From 28794f3cf5aac95f8e81e555b430edb2f22f658a Mon Sep 17 00:00:00 2001
From: Haroon Khel
Date: Wed, 4 Dec 2024 13:41:22 +0000
Subject: [PATCH 1/2] Generate XML SBOM
---
 sbin/build.sh | 94 ++++++++++++++++++++++-----------------------
 sbin/common/sbom.sh | 72 +++++++++++++++++-----------------
 2 files changed, 83 insertions(+), 83 deletions(-)
diff --git a/sbin/build.sh b/sbin/build.sh
index 46dded89e..1c7fe834c 100755
--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -969,41 +969,41 @@ generateSBoM() { sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.tar\.gz//") fi - local sbomJson="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})" - echo "OpenJDK SBOM will be ${sbomJson}." + local sbomXML="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})" + echo "OpenJDK SBOM will be ${sbomXML}." # Clean any old json - rm -f "${sbomJson}" + rm -f "${sbomXML}" local fullVer=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersion.txt") local fullVerOutput=$(cat "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/productVersionOutput.txt") # Create initial SBOM json - createSBOMFile "${javaHome}" "${classpath}" "${sbomJson}" + createSBOMFile "${javaHome}" "${classpath}" "${sbomXML}" # Set default SBOM metadata - addSBOMMetadata "${javaHome}" "${classpath}" "${sbomJson}" + addSBOMMetadata "${javaHome}" "${classpath}" "${sbomXML}" # Create component to metadata in SBOM - addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomJson}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components" + addSBOMMetadataComponent "${javaHome}" "${classpath}" "${sbomXML}" "Eclipse Temurin" "framework" "${fullVer}" "Eclipse Temurin components" # Below add property to metadata # Add OS full version (Kernel is covered in the first field) - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS version" "${BUILD_CONFIG[OS_FULL_VERSION]^}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS version" "${BUILD_CONFIG[OS_FULL_VERSION]^}" # TODO: Replace this "if" with its predecessor (commented out below) once # OS_ARCHITECTURE has been replaced by the new target architecture variable. # This is because OS_ARCHITECTURE is currently the build arch, not the target arch, # and that confuses things when cross-compiling an x64 mac build on arm mac. 
- # addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" + # addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" if [[ "${BUILD_CONFIG[TARGET_FILE_NAME]}" =~ .*_x64_.* ]]; then - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "x86_64" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS architecture" "x86_64" else - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}" fi # Set default SBOM formulation - addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" - addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" - addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" + addSBOMFormulation "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" + addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar SHAs" + addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar versions" # Below add build tools into metadata tools if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "linux" ]; then @@ -1030,7 +1030,7 @@ generateSBoM() { # Add FreeMarker 3rd party (openj9) local freemarker_version="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} 'metadata/dependency_version_freemarker.txt')" if [ -f "${freemarker_version}" ]; then - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeMarker" "$(cat ${freemarker_version})" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "FreeMarker" "$(cat ${freemarker_version})" fi # Add CycloneDX versions addCycloneDXVersions 
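Review bot: The two context comments in generateSBoM, `# Clean any old json` above the `rm -f "${sbomXML}"` line and `# Create initial SBOM json` above the `createSBOMFile` call, still describe the JSON output that this hunk replaces. I would reword them to `# Clean any old SBOM file` and `# Create initial SBOM xml` so they match the renamed variable. The `rm -f` only targets the current SBOM path, so once the file name changes (patch 2/2) an SBOM left under the old name by an earlier build in a reused workspace would presumably stay in the target directory; it is worth confirming nothing downstream publishes it. generateSBoM starts before and continues after this hunk.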
@@ -1039,10 +1039,10 @@ generateSBoM() { local buildimagesha=$(cat ${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/docker.txt) # ${BUILD_CONFIG[CONTAINER_COMMAND]^} always set to false cannot rely on it. if [ -n "${buildimagesha}" ] && [ "${buildimagesha}" != "N.A" ]; then - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "true" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "Docker image SHA1" "${buildimagesha}" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "Use Docker for build" "true" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "Docker image SHA1" "${buildimagesha}" else - addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "Use Docker for build" "false" + addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomXML}" "Use Docker for build" "false" fi checkingToolSummary 
@@ -1079,41 +1079,41 @@ generateSBoM() { local sha=$(sha256File "${archiveFile}") # Create JDK Component - addSBOMComponent "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component" + addSBOMComponent "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "${fullVer}" "${BUILD_CONFIG[BUILD_VARIANT]^} ${component} Component" # Add SHA256 hash for the component - addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "${sha}" + addSBOMComponentHash "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "${sha}" # Below add different properties to JDK component # Add target archive name as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Filename" "${archiveName}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Filename" "${archiveName}" # Add variant as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "JDK Variant" "${BUILD_CONFIG[BUILD_VARIANT]^}" # Add scmRef as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "SCM Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/scmref.txt" # Add OpenJDK source ref commit as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt" + addSBOMComponentPropertyFromFile 
"${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "OpenJDK Source Commit" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/openjdkSource.txt" # Add buildRef as JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Temurin Build Ref" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/buildSource.txt" # Add jenkins job ID as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Builder Job Reference" "${BUILD_URL:-N.A}" # Add jenkins builder (agent/machine name) as JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Builder Name" "${NODE_NAME:-N.A}" # Add build timestamp - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Build Timestamp" "${BUILD_CONFIG[BUILD_TIMESTAMP]}" # Add Tool Summary section from configure.txt - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Tools Summary" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Build Tools Summary" 
"${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/dependency_tool_sum.txt" # Add builtConfig JDK Component Property, load as Json string built_config=$(createConfigToJsonString) - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Config" "${built_config}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "Build Config" "${built_config}" # Add full_version_output JDK Component Property - addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "full_version_output" "${fullVerOutput}" + addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "full_version_output" "${fullVerOutput}" # Add makejdk_any_platform_args JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "makejdk_any_platform_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/config/makejdk-any-platform.args" # Add make_command_args JDK Component Property - addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt" + addSBOMComponentPropertyFromFile "${javaHome}" "${classpath}" "${sbomXML}" "${componentName}" "make_command_args" "${BUILD_CONFIG[WORKSPACE_DIR]}/${BUILD_CONFIG[TARGET_DIR]}/metadata/makeCommandArg.txt" done 
@@ -1158,11 +1158,11 @@ generateSBoM() { devkit_path=$(echo ${devkit_path} | sed 's,\./,,' | sed 's,//,/,') bootjdk_path=$(echo ${bootjdk_path} | sed 's,\./,,' | sed 's,//,/,') - bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomJson}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}" + bash "$SCRIPT_DIR/../tooling/strace_analysis.sh" "${straceOutputDir}" "${temurinBuildDir}" "${bootjdk_path}" "${classpath}" "${sbomXML}" "${buildOutputDir}" "${openjdkSrcDir}" "${javaHome}" "${toolchain_path}" fi # Print SBOM location - echo "CycloneDX SBOM has been created in ${sbomJson}" + echo "CycloneDX SBOM has been created in ${sbomXML}" } # Generate build tools info into dependency file @@ -1233,7 +1233,7 @@ addFreeTypeVersionInfo() { version="${ver_major}.${ver_minor}.${ver_patch}" fi - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "FreeType" "${version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "FreeType" "${version}" } # Determine and store CycloneDX SHAs that have been used to provide the SBOMs 
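Review bot: `tooling/strace_analysis.sh` now receives the XML SBOM path as its fifth argument, but that script is not part of this series. If it still hands the path to TemurinGenSBOM under the old `--jsonFile` option, the strace-derived dependency entries would not reach the SBOM, so the script should be checked and changed together with sbom.sh. A comment on the call such as `# 5th argument: path of the XML SBOM; keep strace_analysis.sh in step with the --xmlFile option in sbom.sh` would record the coupling. The enclosing `if` block opens above the hunk.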
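Review bot: `${sbomXML}` in addFreeTypeVersionInfo is not declared in the visible lines of that function; it appears to resolve through bash dynamic scoping to the `local sbomXML` of generateSBoM. Any helper this patch missed that still expands `${sbomJson}` would pass an empty file path to TemurinGenSBOM (or abort under `set -u`), so a `grep -rn sbomJson` over sbin/ and tooling/ is worth running before merge. The same applies to addCycloneDXVersions, addALSAVersion, addGLIBCforLinux, addGCC, addCompilerWindows, addCompilerMacOS and addBootJDK in the following hunks. A header comment such as `# Uses javaHome, classpath and sbomXML from the calling generateSBoM scope` on each helper would make the dependency explicit.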
@@ -1249,12 +1249,12 @@ addCycloneDXVersions() { else JarSha=$(sha256sum "$JAR" | cut -d' ' -f1) fi - addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}" + addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}" # Now the jar's SHA has been added, we add the version string. JarDepsFile="$(joinPath ${CYCLONEDB_DIR} dependency_data/dependency_data.properties)" JarVersionString=$(grep "${JarName}\.version=" "${JarDepsFile}" | cut -d'=' -f2) if [ -n "${JarVersionString}" ]; then - addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}" + addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomXML}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}" elif [ "${JarName}" != "temurin-gen-sbom" ]; then echo "ERROR: Cannot determine jar version from ${JarDepsFile} for SBOM creation dependency ${JarName}.jar." fi @@ -1295,7 +1295,7 @@ addALSAVersion() { fi echo "Adding ALSA version to SBOM: ${ALSA_VERSION}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "ALSA" "${ALSA_VERSION}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "ALSA" "${ALSA_VERSION}" fi } @@ -1354,7 +1354,7 @@ addGLIBCforLinux() { # Get musl build ldd version local MUSL_VERSION="$(ldd --version 2>&1 | grep "Version" | tr -s " " | cut -d" " -f2)" echo "Adding MUSL version to SBOM: ${MUSL_VERSION}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MUSL" "${MUSL_VERSION}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MUSL" "${MUSL_VERSION}" else # Get GLIBC from configured build spec.gmk sysroot and features.h definitions local GLIBC_MAJOR=$(getHeaderPropertyUsingCompiler "features.h" "#define[ ]+__GLIBC__") 
@@ -1362,7 +1362,7 @@ addGLIBCforLinux() { local GLIBC_VERSION="${GLIBC_MAJOR}.${GLIBC_MINOR}" echo "Adding GLIBC version to SBOM: ${GLIBC_VERSION}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GLIBC" "${GLIBC_VERSION}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "GLIBC" "${GLIBC_VERSION}" fi } @@ -1372,7 +1372,7 @@ addGCC() { local gcc_version="$(sed -n '/^Tools summary:$/,$p' "${inputConfigFile}" | tr -s " " | grep "C Compiler: Version" | cut -d" " -f5)" echo "Adding GCC version to SBOM: ${gcc_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "GCC" "${gcc_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "GCC" "${gcc_version}" } addCompilerWindows() { 
@@ -1392,13 +1392,13 @@ addCompilerWindows() { local msvs_cpp_version="$(grep -o -P '\* C\+\+ Compiler:\s+\K[^"]+' "${inputConfigFile}" | awk '{print $2}')" echo "Adding Windows Compiler versions to SBOM: ${msvs_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS Windows Compiler Version" "${msvs_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MSVS Windows Compiler Version" "${msvs_version}" echo "Adding Windows C Compiler version to SBOM: ${msvs_c_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C Compiler Version" "${msvs_c_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MSVS C Compiler Version" "${msvs_c_version}" echo "Adding Windows C++ Compiler version to SBOM: ${msvs_cpp_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MSVS C++ Compiler Version" "${msvs_cpp_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MSVS C++ Compiler Version" "${msvs_cpp_version}" echo "Adding Windows SDK version to SBOM: ${ucrt_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MS Windows SDK Version" "${ucrt_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MS Windows SDK Version" "${ucrt_version}" } addCompilerMacOS() { @@ -1408,7 +1408,7 @@ addCompilerMacOS() { local macx_version="$(grep ".* Toolchain:" "${inputConfigFile}" | awk -F ':' '{print $2}' | sed -e 's/^[ \t]*//')" echo "Adding MacOS compiler version to SBOM: ${macx_version}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "MacOS Compiler" "${macx_version}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "MacOS Compiler" "${macx_version}" } addBootJDK() { 
@@ -1423,7 +1423,7 @@ addBootJDK() { local bootjdk="$("${bootjava}" -XshowSettings 2>&1 | grep "java\.runtime\.version" | tr -s " " | cut -d" " -f4 | sed "s/\"//g")" echo "Adding BOOTJDK to SBOM: ${bootjdk}" - addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomJson}" "BOOTJDK" "${bootjdk}" + addSBOMMetadataTools "${javaHome}" "${classpath}" "${sbomXML}" "BOOTJDK" "${bootjdk}" } getGradleJavaHome() { diff --git a/sbin/common/sbom.sh b/sbin/common/sbom.sh index 7fd7869aa..5ae2024d5 100755 --- a/sbin/common/sbom.sh +++ b/sbin/common/sbom.sh 
@@ -12,36 +12,36 @@ # SPDX-License-Identifier: Apache-2.0 # ******************************************************************************** -# Create a default SBOM json file: sbomJson +# Create a default SBOM xml file: sbomXML createSBOMFile() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --createNewSBOM --jsonFile "${jsonFile}" + local xmlFile="${3}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --createNewSBOM --xmlFile "${xmlFile}" } signSBOMFile() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local privateKeyFile="${4}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinSignSBOM --signSBOM --jsonFile "${jsonFile}" --privateKeyFile "${privateKeyFile}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinSignSBOM --signSBOM --xmlFile "${xmlFile}" --privateKeyFile "${privateKeyFile}" } verifySBOMSignature() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local publicKeyFile="${4}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinSignSBOM --verifySBOMSignature --jsonFile "${jsonFile}" --publicKeyFile "${publicKeyFile}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinSignSBOM --verifySBOMSignature --xmlFile "${xmlFile}" --publicKeyFile "${publicKeyFile}" } -# Set basic SBOM metadata with timestamp, authors, manufacture to ${sbomJson} +# Set basic SBOM metadata with timestamp, authors, manufacture to ${sbomXML} addSBOMMetadata() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadata --jsonFile "${jsonFile}" + local xmlFile="${3}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadata --xmlFile "${xmlFile}" } # Ref: https://cyclonedx.org/docs/1.4/json/#metadata 
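Review bot: signSBOMFile and verifySBOMSignature now pass `--xmlFile` to `temurin.sbom.TemurinSignSBOM`, but the Java side is not touched by this series, and signing an XML document is a different operation from signing JSON. Unless TemurinSignSBOM already accepts `--xmlFile` and checks an XML signature, these helpers could fail or report a result that does not cover the file content, so a sign / modify / verify round trip on an XML SBOM should be run before the switch. Both functions end on the java call, so its exit status is what callers get and a non-zero status must be treated as fatal there. I would add header comments, e.g. `# Sign the XML SBOM ${3} with the private key file ${4}; returns the exit status of TemurinSignSBOM`, with the matching line for verifySBOMSignature.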
@@ -49,31 +49,31 @@ addSBOMMetadata() { addSBOMMetadataProperty() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local name="${4}" local value="${5}" if [ -z "${value}" ]; then value="N.A" fi - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataProp --jsonFile "${jsonFile}" --name "${name}" --value "${value}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataProp --xmlFile "${xmlFile}" --name "${name}" --value "${value}" } # Set basic SBoM formulation addSBOMFormulation() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local formulaName="${4}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulation --formulaName "${formulaName}" --jsonFile "${jsonFile}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulation --formulaName "${formulaName}" --xmlFile "${xmlFile}" } addSBOMFormulationComp() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local formulaName="${4}" local name="${5}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationComp --jsonFile "${jsonFile}" --formulaName "${formulaName}" --name "${name}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationComp --xmlFile "${xmlFile}" --formulaName "${formulaName}" --name "${name}" } # Ref: https://cyclonedx.org/docs/1.4/json/#formulation 
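Review bot: The trailing context comment `# Ref: https://cyclonedx.org/docs/1.4/json/#formulation`, like the other `# Ref:` lines visible in the neighbouring sbom.sh hunks, still links to the JSON reference although every helper now writes through `--xmlFile`. Pointing these at the XML reference, e.g. `# Ref: https://cyclonedx.org/docs/1.4/xml/`, keeps them usable for checking element names in the generated file. The comment lines directly above addSBOMMetadataProperty lie outside this hunk and are not visible here.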
@@ -81,12 +81,12 @@ addSBOMFormulationComp() { addSBOMFormulationComponentProperty() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local formulaName="${4}" local compName="${5}" local name="${6}" local value="${7}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationCompProp --jsonFile "${jsonFile}" --formulaName "${formulaName}" --compName "${compName}" --name "${name}" --value "${value}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationCompProp --xmlFile "${xmlFile}" --formulaName "${formulaName}" --compName "${compName}" --name "${name}" --value "${value}" } @@ -95,7 +95,7 @@ addSBOMFormulationComponentProperty() { addSBOMMetadataPropertyFromFile() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local name="${4}" local propFile="${5}" local value="N.A" @@ -104,7 +104,7 @@ addSBOMMetadataPropertyFromFile() { value=$(cat "${propFile}") fi fi - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataProp --jsonFile "${jsonFile}" --name "${name}" --value "${value}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataProp --xmlFile "${xmlFile}" --name "${name}" --value "${value}" } # Ref: https://cyclonedx.org/docs/1.4/json/#metadata_tools 
@@ -112,26 +112,26 @@ addSBOMMetadataPropertyFromFile() { addSBOMMetadataTools() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local tool="${4}" local version="${5}" if [ -z "${version}" ]; then version="N.A" fi - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataTools --jsonFile "${jsonFile}" --tool "${tool}" --version "${version}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataTools --xmlFile "${xmlFile}" --tool "${tool}" --version "${version}" } # Ref: https://cyclonedx.org/docs/1.4/json/#metadata_component -# Add JDK as component into metadata, this is not a list, i.e cannot be called multiple times for the same ${sbomJson} +# Add JDK as component into metadata, this is not a list, i.e cannot be called multiple times for the same ${sbomXML} addSBOMMetadataComponent() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local name="${4}" local type="${5}" local version="${6}" local description="${7}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataComponent --jsonFile "${jsonFile}" --name "${name}" --type "${type}" --version "${version}" --description "${description}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addMetadataComponent --xmlFile "${xmlFile}" --name "${name}" --type "${type}" --version "${version}" --description "${description}" } # Ref: https://cyclonedx.org/docs/1.4/json/#components 
@@ -139,11 +139,11 @@ addSBOMMetadataComponent() { addSBOMComponent(){ local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local compName="${4}" local version="${5}" local description="${6}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponent --jsonFile "${jsonFile}" --compName "${compName}" --version "${version}" --description "${description}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponent --xmlFile "${xmlFile}" --compName "${compName}" --version "${version}" --description "${description}" } # Ref: https://cyclonedx.org/docs/1.4/json/#components @@ -152,18 +152,18 @@ addSBOMComponent(){ addSBOMComponentFromFile() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local compName="${4}" local description="${5}" local name="${6}" local propFile="${7}" # always create component in sbom - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponent --jsonFile "${jsonFile}" --compName "${compName}" --description "${description}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponent --xmlFile "${xmlFile}" --compName "${compName}" --description "${description}" local value="N.A" # default set to "N.A" as value for variant does not have $propFile generated in prepareWorkspace.sh if [ -e "${propFile}" ]; then value=$(cat "${propFile}") fi - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --jsonFile "${jsonFile}" --compName "${compName}" --name "${name}" --value "${value}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --xmlFile "${xmlFile}" --compName "${compName}" --name "${name}" --value "${value}" } # Ref: https://cyclonedx.org/docs/1.4/json/#components_items_hashes 
@@ -171,10 +171,10 @@ addSBOMComponentFromFile() { addSBOMComponentHash() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local compName="${4}" local hash="${5}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentHash --jsonFile "${jsonFile}" --compName "${compName}" --hash "${hash}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentHash --xmlFile "${xmlFile}" --compName "${compName}" --hash "${hash}" } # Ref: https://cyclonedx.org/docs/1.4/json/#components_items_properties @@ -182,11 +182,11 @@ addSBOMComponentHash() { addSBOMComponentProperty() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local compName="${4}" local name="${5}" local value="${6}" - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --jsonFile "${jsonFile}" --compName "${compName}" --name "${name}" --value "${value}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --xmlFile "${xmlFile}" --compName "${compName}" --name "${name}" --value "${value}" } # Ref: https://cyclonedx.org/docs/1.4/json/#components_items_properties @@ -194,14 +194,14 @@ addSBOMComponentProperty() { addSBOMComponentPropertyFromFile() { local javaHome="${1}" local classpath="${2}" - local jsonFile="${3}" + local xmlFile="${3}" local compName="${4}" local name="${5}" local propFile="${6}" local value="N.A" if [ -e "${propFile}" ]; then value=$(cat "${propFile}") - "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --jsonFile "${jsonFile}" --compName "${compName}" --name "${name}" --value "${value}" + "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addComponentProp --xmlFile "${xmlFile}" --compName "${compName}" --name "${name}" --value "${value}" fi } From 09a7b84737f3d49e26c66698f21bedf030673df3 Mon Sep 17 00:00:00 2001 
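Review bot: In addSBOMComponentPropertyFromFile the `--addComponentProp` call sits inside the `if [ -e "${propFile}" ]` block, so the `local value="N.A"` default is never used and a missing metadata file (scmref.txt, buildSource.txt, makeCommandArg.txt and the others passed from build.sh) leaves no trace in the SBOM. addSBOMComponentFromFile and addSBOMMetadataPropertyFromFile record `N.A` in that case, which makes a missing provenance input visible to anyone auditing the SBOM. If the omission is not intended, close the test before the call, `if [ -e "${propFile}" ]; then value=$(cat "${propFile}"); fi`, and run the java line unconditionally. The function header is only in the hunk's `@@` context.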
From: Haroon Khel
Date: Thu, 5 Dec 2024 13:21:17 +0000
Subject: [PATCH 2/2] Change .json filetype to .xml
---
 sbin/build.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sbin/build.sh b/sbin/build.sh
index 1c7fe834c..194967533 100755
--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -964,9 +964,9 @@ generateSBoM() {
 local sbomTargetName=$(getTargetFileNameForComponent "sbom")
 # Remove the tarball / zip extension from the name to be used for the SBOM
 if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then
- sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.zip//")
+ sbomTargetName=$(echo "${sbomTargetName}.xml" | sed "s/\.zip//")
 else
- sbomTargetName=$(echo "${sbomTargetName}.json" | sed "s/\.tar\.gz//")
+ sbomTargetName=$(echo "${sbomTargetName}.xml" | sed "s/\.tar\.gz//")
 fi
 local sbomXML="$(joinPathOS ${BUILD_CONFIG[WORKSPACE_DIR]} ${BUILD_CONFIG[TARGET_DIR]} ${sbomTargetName})"
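Review bot: The suffix handling appends `.xml` first and then deletes the first `.zip` or `.tar.gz` found anywhere in the string, because the sed patterns are unanchored and run on the already extended name. Parameter expansion only touches the end of the name and needs no subshell: `sbomTargetName="${sbomTargetName%.zip}.xml"` and `sbomTargetName="${sbomTargetName%.tar.gz}.xml"`. Anything downstream that locates the SBOM by a `.json` suffix (signing, publishing or verification jobs) would need the same rename, which this series does not show. generateSBoM continues after this hunk.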