From 4f82e5440bad013e3a750b0b4b94bb22991d25de Mon Sep 17 00:00:00 2001
From: Thomas Leplus
Date: Sun, 15 Dec 2024 01:00:55 +0800
Subject: [PATCH] Generate SBOM (#411) CycloneDX format only for now.
---
.github/workflows/maven.yml | 23 +++++++++--------------
pom.xml | 17 +++++++++++++++++
2 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index fda1aa32..7facd594 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -71,22 +71,17 @@ jobs:
 run: |
 if [ -z "${MAVEN_GPG_PASSPHRASE}" ]
 then
- # Forcing dependency check version to a version compatible
- # with Java 8 since version does not matter due to
- # dependencyCheck.skip=true. But otherwise Maven initialization
- # fails with error: "java.lang.TypeNotPresentException:
- # Type org.owasp.dependencycheck.maven.CheckMojo not present".
- # shellcheck disable=SC2086
- ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true -Dgpg.skip=true verify
+ GPG_SKIP=true
 else
- # Forcing dependency check version to a version compatible
- # with Java 8 since version does not matter due to
- # dependencyCheck.skip=true. But otherwise Maven initialization
- # fails with error: "java.lang.TypeNotPresentException:
- # Type org.owasp.dependencycheck.maven.CheckMojo not present".
- # shellcheck disable=SC2086
- ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true verify
+ GPG_SKIP=false
 fi
+ # Forcing dependency check version to a version compatible
+ # with Java 8 since version does not matter due to
+ # dependencyCheck.skip=true. But otherwise Maven initialization
+ # fails with error: "java.lang.TypeNotPresentException:
+ # Type org.owasp.dependencycheck.maven.CheckMojo not present".
+ # shellcheck disable=SC2086
+ ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true -Dgpg.skip=${GPG_SKIP} verify
 - name: Publish site
 env:
 GITHUB_TOKEN: ${{ github.token }}
diff --git a/pom.xml b/pom.xml
index 4584037a..be04ff7e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,6 +84,7 @@ limitations under the License. 11.1.1 false 7 + false
@@ -317,6 +318,22 @@ limitations under the License. gh-pages + + org.cyclonedx + cyclonedx-maven-plugin + 2.9.1 + + ${cyclonedx.skip} + + + + package + + makeAggregateBom + + + +
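Review bot: The `# shellcheck disable=SC2086` directive above the consolidated `./mvnw` line now also covers the new `${GPG_SKIP}` expansion, which never needs word splitting; quoting it as `"-Dgpg.skip=${GPG_SKIP}"` keeps the suppression limited to `${MAVEN_CLI_OPTS}`. The empty-passphrase branch still turns signing off without leaving any trace in the log, so a run on a release branch where the secret is missing would build unsigned artifacts (and, presumably, an unsigned SBOM) and still go green. A line such as `echo "::warning::MAVEN_GPG_PASSPHRASE is empty, artifacts will not be signed"` next to `GPG_SKIP=true` would make that visible. The step's `env:` mapping that supplies the passphrase is above the hunk, so how the secret is wired cannot be checked from here.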
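Review bot: The plugin's configuration block in the second pom.xml hunk appears to hold only the `${cyclonedx.skip}` switch (the element names are lost in this rendering), so output format, schema version and included dependency scopes are left at the plugin's defaults and may shift when `2.9.1` is bumped. Because downstream tooling will parse this BOM, consider pinning them explicitly, e.g. `<outputFormat>json</outputFormat>` and `<schemaVersion>SCHEMA_VERSION_PLACEHOLDER</schemaVersion>`. The new `cyclonedx.skip` property in the first pom.xml hunk would also benefit from a short comment such as `<!-- Set to true to skip SBOM generation; release builds should leave this false. -->`. With the goal bound to `package`, the BOM is produced before `verify`, so whether it is signed presumably follows the `gpg.skip` value chosen in the workflow.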