in [defaults.json](https://github.com/adoptium/ci-jenkins-pipelines/blob/master/pipelines/defaults.json)). Ensure the build pipeline generator job runs successfully (<https://ci.adoptium.net/job/build-scripts/job/utils/job/build-pipeline-generator/>), and the flag is disabled by bringing up the Build pipeline job and check the  `enableTests` checkbox is unticked.
+Scheduled pipeline Testing is automatically disabled from the Saturday prior to "release Tuesday", to the Sunday after, see: https://github.com/adoptium/ci-jenkins-pipelines/blob/5bd79eb1d95a033c4ee364a8f9fcc270ad653178/pipelines/build/common/trigger_beta_build.groovy#L51
 
 Add a banner to the website to indicate that the releases are coming in the near future ([Example Changes](https://github.com/adoptium/adoptium.net/blob/main/src/components/Banner.tsx)).
 

SmokeTesting.md

@@ -7,8 +7,9 @@ These are the general steps to execute the Smoke Tests found in[/test/functional
 1. export TEST_JDK_HOME=/someLocation // set test JDK home. On windows, the windows path format is expected. (i.e., TEST_JDK_HOME=C:\someLocation )
 1. git clone [https://github.com/adoptium/aqa-tests.git](https://github.com/adoptium/aqa-tests) to /testLocation
 1. cd aqa-tests
-1. ./get.sh
+1. ./get.sh --vendor_repos https://github.com/adoptium/temurin-build --vendor_branches master --vendor_dirs /test/functional
+1. ( When running get.sh ensure the vendor parameters are passed correctly, the above example shows how to run the smoke tests contained within the temurin-build repository )
 1. cd TKG
-1. Export environment variables suitable for the SDK under test and for the test materials being used (i.e., export BUILD_LIST=functional/buildAndPackage, VENDOR_TEST_REPOS=https://github.com/adoptium/temurin-build, VENDOR_TEST_BRANCHES=master, VENDOR_TEST_DIRS=/test/functional )
+1. Export environment variables suitable for the SDK under test and for the test materials being used (i.e., export BUILD_LIST=functional/buildAndPackage, this value details which test material that should be compiled.
 1. make compile // fetches test material and compiles it, based on build.xml files in the test directories
 1. make _extended.functional // executes the test target (can be test group, level, level.group or specific test). i.e., openjdk (all tests in openjdk group), sanity.functional (all functional tests labelled at sanity level), or in the case of smoke tests which are all tagged to belong to level=extended and group=functional, we use `_extended.functional` and because we have limited BUILD_LIST to the directory where the smoke test material lives, we will only run tests from that directory tagged as extended.functional.