generate sbom as part of release build and upload it to maven central

Signed-off-by: studix <[email protected]>

Author: studix

.github/workflows/release.yaml

@@ -37,6 +37,9 @@ jobs:
       - name: Build
         run: ./gradlew build reckonTagPush -Preckon.stage=final -Preckon.scope=${{ github.event.inputs.releaseType }} --stacktrace
 
+      - name: Generate SBOM
+        run: ./gradlew --init-script init.gradle cyclonedxBom
+
       - name: Release
         run: ./gradlew publish --no-configuration-cache
         env:

datalift-commandline/build.gradle

@@ -48,6 +48,10 @@ mavenPublishing {
             classifier = "bin"
             extension = "tar.gz"
           }
+          artifact(file("$buildDir/reports/bom.json")) {
+            classifier = "sbom"
+            extension = "json"
+          }
         }
       }
     }

datalift-core/build.gradle

@@ -54,6 +54,19 @@ mavenPublishing {
       developerConnection = "scm:git:ssh://[email protected]/BisonSchweizAG/commercetools-datalift.git"
     }
   }
+
+  afterEvaluate {
+    publishing {
+      publications {
+        maven(MavenPublication) {
+          artifact(file("$buildDir/reports/bom.json")) {
+            classifier = "sbom"
+            extension = "json"
+          }
+        }
+      }
+    }
+  }
 }
 
 test {

init.gradle

@@ -0,0 +1,28 @@
+import org.cyclonedx.model.*;
+
+initscript {
+  repositories {
+    maven {
+      url "https://plugins.gradle.org/m2/"
+    }
+  }
+  dependencies {
+    classpath "org.cyclonedx:cyclonedx-gradle-plugin:2.2.0"
+  }
+}
+
+allprojects {
+  apply plugin: org.cyclonedx.gradle.CycloneDxPlugin
+  cyclonedxBom {
+    includeConfigs = ["runtimeClasspath"]
+    // declaration of the Object from OrganizationalContact
+    OrganizationalContact organizationalContact = new OrganizationalContact()
+
+    // passing Data to the plugin
+    organizationalEntity { oe ->
+      oe.name = 'Bison Schweiz AG'
+      oe.url = ['www.bison-group.com']
+      oe.addContact(organizationalContact)
+    }
+  }
+}