From 11444e89fc579d960caf030943346a925fa2c983 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 10 Oct 2024 11:58:26 +0100 Subject: [PATCH 01/20] Upgrade to CycloneDX 1.0.6 spec Signed-off-by: Andrew Leonard --- cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 | 2 +- cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 | 2 +- .../dependency_data/shas/cyclonedx-core-java.jar.sha256 | 2 +- .../dependency_data/shas/github-package-url.jar.sha256 | 2 +- .../dependency_data/shas/jackson-annotations.jar.sha256 | 2 +- cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 | 2 +- cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 | 2 +- .../dependency_data/shas/jackson-dataformat-xml.jar.sha256 | 2 +- cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 | 2 +- .../dependency_data/versions/commons-codec.jar.version | 2 +- cyclonedx-lib/dependency_data/versions/commons-io.jar.version | 2 +- .../dependency_data/versions/cyclonedx-core-java.jar.version | 2 +- .../dependency_data/versions/github-package-url.jar.version | 2 +- .../dependency_data/versions/jackson-annotations.jar.version | 2 +- cyclonedx-lib/dependency_data/versions/jackson-core.jar.version | 2 +- .../dependency_data/versions/jackson-databind.jar.version | 2 +- .../dependency_data/versions/jackson-dataformat-xml.jar.version | 2 +- cyclonedx-lib/dependency_data/versions/json-schema.jar.version | 2 +- 18 files changed, 18 insertions(+), 18 deletions(-) diff --git a/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 index a5f27b9cb..d17360a77 100644 --- a/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 @@ -1 +1 @@ -b3e9f6d63a790109bf0d056611fbed1cf69055826defeb9894a71369d246ed63 \ No newline at end of file +f9f6cb103f2ddc3c99a9d80ada2ae7bf0685111fd6bffccb72033d1da4e6ff23 
diff --git a/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 index 854ca3d3e..06447c310 100644 --- a/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 @@ -1 +1 @@ -961b2f6d87dbacc5d54abf45ab7a6e2495f89b75598962d8c723cea9bc210908 \ No newline at end of file +f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f diff --git a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 index 44090c667..8465d7d62 100644 --- a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 @@ -1 +1 @@ -ecc371d12808dfe76047f87f8235665d74dd6cf8ec12c41d052715a3fd79e0b5 \ No newline at end of file +4eeecf3ba077a0eb0cb61730dc56c9afd994324658334311628bb228c9c5d0a0 diff --git a/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 index b9d1f60ef..11bd3cb3b 100644 --- a/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 @@ -1 +1 @@ -8e23280221afd1e6561d433dfb133252cd287167acb0eca5a991667118ff10a2 \ No newline at end of file +e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247 diff --git a/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 index 95f7e9a2e..179e2d427 100644 --- a/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 @@ -1 +1 @@ -2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d \ No newline at end of file +873a606e23507969f9bbbea939d5e19274a88775ea5a169ba7e2d795aa5156e1 
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 index c75a5db5e..cb7afb494 100644 --- a/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 @@ -1 +1 @@ -b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a \ No newline at end of file +721a189241dab0525d9e858e5cb604d3ecc0ede081e2de77d6f34fa5779a5b46 diff --git a/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 index 49bdf8a3a..4ef426a7c 100644 --- a/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 @@ -1 +1 @@ -501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424 \ No newline at end of file +c04993f33c0f845342653784f14f38373d005280e6359db5f808701cfae73c0c diff --git a/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 index bdf90ce8c..9a3a78b6d 100644 --- a/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 @@ -1 +1 @@ -edbda6c775a36049cf0088b111ab958cca0dc70cb9326918d6cf153cb3fa426b \ No newline at end of file +517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f diff --git a/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 index 492cd69b8..79e36c150 100644 --- a/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 @@ -1 +1 @@ -968991e5718520cdd7b224770f790cf2c241cddf64d10a36c21f9f8b4a15e79c \ No newline at end of file +de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7 
diff --git a/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version index 07fe6f6c9..511a76e6f 100644 --- a/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version +++ b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version @@ -1 +1 @@ -1.15 \ No newline at end of file +1.17.1 diff --git a/cyclonedx-lib/dependency_data/versions/commons-io.jar.version b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version index ed0edc885..0e7079b69 100644 --- a/cyclonedx-lib/dependency_data/versions/commons-io.jar.version +++ b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version @@ -1 +1 @@ -2.11.0 \ No newline at end of file +2.16.1 diff --git a/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version index 24afbc91d..48e97c8f8 100644 --- a/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version +++ b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version @@ -1 +1 @@ -8.0.3 \ No newline at end of file +9.0.5 diff --git a/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version index 13175fdc4..bc80560fa 100644 --- a/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version +++ b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version @@ -1 +1 @@ -1.4.1 \ No newline at end of file +1.5.0 diff --git a/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version index fb71e071a..94dc0ec91 100644 --- a/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version +++ b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version @@ -1 +1 @@ -2.14.2 \ No newline at end of file +2.17.2 
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version index fb71e071a..94dc0ec91 100644 --- a/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version +++ b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version @@ -1 +1 @@ -2.14.2 \ No newline at end of file +2.17.2 diff --git a/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version index fb71e071a..94dc0ec91 100644 --- a/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version +++ b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version @@ -1 +1 @@ -2.14.2 \ No newline at end of file +2.17.2 diff --git a/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version index fb71e071a..94dc0ec91 100644 --- a/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version +++ b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version @@ -1 +1 @@ -2.14.2 \ No newline at end of file +2.17.2 diff --git a/cyclonedx-lib/dependency_data/versions/json-schema.jar.version b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version index 0c59751cf..26ca59460 100644 --- a/cyclonedx-lib/dependency_data/versions/json-schema.jar.version +++ b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version @@ -1 +1 @@ -1.0.77 \ No newline at end of file +1.5.1 From c04203d6190e698a155d0808393e6217628695e8 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 10 Oct 2024 12:01:13 +0100 Subject: [PATCH 02/20] Upgrade to CycloneDX 1.0.6 spec Signed-off-by: Andrew Leonard --- cyclonedx-lib/getDependencies | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cyclonedx-lib/getDependencies b/cyclonedx-lib/getDependencies index 855198b77..63af62eb7 100644 --- a/cyclonedx-lib/getDependencies 
+++ b/cyclonedx-lib/getDependencies @@ -2,8 +2,8 @@ LABEL=params.LABEL ? params.LABEL : 'ci.role.test&&hw.arch.x86&&sw.os.linux' -TEMURIN_BUILD_REPO="https://github.com/adoptium/temurin-build" -TEMURIN_BUILD_BRANCH="master" +TEMURIN_BUILD_REPO=params.TEMURIN_BUILD_REPO ? params.TEMURIN_BUILD_REPO : "https://github.com/adoptium/temurin-build" +TEMURIN_BUILD_BRANCH=params.TEMURIN_BUILD_BRANCH ? params.TEMURIN_BUILD_BRANCH : "master" stage('Queue') { node("$LABEL") { From c5b13af3d8d1e7e2767aed4efdff2670f9fa65eb Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 10 Oct 2024 12:09:00 +0100 Subject: [PATCH 03/20] Upgrade to CycloneDX 1.0.6 spec Signed-off-by: Andrew Leonard --- .../dependency_data/shas/cyclonedx-core-java.jar.sha256 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 index 8465d7d62..19e55f29b 100644 --- a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 +++ b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 @@ -1 +1 @@ -4eeecf3ba077a0eb0cb61730dc56c9afd994324658334311628bb228c9c5d0a0 +9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa From 736790d8953e0856ec48387e58ea71caa06409a8 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 10 Oct 2024 13:28:49 +0100 Subject: [PATCH 04/20] Upgrade to CycloneDX 1.0.6 spec Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 8 ++++++-- .../shas/commons-collections4.jar.sha256 | 1 + .../versions/commons-collections4.jar.version | 1 + cyclonedx-lib/getDependencies | 2 ++ .../src/temurin/sbom/TemurinGenSBOM.java | 15 +++++++++------ 5 files changed, 19 insertions(+), 8 deletions(-) create mode 100644 cyclonedx-lib/dependency_data/shas/commons-collections4.jar.sha256 create mode 100644 cyclonedx-lib/dependency_data/versions/commons-collections4.jar.version 
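Review bot: `TEMURIN_BUILD_REPO` and `TEMURIN_BUILD_BRANCH` are now taken verbatim from job parameters, so whoever can start this job with parameters chooses which repository and branch the dependency-fetching code is cloned from, and nothing in the hunk constrains the value to the expected organisation or records that a non-default source was used. If the parameter exists to let PR builds use a fork, restrict it to the expected shape before it is used, e.g. `if (!(TEMURIN_BUILD_REPO ==~ /https:\/\/github\.com\/[A-Za-z0-9_.-]+\/temurin-build(\.git)?/)) { error("Unexpected TEMURIN_BUILD_REPO: ${TEMURIN_BUILD_REPO}") }`, and echo the resolved repo and branch so the choice is visible in the build log. The `stage('Queue')` block that consumes these values continues outside the hunk.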
diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index 6e3e58f07..ccb170f0c 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -24,7 +24,7 @@ - + @@ -484,7 +484,11 @@ - + + + + + Date: Thu, 10 Oct 2024 14:58:48 +0100 Subject: [PATCH 05/20] Upgrade to CycloneDX 1.0.6 spec Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 14 +++++--- cyclonedx-lib/sign_src/TemurinSignSBOM.java | 35 +++++++++++++++---- .../src/temurin/sbom/TemurinGenSBOM.java | 2 +- 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index ccb170f0c..ec443c787 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -24,10 +24,10 @@ - + - + @@ -38,6 +38,7 @@ + @@ -65,7 +66,7 @@ - + @@ -114,12 +115,17 @@ + + + + + - + diff --git a/cyclonedx-lib/sign_src/TemurinSignSBOM.java b/cyclonedx-lib/sign_src/TemurinSignSBOM.java index afe584d10..4f47110cf 100644 --- a/cyclonedx-lib/sign_src/TemurinSignSBOM.java +++ b/cyclonedx-lib/sign_src/TemurinSignSBOM.java @@ -1,6 +1,6 @@ /* * ******************************************************************************** - * Copyright (c) 2023 Contributors to the Eclipse Foundation + * Copyright (c) 2023,2024 Contributors to the Eclipse Foundation * * See the NOTICE file(s) with this work for additional * information regarding copyright ownership. @@ -15,11 +15,13 @@ package temurin.sbom; -import org.cyclonedx.BomGeneratorFactory; +import org.cyclonedx.exception.GeneratorException; +import org.cyclonedx.generators.json.BomJsonGenerator; import org.cyclonedx.CycloneDxSchema; import org.cyclonedx.generators.json.BomJsonGenerator; import org.cyclonedx.model.Bom; import org.cyclonedx.parsers.JsonParser; +import org.cyclonedx.Version; import org.webpki.json.JSONAsymKeySigner; import org.webpki.json.JSONObjectReader; 
@@ -113,7 +115,13 @@ static Bom signSBOM(final String jsonFile, final String pemFile) { if (bom == null) { return null; } - String sbomDataToSign = generateBomJson(bom); + String sbomDataToSign; + try { + sbomDataToSign = generateBomJson(bom); + } catch (GeneratorException e) { + LOGGER.log(Level.SEVERE, "Exception generating BOM", e); + return null; + } // Read the private key KeyPair signingKey = PEMDecoder.getKeyPair(Files.readAllBytes(Paths.get(pemFile))); @@ -132,15 +140,22 @@ static Bom signSBOM(final String jsonFile, final String pemFile) { } } - static String generateBomJson(final Bom bom) { - BomJsonGenerator bomGen = BomGeneratorFactory.createJson(CycloneDxSchema.Version.VERSION_14, bom); + static String generateBomJson(final Bom bom) throws GeneratorException { + BomJsonGenerator bomGen = new BomJsonGenerator(bom, Version.VERSION_16); String json = bomGen.toJsonString(); return json; } static boolean writeJSONfile(final Bom bom, final String fileName) { // Creates testJson.json file - String json = generateBomJson(bom); + String json; + try { + json = generateBomJson(bom); + } catch (GeneratorException e) { + LOGGER.log(Level.SEVERE, "Exception generating BOM", e); + return false; + } + try (FileWriter file = new FileWriter(fileName)) { file.write(json); return true; @@ -164,7 +179,13 @@ static boolean verifySignature(final String jsonFile, final String publicKeyFile try { // Read the JSON file to be verified Bom bom = readJSONfile(jsonFile); - String signedSbomData = generateBomJson(bom); + String signedSbomData; + try { + signedSbomData = generateBomJson(bom); + } catch (GeneratorException e) { + LOGGER.log(Level.SEVERE, "Exception generating BOM", e); + return false; + } // Parse JSON JSONObjectReader reader = JSONParser.parse(signedSbomData); diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java index d2d1ba896..63abc2f2a 100644 --- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java 
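Review bot: In the `@@ -132,15 +140,22 @@` hunk `generateBomJson` now always serialises with `Version.VERSION_16`, and because `verifySignature` (the following hunk) checks the signature over this regenerated JSON rather than over the bytes that were originally signed, an SBOM signed before this change, when the output was `VERSION_14`, will presumably no longer verify, and the same will recur at the next schema bump. If previously signed SBOMs must remain verifiable, the version used for regeneration should come from the parsed document's own spec version rather than a constant, or the verification path should be documented as valid only for documents produced by the same generator version. As a point of style, the six-line `try { … } catch (GeneratorException e) { LOGGER.log(…); return …; }` block is now copied into `signSBOM`, `writeJSONfile` and `verifySignature`; a small helper that performs the generation, logs the failure and returns `null` would remove the repetition. The enclosing methods start and end outside the hunks.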
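Review bot: In the `@@ -164,7 +179,13 @@` hunk `generateBomJson(bom)` is called with the result of `readJSONfile(jsonFile)` without a null check, whereas `signSBOM` in the first hunk guards the same call with `if (bom == null) { return null; }`; if `readJSONfile` can return null for a missing or unparsable file, as that guard suggests, the new `try` block will fail inside the generator instead of logging and returning `false`. Add the same guard before the new `try`: `if (bom == null) { return false; }`. `verifySignature` starts and ends outside the hunk.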
+++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java @@ -1,6 +1,6 @@ /* * ******************************************************************************** - * Copyright (c) 2021 Contributors to the Eclipse Foundation + * Copyright (c) 2021,2024 Contributors to the Eclipse Foundation * * See the NOTICE file(s) with this work for additional * information regarding copyright ownership. From 949b7424d71569ddcc9f1be367b06e90ac3c9c83 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 10 Oct 2024 15:31:42 +0100 Subject: [PATCH 06/20] Upgrade to CycloneDX 1.0.6 spec Signed-off-by: Andrew Leonard --- cyclonedx-lib/sign_src/TemurinSignSBOM.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/cyclonedx-lib/sign_src/TemurinSignSBOM.java b/cyclonedx-lib/sign_src/TemurinSignSBOM.java index 4f47110cf..b85426c7c 100644 --- a/cyclonedx-lib/sign_src/TemurinSignSBOM.java +++ b/cyclonedx-lib/sign_src/TemurinSignSBOM.java @@ -17,8 +17,6 @@ import org.cyclonedx.exception.GeneratorException; import org.cyclonedx.generators.json.BomJsonGenerator; -import org.cyclonedx.CycloneDxSchema; -import org.cyclonedx.generators.json.BomJsonGenerator; import org.cyclonedx.model.Bom; import org.cyclonedx.parsers.JsonParser; import org.cyclonedx.Version; From d857468faf16f4e0db6197fa2ca06fd576fd18b8 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 10 Oct 2024 15:35:41 +0100 Subject: [PATCH 07/20] Upgrade to CycloneDX 1.0.6 spec Signed-off-by: Andrew Leonard --- cyclonedx-lib/sign_src/TemurinSignSBOM.java | 2 +- cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cyclonedx-lib/sign_src/TemurinSignSBOM.java b/cyclonedx-lib/sign_src/TemurinSignSBOM.java index b85426c7c..14784fc76 100644 --- a/cyclonedx-lib/sign_src/TemurinSignSBOM.java +++ b/cyclonedx-lib/sign_src/TemurinSignSBOM.java 
@@ -1,6 +1,6 @@ /* * ******************************************************************************** - * Copyright (c) 2023,2024 Contributors to the Eclipse Foundation + * Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation * * See the NOTICE file(s) with this work for additional * information regarding copyright ownership. diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java index 63abc2f2a..639ed6737 100644 --- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java +++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java @@ -1,6 +1,6 @@ /* * ******************************************************************************** - * Copyright (c) 2021,2024 Contributors to the Eclipse Foundation + * Copyright (c) 2021, 2024 Contributors to the Eclipse Foundation * * See the NOTICE file(s) with this work for additional * information regarding copyright ownership. From 352dc437d2bd561382ce863f8613420ee0121d46 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 31 Oct 2024 15:13:50 +0000 Subject: [PATCH 08/20] CDX 1.0.6 Signed-off-by: Andrew Leonard --- sbin/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/build.sh b/sbin/build.sh index a51c4947c..0cb91e845 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
@@ -890,7 +890,7 @@ getCyclonedxClasspath() { local CYCLONEDB_JAR_DIR="${CYCLONEDB_DIR}/build/jar" - local classpath="${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar:${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar:${CYCLONEDB_JAR_DIR}/jackson-core.jar:${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar:${CYCLONEDB_JAR_DIR}/jackson-databind.jar:${CYCLONEDB_JAR_DIR}/jackson-annotations.jar:${CYCLONEDB_JAR_DIR}/json-schema.jar:${CYCLONEDB_JAR_DIR}/commons-codec.jar:${CYCLONEDB_JAR_DIR}/commons-io.jar:${CYCLONEDB_JAR_DIR}/github-package-url.jar" + local classpath="${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar:${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar:${CYCLONEDB_JAR_DIR}/jackson-core.jar:${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar:${CYCLONEDB_JAR_DIR}/jackson-databind.jar:${CYCLONEDB_JAR_DIR}/jackson-annotations.jar:${CYCLONEDB_JAR_DIR}/json-schema.jar:${CYCLONEDB_JAR_DIR}/commons-codec.jar:${CYCLONEDB_JAR_DIR}/commons-io.jar:${CYCLONEDB_JAR_DIR}/github-package-url.jar:${CYCLONEDB_JAR_DIR}/commons-collections4.jar" if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then classpath="" for jarfile in "${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar" "${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar" \ From e03435ed47ed6f13f79bd3d35a2bc3b33e32c2ce Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Thu, 31 Oct 2024 16:14:57 +0000 Subject: [PATCH 09/20] CDX 1.0.6 Signed-off-by: Andrew Leonard --- sbin/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/build.sh b/sbin/build.sh index 0cb91e845..d62a4bfd8 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
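Review bot: The jar list in `getCyclonedxClasspath` is maintained twice — once as the colon-joined `classpath` string changed here and once as the word list of the cygwin/msys `for` loop below it — and this commit updates only the first copy (the second is patched separately in the next commit of the series), which is exactly the drift a single array would prevent. Declare the jars once and derive both forms from it, as sketched below; the loop body (`do … done`) lies outside the hunk and is unchanged apart from iterating over the array. `classpath=$(IFS=:; printf '%s' "${jars[*]}")` joins with `:` inside a subshell so the function's own `IFS` is untouched.
```shell
  local CYCLONEDB_JAR_DIR="${CYCLONEDB_DIR}/build/jar"
  local jars=(
    "${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar"
    "${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar"
    "${CYCLONEDB_JAR_DIR}/jackson-core.jar"
    "${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar"
    "${CYCLONEDB_JAR_DIR}/jackson-databind.jar"
    "${CYCLONEDB_JAR_DIR}/jackson-annotations.jar"
    "${CYCLONEDB_JAR_DIR}/json-schema.jar"
    "${CYCLONEDB_JAR_DIR}/commons-codec.jar"
    "${CYCLONEDB_JAR_DIR}/commons-io.jar"
    "${CYCLONEDB_JAR_DIR}/github-package-url.jar"
    "${CYCLONEDB_JAR_DIR}/commons-collections4.jar"
  )
  local classpath
  classpath=$(IFS=:; printf '%s' "${jars[*]}")
  if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then
    classpath=""
    for jarfile in "${jars[@]}"; do
      # … unchanged: cygpath -w conversion of each jar …
    done
  fi
```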
@@ -897,7 +897,7 @@ getCyclonedxClasspath() { "${CYCLONEDB_JAR_DIR}/jackson-core.jar" "${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar" \ "${CYCLONEDB_JAR_DIR}/jackson-databind.jar" "${CYCLONEDB_JAR_DIR}/jackson-annotations.jar" \ "${CYCLONEDB_JAR_DIR}/json-schema.jar" "${CYCLONEDB_JAR_DIR}/commons-codec.jar" "${CYCLONEDB_JAR_DIR}/commons-io.jar" \ - "${CYCLONEDB_JAR_DIR}/github-package-url.jar" ; + "${CYCLONEDB_JAR_DIR}/github-package-url.jar" "${CYCLONEDB_JAR_DIR}/commons-collections4.jar"; do classpath+=$(cygpath -w "${jarfile}")";" done From 4fcabfa4b36a1683f91ceceab4560d2cb36df972 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Fri, 1 Nov 2024 10:00:45 +0000 Subject: [PATCH 10/20] CDX 1.0.6 Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index ec443c787..a88736428 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -24,7 +24,7 @@ - + From 0738565d49057c64f96ed5bd5a66d2ec0eee78d9 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 5 Nov 2024 12:14:38 +0000 Subject: [PATCH 11/20] Change CycloneDx dependency jar download to use Maven Central download 
Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 56 +++++++++---------- .../dependency_data.properties | 41 ++++++++++++++ .../shas/commons-codec.jar.sha256 | 1 - .../shas/commons-collections4.jar.sha256 | 1 - .../shas/commons-io.jar.sha256 | 1 - .../shas/cyclonedx-core-java.jar.sha256 | 1 - .../shas/github-package-url.jar.sha256 | 1 - .../shas/jackson-annotations.jar.sha256 | 1 - .../shas/jackson-core.jar.sha256 | 1 - .../shas/jackson-databind.jar.sha256 | 1 - .../shas/jackson-dataformat-xml.jar.sha256 | 1 - .../shas/json-schema.jar.sha256 | 1 - .../versions/commons-codec.jar.version | 1 - .../versions/commons-collections4.jar.version | 1 - .../versions/commons-io.jar.version | 1 - .../versions/cyclonedx-core-java.jar.version | 1 - .../versions/github-package-url.jar.version | 1 - .../versions/jackson-annotations.jar.version | 1 - .../versions/jackson-core.jar.version | 1 - .../versions/jackson-databind.jar.version | 1 - .../jackson-dataformat-xml.jar.version | 1 - .../versions/json-schema.jar.version | 1 - 22 files changed, 66 insertions(+), 51 deletions(-) create mode 100644 cyclonedx-lib/dependency_data/dependency_data.properties delete mode 100644 cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/commons-collections4.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 delete mode 100644 cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 delete mode 
100644 cyclonedx-lib/dependency_data/versions/commons-codec.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/commons-collections4.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/commons-io.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/github-package-url.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/jackson-core.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version delete mode 100644 cyclonedx-lib/dependency_data/versions/json-schema.jar.version diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index a88736428..074d430fa 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -23,11 +23,11 @@ - - + + - + @@ -35,7 +35,7 @@ - + @@ -45,12 +45,12 @@ - + - + @@ -66,7 +66,7 @@ - + @@ -87,45 +87,45 @@ - + - + - + - - - + + + - + - + - + - + - + @@ -485,21 +485,15 @@ - - + + - - - - - - - - + + + checksum="${@{component}.sha256}" + destfile="@{component}.jar" + srcurl="${@{component}.url}"/> diff --git a/cyclonedx-lib/dependency_data/dependency_data.properties b/cyclonedx-lib/dependency_data/dependency_data.properties new file mode 100644 index 000000000..719f268e6 --- /dev/null +++ b/cyclonedx-lib/dependency_data/dependency_data.properties 
@@ -0,0 +1,41 @@
+#
+#
+#
+
+# Repositories
+maven.central.repo=https://repo1.maven.org/maven2
+
+# Component versions and SHAs
+commons-codec.version=1.17.1
+commons-codec.sha256=f9f6cb103f2ddc3c99a9d80ada2ae7bf0685111fd6bffccb72033d1da4e6ff23
+commons-collections4.version=4.4
+commons-collections4.sha256=1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
+commons-io.version=2.16.1
+commons-io.sha256=f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
+cyclonedx-core-java.version=9.0.5
+cyclonedx-core-java.sha256=9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa
+github-package-url.version=1.5.0
+github-package-url.sha256=e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247
+jackson-annotations.version=2.17.2
+jackson-annotations.sha256=873a606e23507969f9bbbea939d5e19274a88775ea5a169ba7e2d795aa5156e1
+jackson-core.version=2.17.2
+jackson-core.sha256=721a189241dab0525d9e858e5cb604d3ecc0ede081e2de77d6f34fa5779a5b46
+jackson-databind.version=2.17.2
+jackson-databind.sha256=c04993f33c0f845342653784f14f38373d005280e6359db5f808701cfae73c0c
+jackson-dataformat-xml.version=2.17.2
+jackson-dataformat-xml.sha256=517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f
+json-schema-validator.version=1.5.1
+json-schema-validator.sha256=de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7
+
+# Download URLs
+commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/commons-codec-${commons-codec.version}.jar
+commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/commons-collections4-${commons-collections4.version}.jar
+commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/commons-io-${commons-io.version}.jar
+cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/cyclonedx-core-java-${cyclonedx-core-java.version}.jar
+github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/packageurl-java-${github-package-url.version}.jar
+jackson-annotations.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-annotations/${jackson-annotations.version}/jackson-annotations-${jackson-annotations.version}.jar
+jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/${jackson-core.version}/jackson-core-${jackson-core.version}.jar
+jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/jackson-databind-${jackson-databind.version}.jar
+jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/jackson-dataformat-xml-${jackson-dataformat-xml.version}.jar
+json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/json-schema-validator-${json-schema-validator.version}.jar
+
diff --git a/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256
deleted file mode 100644
index d17360a77..000000000
--- a/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-f9f6cb103f2ddc3c99a9d80ada2ae7bf0685111fd6bffccb72033d1da4e6ff23
diff --git a/cyclonedx-lib/dependency_data/shas/commons-collections4.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-collections4.jar.sha256
deleted file mode 100644
index 60ef177f3..000000000
--- a/cyclonedx-lib/dependency_data/shas/commons-collections4.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
diff --git a/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256
deleted file mode 100644
index 06447c310..000000000
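Review bot: The schema-validator component is keyed `json-schema-validator` here, but `sbin/build.sh` (`getCyclonedxClasspath`, changed earlier in this series) still puts `${CYCLONEDB_JAR_DIR}/json-schema.jar` on the runtime classpath; since the build.xml macro in this same commit writes `destfile="@{component}.jar"`, the downloaded file would presumably be `json-schema-validator.jar` and the classpath entry would point at a file that no longer exists, unless build.xml renames it or a later patch in the series updates build.sh. Either keep the key `json-schema` or update both classpath lists in the same commit. Pinning version plus sha256 per artifact in one file, fetched over HTTPS from Maven Central, is the right shape; a one-line comment at the top stating how each checksum was obtained would let a reviewer re-verify a bump without re-deriving it, e.g. `# sha256 values must be re-verified against the published artifact whenever a version is bumped`.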
--- a/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
diff --git a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256
deleted file mode 100644
index 19e55f29b..000000000
--- a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa
diff --git a/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256
deleted file mode 100644
index 11bd3cb3b..000000000
--- a/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256
deleted file mode 100644
index 179e2d427..000000000
--- a/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-873a606e23507969f9bbbea939d5e19274a88775ea5a169ba7e2d795aa5156e1
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256
deleted file mode 100644
index cb7afb494..000000000
--- a/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-721a189241dab0525d9e858e5cb604d3ecc0ede081e2de77d6f34fa5779a5b46
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256
deleted file mode 100644
index 4ef426a7c..000000000
--- a/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-c04993f33c0f845342653784f14f38373d005280e6359db5f808701cfae73c0c
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256
deleted file mode 100644
index 9a3a78b6d..000000000
--- a/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f
diff --git a/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256
deleted file mode 100644
index 79e36c150..000000000
--- a/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256
+++ /dev/null
@@ -1 +0,0 @@
-de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7
diff --git a/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version
deleted file mode 100644
index 511a76e6f..000000000
--- a/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-1.17.1
diff --git a/cyclonedx-lib/dependency_data/versions/commons-collections4.jar.version b/cyclonedx-lib/dependency_data/versions/commons-collections4.jar.version
deleted file mode 100644
index 515be8f91..000000000
--- a/cyclonedx-lib/dependency_data/versions/commons-collections4.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-4.4
diff --git a/cyclonedx-lib/dependency_data/versions/commons-io.jar.version b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version
deleted file mode 100644
index 0e7079b69..000000000
--- a/cyclonedx-lib/dependency_data/versions/commons-io.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-2.16.1
diff --git a/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version
deleted file mode 100644
index 48e97c8f8..000000000
--- a/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-9.0.5
diff --git a/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version
deleted file mode 100644
index bc80560fa..000000000
--- a/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-1.5.0
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version
deleted file mode 100644
index 94dc0ec91..000000000
--- a/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-2.17.2
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version
deleted file mode 100644
index 94dc0ec91..000000000
--- a/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-2.17.2
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version
deleted file mode 100644
index 94dc0ec91..000000000
--- a/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-2.17.2
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version
deleted file mode 100644
index 94dc0ec91..000000000
--- a/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-2.17.2
diff --git a/cyclonedx-lib/dependency_data/versions/json-schema.jar.version b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version
deleted file mode 100644
index 26ca59460..000000000
--- a/cyclonedx-lib/dependency_data/versions/json-schema.jar.version
+++ /dev/null
@@ -1 +0,0 @@
-1.5.1
From 3106be973d30e286756199a3e2a50d1be7fbad89 Mon Sep 17 00:00:00 2001
From: Andrew Leonard Date: Tue, 5 Nov 2024 12:18:05 +0000 Subject: [PATCH 12/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index 074d430fa..2e22cf04a 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -23,7 +23,7 @@ - + From e17a70475bb00192f1081b9332d394ed68bd0c8c Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 5 Nov 2024 12:20:46 +0000 Subject: [PATCH 13/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- cyclonedx-lib/dependency_data/dependency_data.properties | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/cyclonedx-lib/dependency_data/dependency_data.properties b/cyclonedx-lib/dependency_data/dependency_data.properties index 719f268e6..98be77147 100644 --- a/cyclonedx-lib/dependency_data/dependency_data.properties +++ b/cyclonedx-lib/dependency_data/dependency_data.properties @@ -1,6 +1,15 @@ +# ******************************************************************************** +# Copyright (c) 2024 Contributors to the Eclipse Foundation # +# See the NOTICE file(s) with this work for additional +# information regarding copyright ownership. # +# This program and the accompanying materials are made +# available under the terms of the Apache Software License 2.0 +# which is available at https://www.apache.org/licenses/LICENSE-2.0. # +# SPDX-License-Identifier: Apache-2.0 +# ******************************************************************************** # Repositories maven.central.repo=https://repo1.maven.org/maven2 From f3b34dad9679fb106e29cd51a67c7bbf5a41a71a Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 5 Nov 2024 12:23:01 +0000 Subject: [PATCH 14/20] Change CycloneDx dependency jar download to use Maven Central download 
Signed-off-by: Andrew Leonard --- cyclonedx-lib/getDependencies | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cyclonedx-lib/getDependencies b/cyclonedx-lib/getDependencies index 51d298773..855198b77 100644 --- a/cyclonedx-lib/getDependencies +++ b/cyclonedx-lib/getDependencies @@ -2,8 +2,8 @@ LABEL=params.LABEL ? params.LABEL : 'ci.role.test&&hw.arch.x86&&sw.os.linux' -TEMURIN_BUILD_REPO=params.TEMURIN_BUILD_REPO ? params.TEMURIN_BUILD_REPO : "https://github.com/adoptium/temurin-build" -TEMURIN_BUILD_BRANCH=params.TEMURIN_BUILD_BRANCH ? params.TEMURIN_BUILD_BRANCH : "master" +TEMURIN_BUILD_REPO="https://github.com/adoptium/temurin-build" +TEMURIN_BUILD_BRANCH="master" stage('Queue') { node("$LABEL") { @@ -48,7 +48,6 @@ def fetchDeps() { def commons_codec_version = readFile(file : dep_data + 'versions/commons-codec.jar.version').replaceAll("\\s","") def commons_io_version = readFile(file : dep_data + 'versions/commons-io.jar.version').replaceAll("\\s","") def github_package_url_version = readFile(file : dep_data + 'versions/github-package-url.jar.version').replaceAll("\\s","") - def commons_collections4_version = readFile(file : dep_data + 'versions/commons-collections4.jar.version').replaceAll("\\s","") // Each of these fetches a jar in the format: fetchSingleFile(jar name post-download, current jar location under Maven) fetchSingleFile("cyclonedx-core-java.jar", "org/cyclonedx/cyclonedx-core-java/${cyclonedx_core_java_version}/cyclonedx-core-java-${cyclonedx_core_java_version}.jar") 
@@ -60,7 +59,6 @@ def fetchDeps() { fetchSingleFile("commons-codec.jar", "commons-codec/commons-codec/${commons_codec_version}/commons-codec-${commons_codec_version}.jar") fetchSingleFile("github-package-url.jar", "com/github/package-url/packageurl-java/${github_package_url_version}/packageurl-java-${github_package_url_version}.jar") fetchSingleFile("commons-io.jar", "commons-io/commons-io/${commons_io_version}/commons-io-${commons_io_version}.jar") - fetchSingleFile("commons-collections4.jar", "org/apache/commons/commons-collections4/${commons_collections4_version}/commons-collections4-${commons_collections4_version}.jar") // Check that every file matches the sha of the file we expected. From 93d7bbc17e4af049c9e96b33d96966af91ac2c33 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Tue, 5 Nov 2024 12:24:18 +0000 Subject: [PATCH 15/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- sbin/build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sbin/build.sh b/sbin/build.sh index d62a4bfd8..5b610a8ad 100755 --- a/sbin/build.sh +++ b/sbin/build.sh 
@@ -890,13 +890,13 @@ getCyclonedxClasspath() { local CYCLONEDB_JAR_DIR="${CYCLONEDB_DIR}/build/jar" - local classpath="${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar:${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar:${CYCLONEDB_JAR_DIR}/jackson-core.jar:${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar:${CYCLONEDB_JAR_DIR}/jackson-databind.jar:${CYCLONEDB_JAR_DIR}/jackson-annotations.jar:${CYCLONEDB_JAR_DIR}/json-schema.jar:${CYCLONEDB_JAR_DIR}/commons-codec.jar:${CYCLONEDB_JAR_DIR}/commons-io.jar:${CYCLONEDB_JAR_DIR}/github-package-url.jar:${CYCLONEDB_JAR_DIR}/commons-collections4.jar" + local classpath="${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar:${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar:${CYCLONEDB_JAR_DIR}/jackson-core.jar:${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar:${CYCLONEDB_JAR_DIR}/jackson-databind.jar:${CYCLONEDB_JAR_DIR}/jackson-annotations.jar:${CYCLONEDB_JAR_DIR}/json-schema-validator.jar:${CYCLONEDB_JAR_DIR}/commons-codec.jar:${CYCLONEDB_JAR_DIR}/commons-io.jar:${CYCLONEDB_JAR_DIR}/github-package-url.jar:${CYCLONEDB_JAR_DIR}/commons-collections4.jar" if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then classpath="" for jarfile in "${CYCLONEDB_JAR_DIR}/temurin-gen-sbom.jar" "${CYCLONEDB_JAR_DIR}/cyclonedx-core-java.jar" \ "${CYCLONEDB_JAR_DIR}/jackson-core.jar" "${CYCLONEDB_JAR_DIR}/jackson-dataformat-xml.jar" \ "${CYCLONEDB_JAR_DIR}/jackson-databind.jar" "${CYCLONEDB_JAR_DIR}/jackson-annotations.jar" \ - "${CYCLONEDB_JAR_DIR}/json-schema.jar" "${CYCLONEDB_JAR_DIR}/commons-codec.jar" "${CYCLONEDB_JAR_DIR}/commons-io.jar" \ + "${CYCLONEDB_JAR_DIR}/json-schema-validator.jar" "${CYCLONEDB_JAR_DIR}/commons-codec.jar" "${CYCLONEDB_JAR_DIR}/commons-io.jar" \ "${CYCLONEDB_JAR_DIR}/github-package-url.jar" "${CYCLONEDB_JAR_DIR}/commons-collections4.jar"; do classpath+=$(cygpath -w "${jarfile}")";" From b61988b0e098cf940403a27e3d04f1ab3343e4c1 Mon Sep 17 00:00:00 2001 
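Review bot: The jar list in getCyclonedxClasspath is written out twice — once in the colon-joined `classpath` string and again in the cygwin/msys `for jarfile in …` loop — and this commit has to apply the `json-schema.jar` → `json-schema-validator.jar` rename to both copies, which is exactly how the two lists drift apart on a future change. A single local array iterated once, with the separator and `cygpath` conversion chosen inside the loop, removes the duplication; note the non-Windows join must not leave a trailing `:`, since an empty classpath element makes the JVM search the current directory. The body of getCyclonedxClasspath continues past the end of the hunk.
```shell
  local CYCLONEDB_JAR_DIR="${CYCLONEDB_DIR}/build/jar"
  # One list for both platforms; the same names are used by the Windows branch below.
  local cyclonedxJars=(
    temurin-gen-sbom.jar cyclonedx-core-java.jar
    jackson-core.jar jackson-dataformat-xml.jar jackson-databind.jar jackson-annotations.jar
    json-schema-validator.jar commons-codec.jar commons-io.jar github-package-url.jar
    commons-collections4.jar
  )
  local classpath=""
  local jarfile
  for jarfile in "${cyclonedxJars[@]}"; do
    if [[ "$OSTYPE" == "cygwin" ]] || [[ "$OSTYPE" == "msys" ]]; then
      classpath+=$(cygpath -w "${CYCLONEDB_JAR_DIR}/${jarfile}")";"
    else
      classpath+="${CYCLONEDB_JAR_DIR}/${jarfile}:"
    fi
  done
  # Drop the trailing ':' so no empty (current-directory) classpath element is introduced.
  classpath="${classpath%:}"
  # … unchanged: remainder of getCyclonedxClasspath …
```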
From: Andrew Leonard Date: Tue, 5 Nov 2024 13:43:45 +0000 Subject: [PATCH 16/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index 2e22cf04a..7a7457fd2 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -20,7 +20,7 @@ // jscpd:ignore-start --> - + From 9e2a3665c1bf0c089bf055bdcc77d7c47bff0506 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 6 Nov 2024 11:35:36 +0000 Subject: [PATCH 17/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- README.md | 3 ++ cyclonedx-lib/build.xml | 43 +++++++++++++------ .../dependency_data.properties | 32 +++++++++----- sbin/build.sh | 26 ++++++----- sbin/common/config_init.sh | 7 +++ 5 files changed, 78 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 11f38584a..807fbc223 100644 --- a/README.md +++ b/README.md @@ -185,6 +185,9 @@ the one you are trying to build. -k, --keep if using docker, keep the container after the build. +--local-dependency-cache-dir +specify the location of a local cache of required build dependency jars + --make-exploded-image creates an exploded image (useful for codesigning jmods). Use --assemble-exploded-image once you have signed the jmods to complete the packaging steps. diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index 7a7457fd2..bd56551a4 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -20,6 +20,10 @@ // jscpd:ignore-start --> + + + + @@ -44,12 +48,10 @@ - - + - @@ -86,42 +88,34 @@ - - - - - - - - @@ -490,10 +484,35 @@ - + + + + + + + + + + + + + + + + + + + + + + + diff --git a/cyclonedx-lib/dependency_data/dependency_data.properties b/cyclonedx-lib/dependency_data/dependency_data.properties index 98be77147..4b5607d50 100644 
--- a/cyclonedx-lib/dependency_data/dependency_data.properties
+++ b/cyclonedx-lib/dependency_data/dependency_data.properties
@@ -14,37 +14,47 @@ # Repositories maven.central.repo=https://repo1.maven.org/maven2 -# Component versions and SHAs +# Component versions, SHAs and jar names commons-codec.version=1.17.1 commons-codec.sha256=f9f6cb103f2ddc3c99a9d80ada2ae7bf0685111fd6bffccb72033d1da4e6ff23 +commons-codec.jar=commons-codec-${commons-codec.version}.jar commons-collections4.version=4.4 commons-collections4.sha256=1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1 +commons-collections4.jar=commons-collections4-${commons-collections4.version}.jar commons-io.version=2.16.1 commons-io.sha256=f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f +commons-io.jar=commons-io-${commons-io.version}.jar cyclonedx-core-java.version=9.0.5 cyclonedx-core-java.sha256=9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa +cyclonedx-core-java.jar=cyclonedx-core-java-${cyclonedx-core-java.version}.jar github-package-url.version=1.5.0 github-package-url.sha256=e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247 +github-package-url.jar=packageurl-java-${github-package-url.version}.jar jackson-annotations.version=2.17.2 jackson-annotations.sha256=873a606e23507969f9bbbea939d5e19274a88775ea5a169ba7e2d795aa5156e1 +jackson-annotations.jar=jackson-annotations-${jackson-annotations.version}.jar jackson-core.version=2.17.2 jackson-core.sha256=721a189241dab0525d9e858e5cb604d3ecc0ede081e2de77d6f34fa5779a5b46 +jackson-core.jar=jackson-core-${jackson-core.version}.jar jackson-databind.version=2.17.2 jackson-databind.sha256=c04993f33c0f845342653784f14f38373d005280e6359db5f808701cfae73c0c +jackson-databind.jar=jackson-databind-${jackson-databind.version}.jar jackson-dataformat-xml.version=2.17.2 jackson-dataformat-xml.sha256=517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f +jackson-dataformat-xml.jar=jackson-dataformat-xml-${jackson-dataformat-xml.version}.jar json-schema-validator.version=1.5.1 
json-schema-validator.sha256=de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7 +json-schema-validator.jar=json-schema-validator-${json-schema-validator.version}.jar # Download URLs -commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/commons-codec-${commons-codec.version}.jar -commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/commons-collections4-${commons-collections4.version}.jar -commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/commons-io-${commons-io.version}.jar -cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/cyclonedx-core-java-${cyclonedx-core-java.version}.jar -github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/packageurl-java-${github-package-url.version}.jar -jackson-annotations.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-annotations/${jackson-annotations.version}/jackson-annotations-${jackson-annotations.version}.jar -jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/${jackson-core.version}/jackson-core-${jackson-core.version}.jar -jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/jackson-databind-${jackson-databind.version}.jar -jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/jackson-dataformat-xml-${jackson-dataformat-xml.version}.jar -json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/json-schema-validator-${json-schema-validator.version}.jar +commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/${commons-codec.jar} 
+commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/${commons-collections4.jar} +commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/${commons-io.jar} +cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/${cyclonedx-core-java.jar} +github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/${github-package-url.jar} +jackson-annotations.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-annotations/${jackson-annotations.version}/${jackson-annotations.jar} +jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/${jackson-core.version}/${jackson-core.jar} +jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/${jackson-databind.jar} +jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/${jackson-dataformat-xml.jar} +json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/${json-schema-validator.jar} diff --git a/sbin/build.sh b/sbin/build.sh index 92469d3f9..7cb8847a2 100755 --- a/sbin/build.sh +++ b/sbin/build.sh @@ -887,8 +887,15 @@ buildCyclonedxLib() { else ANTBUILDFILE="${CYCLONEDB_DIR}/build.xml" fi + + # Do we have a local cache for the dependency jars? + local localJarCacheOption="" + if [[ -n "${BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]}" ]]; then + localJarCacheOption="-Dlocal.deps.cache.dir=${BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]}" + fi + JAVA_HOME=${javaHome} ant -f "${ANTBUILDFILE}" clean - JAVA_HOME=${javaHome} ant -f "${ANTBUILDFILE}" build + JAVA_HOME=${javaHome} ant -f "${ANTBUILDFILE}" build "${localJarCacheOption}" } # get the classpath to run the CycloneDX java app TemurinGenSBOM 
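Review bot: In the buildCyclonedxLib hunk, `ant -f "${ANTBUILDFILE}" build "${localJarCacheOption}"` passes an empty string as an extra argument whenever no cache directory is configured, because the quoted expansion of an empty variable still produces one word; ant is likely to treat that bare argument as a target name and fail, so the default (no-cache) build path is the one that breaks. Holding the option in an array makes the argument disappear cleanly when unset: `local localJarCacheOption=()`, then `localJarCacheOption=("-Dlocal.deps.cache.dir=${BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]}")` inside the `if`, and `JAVA_HOME=${javaHome} ant -f "${ANTBUILDFILE}" build "${localJarCacheOption[@]}"`. If this script runs under `set -u` on a bash older than 4.4, the empty-array expansion needs the `${localJarCacheOption[@]+"${localJarCacheOption[@]}"}` form instead. buildCyclonedxLib starts before the hunk.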
@@ -1211,21 +1218,20 @@ addCycloneDXVersions() { else # Should we do something special if the sha256sum fails? for JAR in "${CYCLONEDB_DIR}/build/jar"/*.jar; do - JarName=$(basename "$JAR") + JarName=$(basename "$JAR" | cut -d'.' -f1) if [ "$(uname)" = "Darwin" ]; then JarSha=$(shasum -a 256 "$JAR" | cut -d' ' -f1) else JarSha=$(sha256sum "$JAR" | cut -d' ' -f1) fi - addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}" "${JarSha}" + addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}" # Now the jar's SHA has been added, we add the version string. - JarVersionFile="$(joinPath ${CYCLONEDB_DIR} dependency_data versions ${JarName}.version)" - if [ -f "${JarVersionFile}" ]; then - JarVersionString=$(cat "${JarVersionFile}") - addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}" "${JarVersionString}" - elif [ "${JarName}" != "temurin-gen-sbom.jar" ]; then - echo "ERROR: Cannot find jar version file for SBOM creation dependency ${JarName}." - echo "ERROR: Expected location: ${JarVersionFile}" + JarDepsFile="$(joinPath ${CYCLONEDB_DIR} dependency_data/dependency_data.properties)" + JarVersionString=$(grep "${JarName}\.version=" "${JarDepsFile}" | cut -d'=' -f2) + if [ -n "${JarVersionString}" ]; then + addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}" + elif [ "${JarName}" != "temurin-gen-sbom" ]; then + echo "ERROR: Cannot determine jar version from ${JarDepsFile} for SBOM creation dependency ${JarName}.jar." fi done fi diff --git a/sbin/common/config_init.sh b/sbin/common/config_init.sh index d2bccb4b8..1a649a805 100755 --- a/sbin/common/config_init.sh +++ b/sbin/common/config_init.sh 
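Review bot: `JarName=$(basename "$JAR" | cut -d'.' -f1)` truncates at the first dot rather than stripping the `.jar` suffix, so any jar in build/jar whose base name contains a dot would be looked up — and recorded in the SBOM — under a wrong, shortened name; `JarName=$(basename "$JAR" .jar)` removes exactly the suffix. The version lookup `grep "${JarName}\.version=" "${JarDepsFile}"` is also unanchored, so a key that is a suffix of another (for example `foo.version=` matching `bar-foo.version=`) could return the wrong version, and if two lines matched `JarVersionString` would hold both; anchoring with `grep "^${JarName}\.version="` avoids both. The SBOM entry is only as trustworthy as this lookup, since the SHA is computed from the jar on disk but the version string comes from the properties file. addCycloneDXVersions starts before the hunk and continues after it.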
@@ -75,6 +75,7 @@ JRE_PATH TEST_IMAGE_PATH STATIC_LIBS_IMAGE_PATH JVM_VARIANT +LOCAL_DEPENDENCY_CACHE_DIR MACOSX_CODESIGN_IDENTITY MAKE_ARGS_FOR_ANY_PLATFORM MAKE_EXPLODED @@ -381,6 +382,9 @@ function parseConfigurationArguments() { "--use-adoptium-devkit") BUILD_CONFIG[USE_ADOPTIUM_DEVKIT]="$1"; shift;; + "--local-dependency-cache-dir") + BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]="$1"; shift;; + "--user-openjdk-build-root-directory" ) BUILD_CONFIG[USER_OPENJDK_BUILD_ROOT_DIRECTORY]="$1"; shift;; @@ -651,6 +655,9 @@ function configDefaults() { BUILD_CONFIG[USE_ADOPTIUM_DEVKIT]="" BUILD_CONFIG[ADOPTIUM_DEVKIT_LOCATION]="" + # Default to no local dependency cache + BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]="" + # By default dont backport JEP318 certs to < Java 10 BUILD_CONFIG[USE_JEP319_CERTS]=false From 9d53f7d49cc8b6d0285e43d899eec3ce9e5b6133 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 6 Nov 2024 11:38:08 +0000 Subject: [PATCH 18/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- sbin/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/build.sh b/sbin/build.sh index 7cb8847a2..51a3f1dee 100755 --- a/sbin/build.sh +++ b/sbin/build.sh @@ -1,7 +1,7 @@ #!/bin/bash # shellcheck disable=SC2155,SC2153,SC2038,SC1091,SC2116,SC2086 # ******************************************************************************** -# Copyright (c) 2017 Contributors to the Eclipse Foundation +# Copyright (c) 2017,2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) with this work for additional # information regarding copyright ownership. From c1f5ce94106f6f693e1546917bbcc7123c968ec8 Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 6 Nov 2024 11:38:57 +0000 Subject: [PATCH 19/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- sbin/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
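Review bot: In the parseConfigurationArguments hunk, `"--local-dependency-cache-dir")` stores `$1` without checking that it names an existing directory, and the value is later handed to ant as `-Dlocal.deps.cache.dir=…` where a mistyped or relative path would presumably surface only as an obscure download or copy failure deep in the build. A check at parse time gives an immediate, attributable error: `[[ -d "$1" ]] || { echo "ERROR: --local-dependency-cache-dir: '$1' is not a directory" >&2; exit 1; }` before the assignment, matching however the parser's other validation paths exit. The other two hunks in this file (the key list and the `configDefaults` default of `""`) are fine as they stand.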
diff --git a/sbin/build.sh b/sbin/build.sh index 51a3f1dee..a5777321f 100755 --- a/sbin/build.sh +++ b/sbin/build.sh @@ -1,7 +1,7 @@ #!/bin/bash # shellcheck disable=SC2155,SC2153,SC2038,SC1091,SC2116,SC2086 # ******************************************************************************** -# Copyright (c) 2017,2024 Contributors to the Eclipse Foundation +# Copyright (c) 2017, 2024 Contributors to the Eclipse Foundation # # See the NOTICE file(s) with this work for additional # information regarding copyright ownership. From 26afea937c9a46e600c4034eef88d8c2574cf9af Mon Sep 17 00:00:00 2001 From: Andrew Leonard Date: Wed, 6 Nov 2024 15:03:21 +0000 Subject: [PATCH 20/20] Change CycloneDx dependency jar download to use Maven Central download Signed-off-by: Andrew Leonard --- cyclonedx-lib/build.xml | 56 ++++++++++++++--------------------------- 1 file changed, 19 insertions(+), 37 deletions(-) diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml index bd56551a4..f026a2611 100644 --- a/cyclonedx-lib/build.xml +++ b/cyclonedx-lib/build.xml @@ -1,7 +1,7 @@ - - + @@ -48,11 +47,11 @@ - + - + @@ -88,35 +87,35 @@ - + - + - + - + - + - + - + - + @@ -479,40 +478,23 @@ - - + + - + - - - - - - - - - + + - - - - - - - - - - + - -