Generate an SBOM for the javaagent artifact

tylerbenson · tylerbenson · commit 6ad9e70cfba6 · 2024-04-09T12:07:28.000-04:00
We have been asked to generate SBOMs for published assets that are either natively compiled, or have vendored/embedded dependencies.  In java, this mainly applies to the javaagent.
diff --git a/.github/workflows/build-common.yml b/.github/workflows/build-common.yml
@@ -172,6 +172,18 @@ jobs:
           path: javaagent/build/libs/opentelemetry-javaagent-*-SNAPSHOT.jar
           if-no-files-found: ignore
 
+      - shell: bash
+        name: Collect SBOM's
+        run: |
+          mkdir sboms
+          find . -path ./sboms -prune -o -name "*.spdx.json" -exec mv {} ./sboms/ \;
+
+      - uses: actions/upload-artifact@v4
+        name: Save SBOM's to build
+        with:
+          name: opentelemetry-java-instrumentation-SBOM-${{ matrix.os }}-${{ matrix.test-java-version }}.zip
+          path: "sboms/*.json"
+
   test:
     name: test${{ matrix.test-partition }} (${{ matrix.test-java-version }}, ${{ matrix.vm }})
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -109,6 +109,19 @@ jobs:
           arguments: build publishPlugins publishPluginMavenPublicationToSonatypeRepository closeAndReleaseSonatypeStagingRepository
           build-root-directory: gradle-plugins
 
+      - shell: bash
+        name: Collect SBOM's
+        run: |
+          mkdir sboms
+          find . -path ./sboms -prune -o -name "*.spdx.json" -exec mv {} ./sboms/ \;
+          zip opentelemetry-java-instrumentation-SBOM.zip sboms/*
+
+      - uses: actions/upload-artifact@v4
+        name: Save SBOM's to build
+        with:
+          name: opentelemetry-java-instrumentation-SBOM.zip
+          path: "sboms/*.json"
+
       - name: Generate release notes
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -162,6 +175,7 @@ jobs:
                             --title "Version $VERSION" \
                             --notes-file /tmp/release-notes.txt \
                             v$VERSION \
+                            opentelemetry-java-instrumentation-SBOM.zip \
                             opentelemetry-javaagent.jar
 
           echo "version=$VERSION" >> $GITHUB_OUTPUT
diff --git a/conventions/build.gradle.kts b/conventions/build.gradle.kts
@@ -62,6 +62,7 @@ dependencies {
   implementation("com.gradle.enterprise:com.gradle.enterprise.gradle.plugin:3.17")
   implementation("org.owasp:dependency-check-gradle:9.1.0")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:1.7.1")
+  implementation("org.spdx:spdx-gradle-plugin:0.5.0")
   // When updating, also update dependencyManagement/build.gradle.kts
   implementation("net.bytebuddy:byte-buddy-gradle-plugin:1.14.13")
   implementation("gradle.plugin.io.morethan.jmhreport:gradle-jmh-report:0.9.0")
diff --git a/javaagent/build.gradle.kts b/javaagent/build.gradle.kts
@@ -1,13 +1,15 @@
 import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
 import com.github.jk1.license.filter.LicenseBundleNormalizer
 import com.github.jk1.license.render.InventoryMarkdownReportRenderer
+import java.util.*
 
 plugins {
   id("com.github.jk1.dependency-license-report")
 
   id("otel.java-conventions")
   id("otel.publish-conventions")
   id("io.opentelemetry.instrumentation.javaagent-shadowing")
+  id("org.spdx.sbom")
 }
 
 description = "OpenTelemetry Javaagent"
@@ -271,6 +273,42 @@ with(components["java"] as AdhocComponentWithVariants) {
   }
 }
 
+spdxSbom {
+  targets {
+    // Create a target to match the published jar name.
+    // This is used for the task name (spdxSbomFor<SbomName>)
+    // and output file (<sbomName>.spdx.json).
+    create("opentelemetry-java_opentelemetry-javaagent") {
+      configurations.set(listOf("baseJavaagentLibs"))
+      scm {
+        uri.set("https://github.com/" + System.getenv("GITHUB_REPOSITORY"))
+        revision.set(System.getenv("GITHUB_SHA"))
+      }
+      document {
+        name.set("opentelemetry-java_opentelemetry-javaagent")
+        namespace.set("https://opentelemetry.io/spdx/" + UUID.randomUUID())
+      }
+    }
+  }
+}
+tasks.named("check") {
+  dependsOn("spdxSbom")
+}
+tasks.named("assemble") {
+  dependsOn("spdxSbom")
+}
+tasks.withType<AbstractPublishToMaven> {
+  dependsOn("spdxSbom")
+}
+project.afterEvaluate {
+  tasks.withType<PublishToMavenLocal>().configureEach {
+    this.getPublication().artifact("${layout.buildDirectory.get()}/spdx/opentelemetry-java_opentelemetry-javaagent.spdx.json") {
+      classifier = "spdx"
+      extension = "json"
+    }
+  }
+}
+
 licenseReport {
   outputDir = rootProject.file("licenses").absolutePath
 
