From 703bdc2fe789264b7b4410431845dfe16c9d8b92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Volkan=20Yaz=C4=B1c=C4=B1?= <volkan@yazi.ci>
Date: Fri, 20 Oct 2023 15:57:05 +0200
Subject: [PATCH] Update `logging-parent` to version `10.2.0` and implement
 SBOM (apache/logging-log4j2#1707)

---
 pom.xml                                       | 28 ++++------------
 src/changelog/.0.x.x/add-sbom.xml             | 24 ++++++++++++++
 src/changelog/.0.x.x/add-website.xml          |  2 +-
 .../.0.x.x/logging-parent-update.xml          |  4 +--
 .../.0.x.x/update_org_ow2_asm_asm_bom.xml     |  2 +-
 src/changelog/0.1.0/.release.xml              |  2 +-
 ...rovide_Maven_plugin_to_inline_location.xml |  2 +-
 ...2-673_Maven_Shade_resource_transformer.xml |  2 +-
 src/site/_release-notes/_0.x.x.adoc           |  3 +-
 src/site/index.adoc                           | 32 +++++++++++++++++++
 10 files changed, 72 insertions(+), 29 deletions(-)
 create mode 100644 src/changelog/.0.x.x/add-sbom.xml

diff --git a/pom.xml b/pom.xml
index b09be1b..73d0ac7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -15,7 +15,7 @@
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" child.project.url.inherit.append.path="false" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
   <!-- ██     ██  █████  ██████  ███    ██ ██ ███    ██  ██████  ██
        ██     ██ ██   ██ ██   ██ ████   ██ ██ ████   ██ ██       ██
@@ -31,7 +31,7 @@
   <parent>
     <groupId>org.apache.logging</groupId>
     <artifactId>logging-parent</artifactId>
-    <version>10.1.1</version>
+    <version>10.2.0</version>
   </parent>
 
   <groupId>org.apache.logging.log4j</groupId>
@@ -79,7 +79,7 @@
 
   </modules>
 
-  <scm>
+  <scm child.scm.connection.inherit.append.path="false" child.scm.developerConnection.inherit.append.path="false" child.scm.url.inherit.append.path="false">
     <connection>scm:git:git@github.com:apache/logging-log4j-transform.git</connection>
     <developerConnection>scm:git:git@github.com:apache/logging-log4j-transform.git</developerConnection>
     <tag>HEAD</tag>
@@ -96,6 +96,10 @@
     <url>https://github.com/apache/logging-log4j-transform/actions</url>
   </ciManagement>
 
+  <distributionManagement>
+    <downloadUrl>https://logging.apache.org/log4j/transform/latest/#distribution</downloadUrl>
+  </distributionManagement>
+
   <properties>
 
