From 5b325847ca95d1bb90914b56a29bfcf86f657b09 Mon Sep 17 00:00:00 2001
From: Nelson Baby
Date: Fri, 3 Apr 2026 16:58:28 -0400
Subject: [PATCH] build: add CycloneDX SBOM generation support
- Add docling-sbom.gradle.kts plugin for SBOM generation
- Integrate SBOM artifacts into Maven publications
- Add CycloneDX Gradle plugin dependency
- Configure cyclonedxDirectBom task in build group
Signed-off-by: Nelson Baby
---
 buildSrc/build.gradle.kts | 1 +
 buildSrc/src/main/kotlin/docling-release.gradle.kts | 13 +++++++++++++
 buildSrc/src/main/kotlin/docling-sbom.gradle.kts | 8 ++++++++
 gradle/libs.versions.toml | 3 +++
 4 files changed, 25 insertions(+)
 create mode 100644 buildSrc/src/main/kotlin/docling-sbom.gradle.kts
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
index a27aed8e..294fe0b7 100644
--- a/buildSrc/build.gradle.kts
+++ b/buildSrc/build.gradle.kts
@@ -9,6 +9,7 @@ repositories {
 dependencies {
 implementation("org.yaml:snakeyaml:2.6")
+ implementation(libs.cyclonedx.gradle)
 implementation(libs.lombok.gradle)
 implementation(libs.spotless.gradle)
 }
diff --git a/buildSrc/src/main/kotlin/docling-release.gradle.kts b/buildSrc/src/main/kotlin/docling-release.gradle.kts
index df75b350..cd3a2174 100644
--- a/buildSrc/src/main/kotlin/docling-release.gradle.kts
+++ b/buildSrc/src/main/kotlin/docling-release.gradle.kts
@@ -1,4 +1,5 @@
 plugins {
+ id("docling-sbom")
 `maven-publish`
 }
@@ -13,6 +14,18 @@ publishing {
 create("maven") {
 from(components["java"])
+ // Attach SBOM artifacts to publication
+ val cyclonedxTask = tasks.named("cyclonedxDirectBom")
+ afterEvaluate {
+ cyclonedxTask.get().outputs.files.forEach { file ->
+ artifact(file) {
+ classifier = "cyclonedx"
+ extension = file.extension
+ builtBy(cyclonedxTask)
+ }
+ }
+ }
+
 pom {
 url = "https://docling-project.github.io/docling-java"
 name = project.name
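Review bot: The `afterEvaluate` block inside `create("maven")` publishes every file the task declares as an output under the single classifier `cyclonedx`, and `cyclonedxTask.get()` realises the task at configuration time. If the output set ever contains a directory, or two files with the same extension, the publication either fails or ships something other than the intended BOM. Restricting the loop to the expected formats keeps the published set fixed, for example `cyclonedxTask.get().outputs.files.filter { it.extension in setOf("json", "xml") }.forEach { file ->`. Whether the release signing setup covers these extra artifacts is not visible in this patch and is worth confirming, since consumers will treat the attached SBOM as authoritative. The `publishing` block starts and ends outside the hunk.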
diff --git a/buildSrc/src/main/kotlin/docling-sbom.gradle.kts b/buildSrc/src/main/kotlin/docling-sbom.gradle.kts
new file mode 100644
index 00000000..2f218765
--- /dev/null
+++ b/buildSrc/src/main/kotlin/docling-sbom.gradle.kts
@@ -0,0 +1,8 @@
+plugins {
+ id("org.cyclonedx.bom")
+}
+
+tasks.named("cyclonedxDirectBom") {
+ group = "build"
+ description = "Generates a per-project CycloneDX Software Bill of Materials (SBOM)"
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 0573756c..c52a27c3 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -17,6 +17,7 @@ quarkus = "3.34.2"
 quarkus-github-api = "1.330.0"
 quarkus-wiremock = "1.6.1"
 wiremock = "3.13.2"
+cyclonedx = "3.2.3"
 [libraries]
 # assertj
@@ -26,6 +27,7 @@ assertj-core = { group = "org.assertj", name = "assertj-core", version.ref = "as
 awaitility = { group = "org.awaitility", name = "awaitility", version.ref = "awaitility" }
 # lombok-gradle
+cyclonedx-gradle = { group = "org.cyclonedx", name = "cyclonedx-gradle-plugin", version.ref = "cyclonedx" }
 lombok-gradle = { group = "io.freefair.lombok", name = "io.freefair.lombok.gradle.plugin", version.ref = "lombok-gradle" }
 spotless-gradle = { group = "com.diffplug.spotless", name = "spotless-plugin-gradle", version.ref = "spotless" }
@@ -63,6 +65,7 @@ quarkus-wiremock-test = { group = "io.quarkiverse.wiremock", name = "quarkus-wir
 wiremock = { group = "org.wiremock", name = "wiremock", version.ref = "wiremock" }
 [plugins]
+cyclonedx = { id = "org.cyclonedx.bom", version.ref = "cyclonedx" }
 lombok = { id = "io.freefair.lombok", version.ref = "lombok-gradle" }
 quarkus = { id = "io.quarkus", version.ref = "quarkus" }
 module-info = { id = "org.gradlex.extra-java-module-info", version.ref = "module-info" }
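Review bot: The new convention plugin leaves every CycloneDX setting at the plugin default and documents the task only through its `description`, so nothing in the file says which dependency configurations the BOM is meant to describe. Because docling-release attaches this task's output to the Maven publication, a header comment would help, for example `// Output is attached to the Maven publication by docling-release; keep the BOM scoped to what ships in the artifact.` If the defaults also pull in test-only or build-only configurations (not determinable from this hunk), narrowing the scope here would keep the published inventory accurate for consumers who match it against vulnerability data.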
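Review bot: In the `[libraries]` hunk the new `cyclonedx-gradle` entry sits directly under the existing `# lombok-gradle` comment, so that comment now labels a line it does not describe. Giving the entry its own heading, `# cyclonedx-gradle`, and leaving `# lombok-gradle` immediately above `lombok-gradle` keeps the catalog's grouping readable. The exact pin `cyclonedx = "3.2.3"` in the first hunk is appropriate for a plugin that runs during the build. If the repository uses Gradle dependency verification, its metadata would also need the new plugin's checksums, which this patch does not show.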