Upgrade TemurinGenSBOM to use CycloneDX v9.0.5 spec 1.0.6 (#3985)

* Upgrade to CycloneDX 1.0.6 spec

Signed-off-by: Andrew Leonard <[email protected]>

* Upgrade to CycloneDX 1.0.6 spec

Signed-off-by: Andrew Leonard <[email protected]>

* Upgrade to CycloneDX 1.0.6 spec

Signed-off-by: Andrew Leonard <[email protected]>

* Upgrade to CycloneDX 1.0.6 spec

Signed-off-by: Andrew Leonard <[email protected]>

* Upgrade to CycloneDX 1.0.6 spec

Signed-off-by: Andrew Leonard <[email protected]>

* Upgrade to CycloneDX 1.0.6 spec

Signed-off-by: Andrew Leonard <[email protected]>

* Upgrade to CycloneDX 1.0.6 spec

Signed-off-by: Andrew Leonard <[email protected]>

* CDX 1.0.6

Signed-off-by: Andrew Leonard <[email protected]>

* CDX 1.0.6

Signed-off-by: Andrew Leonard <[email protected]>

* CDX 1.0.6

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

* Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

---------

Signed-off-by: Andrew Leonard <[email protected]>

README.md

@@ -185,6 +185,13 @@ the one you are trying to build.
 -k, --keep
 if using docker, keep the container after the build.
 
+--local-dependency-cache-dir <Local dependency cache directory>
+specify the location of a local cache of required build dependency jars. If not specified
+the following default locations are searched
+Windows: c:/dependency_cache
+MacOS: ${HOME}/dependency_cache
+Unix: /usr/local/dependency_cache
+
 --make-exploded-image
 creates an exploded image (useful for codesigning jmods). Use --assemble-exploded-image once you have signed the jmods to complete the packaging steps.
 

cyclonedx-lib/build.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!--
   ~ ********************************************************************************
-  ~ Copyright (c) 2021 Contributors to the Eclipse Foundation
+  ~ Copyright (c) 2021, 2024 Contributors to the Eclipse Foundation
   ~
   ~ See the NOTICE file(s) with this work for additional
   ~ information regarding copyright ownership.
@@ -14,42 +14,44 @@
   ~ ********************************************************************************
 -->
 
-<project name="cyclonedx-lib build" default="build" basedir=".">
-        <taskdef resource="net/sf/antcontrib/antlib.xml" />
+<project name="cyclonedx-lib build" default="build" basedir="." xmlns:if="ant:if" xmlns:unless="ant:unless">
         <!--
 // jscpd:ignore-start
 -->
 
-        <!-- All other dependency versions are listed in the relevant ./dependency_data/versions files -->
+        <condition property="local.deps.cache.dir.set" else="false">
+            <isset property="local.deps.cache.dir"/>
+        </condition>
+
+        <!-- Branch of cyberphone/openkeystore to clone -->
         <property name="openkeystore-version" value="1.0.0"/>
 
-        <!-- When retrieving sbom dependency jars with default settings, we will look here. -->
-        <property name="sbom_dependency_default_location" value="https://ci.adoptium.net/view/all/job/build.getDependency/lastSuccessfulBuild/artifact/sbom_dependencies"/>
+        <!-- Retrieve sbom dependency jar: versions, sha256 and download urls -->
+        <property file="dependency_data/dependency_data.properties"/>
 
         <!-- classpath for running application -->
-        <property name="classpath" value="build/jar/temurin-gen-sbom.jar:build/jar/cyclonedx-core-java.jar:build/jar/jackson-core.jar:build/jar/jackson-dataformat-xml.jar:build/jar/jackson-databind.jar:build/jar/jackson-annotations.jar:build/jar/json-schema.jar:build/jar/commons-codec.jar:build/jar/commons-io.jar:build/jar/github-package-url.jar:build/jar/webpki.org-libext-1.00.jar:build/jar/temurin-sign-sbom.jar"/>
+        <property name="classpath" value="build/jar/temurin-gen-sbom.jar:build/jar/cyclonedx-core-java.jar:build/jar/jackson-core.jar:build/jar/jackson-dataformat-xml.jar:build/jar/jackson-databind.jar:build/jar/jackson-annotations.jar:build/jar/json-schema-validator.jar:build/jar/commons-codec.jar:build/jar/commons-io.jar:build/jar/github-package-url.jar:build/jar/webpki.org-libext-1.00.jar:build/jar/temurin-sign-sbom.jar:build/jar/commons-collections4.jar"/>
 