     <!-- project version -->
@@ -149,24 +153,6 @@
             </goals>
             <phase>process-resources</phase>
             <inherited>false</inherited>
-            <configuration>
-              <pomElements>
-                <!-- Keep the `parent`!
-
-                     This is necessary, since...
-                     1. `-parent` depends on `-bom`
-                     2. `-bom` depends on `logging-parent`
-                     3. `logging-parent` contains `dependencyManagement`, etc. that are used by `-maven-plugin` et al.
-                     4. Dependencies of `-maven-plugin` et al. is resolved *at runtime*.
-                     5. Though at runtime, the deployed `-bom` is used, which is flattened and hence doesn't have a parent!
-                     6. Hence, at runtime, all `logging-parent` logic is lost.
-                     7. To avoid this, we override the `flatten-bom` configuration to retain the parent.
-
-                     This should ideally be fixed in the `flatten-bom` configuration provided by `logging-parent`.
-                     You can remove `<parent>keep`, if https://github.com/apache/logging-parent/issues/37 is resolved. -->
-                <parent>keep</parent>
-              </pomElements>
-            </configuration>
           </execution>
         </executions>
       </plugin>
diff --git a/src/changelog/.0.x.x/add-sbom.xml b/src/changelog/.0.x.x/add-sbom.xml
new file mode 100644
index 0000000..3a9235e
--- /dev/null
+++ b/src/changelog/.0.x.x/add-sbom.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns="http://logging.apache.org/log4j/changelog"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+       type="added">
+  <author id="github:vy"/>
+  <description format="asciidoc">Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`</description>
+</entry>
diff --git a/src/changelog/.0.x.x/add-website.xml b/src/changelog/.0.x.x/add-website.xml
index 1de2aa9..591b561 100644
--- a/src/changelog/.0.x.x/add-website.xml
+++ b/src/changelog/.0.x.x/add-website.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://logging.apache.org/log4j/changelog"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <author id="github:vy"/>
   <description format="asciidoc">Started publishing https://logging.apache.org/log4j/transform[the project website]</description>
diff --git a/src/changelog/.0.x.x/logging-parent-update.xml b/src/changelog/.0.x.x/logging-parent-update.xml
index 26fb730..82437f5 100644
--- a/src/changelog/.0.x.x/logging-parent-update.xml
+++ b/src/changelog/.0.x.x/logging-parent-update.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://logging.apache.org/log4j/changelog"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <author id="github:ppkarwasz"/>
   <author id="github:vy"/>
-  <description format="asciidoc">Migrated to `logging-parent` 10.1.1 and adopted its CI and `pom.xml` infrastructure</description>
+  <description format="asciidoc">Migrated `logging-parent` to version `10.2.0` and adopted its CI and `pom.xml` infrastructure</description>
 </entry>
diff --git a/src/changelog/.0.x.x/update_org_ow2_asm_asm_bom.xml b/src/changelog/.0.x.x/update_org_ow2_asm_asm_bom.xml
index 5ac15cb..8fa5e2d 100644
--- a/src/changelog/.0.x.x/update_org_ow2_asm_asm_bom.xml
+++ b/src/changelog/.0.x.x/update_org_ow2_asm_asm_bom.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://logging.apache.org/log4j/changelog"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <author id="github:dependabot"/>
   <description format="asciidoc">Update `org.ow2.asm:asm-bom` to version `9.6`</description>
diff --git a/src/changelog/0.1.0/.release.xml b/src/changelog/0.1.0/.release.xml
index f51cb70..d082eec 100644
--- a/src/changelog/0.1.0/.release.xml
+++ b/src/changelog/0.1.0/.release.xml
@@ -17,5 +17,5 @@
   -->
 <release xmlns="http://logging.apache.org/log4j/changelog"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
          date="2023-05-05" version="0.1.0"/>
diff --git a/src/changelog/0.1.0/LOG4J2-3638_Provide_Maven_plugin_to_inline_location.xml b/src/changelog/0.1.0/LOG4J2-3638_Provide_Maven_plugin_to_inline_location.xml
index 6a3986a..6c67752 100644
--- a/src/changelog/0.1.0/LOG4J2-3638_Provide_Maven_plugin_to_inline_location.xml
+++ b/src/changelog/0.1.0/LOG4J2-3638_Provide_Maven_plugin_to_inline_location.xml
@@ -17,7 +17,7 @@
   -->
 <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://logging.apache.org/log4j/changelog"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="LOG4J2-3638" link="https://issues.apache.org/jira/browse/LOG4J2-3638"/>
   <author id="github:ppkarwasz"/>
diff --git a/src/changelog/0.1.0/LOG4J2-673_Maven_Shade_resource_transformer.xml b/src/changelog/0.1.0/LOG4J2-673_Maven_Shade_resource_transformer.xml
index bcdd328..277e99a 100644
--- a/src/changelog/0.1.0/LOG4J2-673_Maven_Shade_resource_transformer.xml
+++ b/src/changelog/0.1.0/LOG4J2-673_Maven_Shade_resource_transformer.xml
@@ -17,7 +17,7 @@
   -->
 <entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns="http://logging.apache.org/log4j/changelog"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="LOG4J2-673" link="https://issues.apache.org/jira/browse/LOG4J2-673"/>
   <author id="github:edwgiz" name="Eduard Gizatullin"/>
diff --git a/src/site/_release-notes/_0.x.x.adoc b/src/site/_release-notes/_0.x.x.adoc
index 560662d..4f7c4b6 100644
--- a/src/site/_release-notes/_0.x.x.adoc
+++ b/src/site/_release-notes/_0.x.x.adoc
@@ -43,9 +43,10 @@ This is the second release of the project.
 
 ==== Added
 
+* Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`
 * Started publishing https://logging.apache.org/log4j/transform[the project website]
 
 ==== Changed
 
-* Migrated to `logging-parent` 10.1.1 and adopted its CI and `pom.xml` infrastructure
+* Migrated `logging-parent` to version `10.2.0` and adopted its CI and `pom.xml` infrastructure
 * Update `org.ow2.asm:asm-bom` to version `9.6`
diff --git a/src/site/index.adoc b/src/site/index.adoc
index dedb768..4ae4b4d 100644
--- a/src/site/index.adoc
+++ b/src/site/index.adoc
@@ -57,6 +57,38 @@ In accordance with the Apache Software Foundation's release https://infra.apache
 
 See xref:#release-instructions[the release instructions] for details.
 
+[#maven-bom]
+=== Maven Bill of Materials (BOM)
+
+To keep your {project-name} module versions aligned, a https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms[Maven Bill of Materials (BOM) POM] is provided for your convenience.
+
+To use this with Maven, add the dependency listed below to your `pom.xml` file.
+Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
+This will _import_ all modules bundled with the associated Log4j release to your `dependencyManagement`.
+As a result, you don't have to specify versions of the imported modules (`log4j-weaver`, etc.) while using them as a `<dependency>`.
+
+.`pom.xml` snippet importing `log4j-transform-bom`
+[source,subs="+attributes"]
+----
+<dependencyManagement>
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-transform-bom</artifactId>
+      <version>{project-version}</version>
+      <scope>import</scope>
+      <type>pom</type>
+    </dependency>
+  </dependencies>
+</dependencyManagement>
+----
+
+[#cyclonedx-sbom]
+=== CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `0.2.0`, {project-name} distributes https://cyclonedx.org/capabilities/sbom/[CyclenoDX Software Bill of Materials (SBOM)] along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
+
 [#support]
 == Support