         <target name="dep-checks">
                 <available file="build/jar/cyclonedx-core-java.jar" property="cyclonedx_available"/>
                 <available file="build/jar/jackson-core.jar" property="jackson-core_available"/>
                 <available file="build/jar/jackson-dataformat-xml.jar" property="jackson-dataformat_available"/>
                 <available file="build/jar/jackson-databind.jar" property="jackson-databind_available"/>
                 <available file="build/jar/jackson-annotations.jar" property="jackson-annotations_available"/>
-                <available file="build/jar/json-schema.jar" property="json-schema_available"/>
+                <available file="build/jar/json-schema-validator.jar" property="json-schema-validator_available"/>
                 <available file="build/jar/commons-codec.jar" property="commons-codec_available"/>
                 <available file="build/jar/commons-io.jar" property="commons-io_available"/>
+                <available file="build/jar/commons-collections4.jar" property="commons-collections4_available"/>
                 <available file="build/jar/github-package-url.jar" property="github-package-url_available"/>
                 <available file="build/webpki.org-libext-1.00.jar" property="openkeystore_available"/>
         </target>
 
         <target name="download-cyclonedx" unless="cyclonedx_available">
-                <echo message="Downloading cyclonedx-core-java"/>
-                <download-file-with-default-options destfile="cyclonedx-core-java.jar"/>
-	    </target>
+                <get-component component="cyclonedx-core-java"/>
+        </target>
 
         <target name="download-jackson-core" unless="jackson-core_available">
-                <echo message="Downloading jackson-core"/>
-                <download-file-with-default-options destfile="jackson-core.jar"/>
+                <get-component component="jackson-core"/>
         </target>
 
         <target name="clone-and-build-openkeystore" unless="openkeystore_available">
@@ -65,7 +67,7 @@
                 </move>
         </target>
 
-        <target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema, download-commons-codec, download-commons-io, download-github-package-url, compile-sign-sbom, jar-sign-sbom">
+        <target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile-sign-sbom, jar-sign-sbom">
                 <echo message="Building cyclonedx-lib TemurinSignSBOM"/>
         </target>
 
@@ -85,41 +87,38 @@
         </target>
 
         <target name="download-jackson-dataformat-xml" unless="jackson-dataformat_available">
-                <echo message="Downloading jackson-dataformat-xml"/>
-                <download-file-with-default-options destfile="jackson-dataformat-xml.jar"/>
+                <get-component component="jackson-dataformat-xml"/>
         </target>
 
         <target name="download-jackson-databind" unless="jackson-databind_available">
-                <echo message="Downloading jackson-databind"/>
-                <download-file-with-default-options destfile="jackson-databind.jar"/>
+                <get-component component="jackson-databind"/>
         </target>
 
         <target name="download-jackson-annotations" unless="jackson-annotations_available">
-                <echo message="Downloading jackson-annotations"/>
-                <download-file-with-default-options destfile="jackson-annotations.jar"/>
+                <get-component component="jackson-annotations"/>
         </target>
 
-        <target name="download-json-schema" unless="json-schema_available">
-                <echo message="Downloading json-schema"/>
-                <download-file-with-default-options destfile="json-schema.jar"/>
+        <target name="download-json-schema-validator" unless="json-schema-validator_available">
+                <get-component component="json-schema-validator"/>
         </target>
 
         <target name="download-commons-codec" unless="commons-codec_available">
-                <echo message="Downloading commons-codec"/>
-                <download-file-with-default-options destfile="commons-codec.jar"/>
+                <get-component component="commons-codec"/>
         </target>
 
         <target name="download-commons-io" unless="commons-io_available">
-                <echo message="Downloading commons-io"/>
-                <download-file-with-default-options destfile="commons-io.jar"/>
+                <get-component component="commons-io"/>
+        </target>
+
+        <target name="download-commons-collections4" unless="commons-collections4_available">
+                <get-component component="commons-collections4"/>
         </target>
 
         <target name="download-github-package-url" unless="github-package-url_available">
-                <echo message="Downloading github-package-url"/>
-                <download-file-with-default-options destfile="github-package-url.jar"/>
+                <get-component component="github-package-url"/>
         </target>
 
-	      <target name="build" depends="dep-checks, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema, download-commons-codec, download-commons-io, download-github-package-url, compile, jar">
+	      <target name="build" depends="dep-checks, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile, jar">
                 <echo message="Building cyclonedx-lib"/>
         </target>
 
@@ -479,17 +478,23 @@
 
         </target>
 
-	<macrodef name="download-file-with-default-options" description="Use curl to download a file and retrieve its checksum from default locations.">
-		<attribute name="destfile" description="File name of the downloaded file"/>
+	<macrodef name="get-component" description="Obtain the given component from the local cache if available or download, and verify its checksum.">
+		<attribute name="component" description="Dependency component to obtain"/>
 		<sequential>
-			<echo message="Executing macro download-file-with-default-options"/>
-			<echo message="Fetching checksum prior to downloading file."/>
-			<loadfile property="checksum-for-@{destfile}" srcFile="dependency_data/shas/@{destfile}.sha256"/>
-			<echo message="Checksum found: ${checksum-for-@{destfile}}"/>
-			<download-file
-				checksum="${checksum-for-@{destfile}}"
-				destfile="@{destfile}"
-				srcurl="${sbom_dependency_default_location}/@{destfile}"/>
+			<echo message="Executing macro get-component for: @{component}"/>
+			<echo message="Expected checksum: ${@{component}.sha256}"/>
+
+                        <!-- Check if local cache file is available? -->
+                        <available file="${local.deps.cache.dir}/${@{component}.jar}" property="@{component}_cache_available" if:true="${local.deps.cache.dir.set}"/>
+                        <property name="@{component}_cache_available" value="false" unless:true="${local.deps.cache.dir.set}"/>
+
+                        <!-- Use local cache if available, otherwise download -->
+                        <copy verbose="true" file="${local.deps.cache.dir}/${@{component}.jar}" tofile="build/jar/@{component}.jar" if:true="${@{component}_cache_available}"/>
+                        <download-file unless:true="${@{component}_cache_available}"
+				checksum="${@{component}.sha256}"
+                                destdir="build/jar"
+				destfile="@{component}.jar"
+				srcurl="${@{component}.url}"/>
 		</sequential>
 	</macrodef>
 

cyclonedx-lib/dependency_data/dependency_data.properties

@@ -0,0 +1,60 @@
+# ********************************************************************************
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made
+# available under the terms of the Apache Software License 2.0
+# which is available at https://www.apache.org/licenses/LICENSE-2.0.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ********************************************************************************
+
+# Repositories
+maven.central.repo=https://repo1.maven.org/maven2
+
+# Component versions, SHAs and jar names
+commons-codec.version=1.17.1
+commons-codec.sha256=f9f6cb103f2ddc3c99a9d80ada2ae7bf0685111fd6bffccb72033d1da4e6ff23
+commons-codec.jar=commons-codec-${commons-codec.version}.jar
+commons-collections4.version=4.4
+commons-collections4.sha256=1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
+commons-collections4.jar=commons-collections4-${commons-collections4.version}.jar
+commons-io.version=2.16.1
+commons-io.sha256=f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
+commons-io.jar=commons-io-${commons-io.version}.jar
+cyclonedx-core-java.version=9.0.5
+cyclonedx-core-java.sha256=9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa
+cyclonedx-core-java.jar=cyclonedx-core-java-${cyclonedx-core-java.version}.jar
+github-package-url.version=1.5.0
+github-package-url.sha256=e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247
+github-package-url.jar=packageurl-java-${github-package-url.version}.jar
+jackson-annotations.version=2.17.2
+jackson-annotations.sha256=873a606e23507969f9bbbea939d5e19274a88775ea5a169ba7e2d795aa5156e1
+jackson-annotations.jar=jackson-annotations-${jackson-annotations.version}.jar
+jackson-core.version=2.17.2
+jackson-core.sha256=721a189241dab0525d9e858e5cb604d3ecc0ede081e2de77d6f34fa5779a5b46
+jackson-core.jar=jackson-core-${jackson-core.version}.jar
+jackson-databind.version=2.17.2
+jackson-databind.sha256=c04993f33c0f845342653784f14f38373d005280e6359db5f808701cfae73c0c
+jackson-databind.jar=jackson-databind-${jackson-databind.version}.jar
+jackson-dataformat-xml.version=2.17.2
+jackson-dataformat-xml.sha256=517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f
+jackson-dataformat-xml.jar=jackson-dataformat-xml-${jackson-dataformat-xml.version}.jar
+json-schema-validator.version=1.5.1
+json-schema-validator.sha256=de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7
+json-schema-validator.jar=json-schema-validator-${json-schema-validator.version}.jar
+
+# Download URLs
+commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/${commons-codec.jar}
+commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/${commons-collections4.jar}
+commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/${commons-io.jar}
+cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/${cyclonedx-core-java.jar}
+github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/${github-package-url.jar}
+jackson-annotations.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-annotations/${jackson-annotations.version}/${jackson-annotations.jar}
+jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/${jackson-core.version}/${jackson-core.jar}
+jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/${jackson-databind.jar}
+jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/${jackson-dataformat-xml.jar}
+json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/${json-schema-validator.jar}
+

cyclonedx-lib/sign_src/TemurinSignSBOM.java

@@ -1,6 +1,6 @@
 /*
  * ********************************************************************************
- * Copyright (c) 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) with this work for additional
  * information regarding copyright ownership.
@@ -15,11 +15,11 @@
 
 package temurin.sbom;
 
-import org.cyclonedx.BomGeneratorFactory;
-import org.cyclonedx.CycloneDxSchema;
+import org.cyclonedx.exception.GeneratorException;
 import org.cyclonedx.generators.json.BomJsonGenerator;
 import org.cyclonedx.model.Bom;
 import org.cyclonedx.parsers.JsonParser;
+import org.cyclonedx.Version;
 
 import org.webpki.json.JSONAsymKeySigner;
 import org.webpki.json.JSONObjectReader;
@@ -113,7 +113,13 @@ static Bom signSBOM(final String jsonFile, final String pemFile) {
             if (bom == null) {
                 return null;
             }
-            String sbomDataToSign = generateBomJson(bom);
+            String sbomDataToSign;
+            try {
+                sbomDataToSign = generateBomJson(bom);
+            } catch (GeneratorException e) {
+                LOGGER.log(Level.SEVERE, "Exception generating BOM", e);
+                return null;
+            }
 
             // Read the private key
             KeyPair signingKey = PEMDecoder.getKeyPair(Files.readAllBytes(Paths.get(pemFile)));
@@ -132,15 +138,22 @@ static Bom signSBOM(final String jsonFile, final String pemFile) {
         }
     }
 
-    static String generateBomJson(final Bom bom) {
-        BomJsonGenerator bomGen = BomGeneratorFactory.createJson(CycloneDxSchema.Version.VERSION_14, bom);
+    static String generateBomJson(final Bom bom) throws GeneratorException {
+        BomJsonGenerator bomGen = new BomJsonGenerator(bom, Version.VERSION_16);
         String json = bomGen.toJsonString();
         return json;
     }
 
     static boolean writeJSONfile(final Bom bom, final String fileName) {
         // Creates testJson.json file
-        String json = generateBomJson(bom);
+        String json;
+        try {
+            json = generateBomJson(bom);
+        } catch (GeneratorException e) {
+            LOGGER.log(Level.SEVERE, "Exception generating BOM", e);
+            return false;
+        }
+
         try (FileWriter file = new FileWriter(fileName)) {
             file.write(json);
             return true;
@@ -164,7 +177,13 @@ static boolean verifySignature(final String jsonFile, final String publicKeyFile
         try {
             // Read the JSON file to be verified
             Bom bom = readJSONfile(jsonFile);
-            String signedSbomData = generateBomJson(bom);
+            String signedSbomData;
+            try {
+                signedSbomData = generateBomJson(bom);
+            } catch (GeneratorException e) {
+                LOGGER.log(Level.SEVERE, "Exception generating BOM", e);
+                return false;
+            }
 
             // Parse JSON
             JSONObjectReader reader = JSONParser.parse(signedSbomData);