Implement and document SBOM support (apache/logging-log4j2#1707)

vy · vy · commit eab4c2095e10 · 2023-10-22T22:55:58.000+02:00
diff --git a/pom.xml b/pom.xml
@@ -15,14 +15,14 @@
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" child.project.url.inherit.append.path="false" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
   <modelVersion>4.0.0</modelVersion>
 
   <parent>
     <groupId>org.apache.logging</groupId>
     <artifactId>logging-parent</artifactId>
-    <version>10.1.1</version>
+    <version>10.2.0</version>
     <relativePath />
   </parent>
 
@@ -101,7 +101,7 @@
     <module>log4j-api-kotlin-benchmark</module>
   </modules>
 
-  <scm>
+  <scm child.scm.connection.inherit.append.path="false" child.scm.developerConnection.inherit.append.path="false" child.scm.url.inherit.append.path="false">
     <connection>scm:git:git@github.com:apache/logging-log4j-kotlin.git</connection>
     <developerConnection>scm:git:git@github.com:apache/logging-log4j-kotlin.git</developerConnection>
     <tag>HEAD</tag>
@@ -118,6 +118,10 @@
     <url>https://github.com/apache/logging-log4j-kotlin/actions</url>
   </ciManagement>
 
+  <distributionManagement>
+    <downloadUrl>https://logging.apache.org/log4j/kotlin/latest/#distribution</downloadUrl>
+  </distributionManagement>
+
   <properties>
 
     <!-- project version -->
@@ -261,6 +265,22 @@
 
     <plugins>
 
+      <!-- `cyclonedx-maven-plugin` doesn't exclude not installed/deployed modules: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/409
+           This `generate-sbom` execution override configures such exclusions. -->
+      <plugin>
+        <groupId>org.cyclonedx</groupId>
+        <artifactId>cyclonedx-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>generate-sbom</id>
+            <configuration combine.self="append">
+              <excludeArtifactId>log4j-api-kotlin-benchmark</excludeArtifactId>
+              <excludeArtifactId>log4j-api-kotlin-sample</excludeArtifactId>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
       <plugin>
         <groupId>org.jetbrains.kotlin</groupId>
         <artifactId>kotlin-maven-plugin</artifactId>
diff --git a/src/changelog/.1.x.x/add-sbom.xml b/src/changelog/.1.x.x/add-sbom.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns="http://logging.apache.org/log4j/changelog"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+       type="added">
+  <author id="github:vy"/>
+  <description format="asciidoc">Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`</description>
+</entry>
diff --git a/src/changelog/.1.x.x/update-parent.xml b/src/changelog/.1.x.x/update-parent.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns="http://logging.apache.org/log4j/changelog"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+       type="changed">
+  <author id="github:vy"/>
+  <description format="asciidoc">Update `org.apache.logging:logging-parent` to version `10.2.0`</description>
+</entry>
diff --git a/src/changelog/1.0.0/.release.xml b/src/changelog/1.0.0/.release.xml
@@ -17,5 +17,5 @@
   -->
 <release xmlns="http://logging.apache.org/log4j/changelog"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
          date="2018-11-03" version="1.0.0"/>
diff --git a/src/changelog/1.0.0/LOG4J2-1705_Create_Kotlin_API.xml b/src/changelog/1.0.0/LOG4J2-1705_Create_Kotlin_API.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="LOG4J2-3556" link="https://issues.apache.org/jira/browse/LOG4J2-1705"/>
   <author id="github:jvz"/>
diff --git a/src/changelog/1.0.0/LOG4J2-2432_Make_namedLogger_more_discoverable.xml b/src/changelog/1.0.0/LOG4J2-2432_Make_namedLogger_more_discoverable.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <issue id="LOG4J2-2432" link="https://issues.apache.org/jira/browse/LOG4J2-2432"/>
   <author id="github:jvz"/>
diff --git a/src/changelog/1.1.0/.release.xml b/src/changelog/1.1.0/.release.xml
@@ -17,5 +17,5 @@
   -->
 <release xmlns="http://logging.apache.org/log4j/changelog"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
          date="2021-08-28" version="1.1.0"/>
diff --git a/src/changelog/1.1.0/LOG4J2-2433_Support_MDCs_with_coroutines.xml b/src/changelog/1.1.0/LOG4J2-2433_Support_MDCs_with_coroutines.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="LOG4J2-2433" link="https://issues.apache.org/jira/browse/LOG4J2-2433"/>
   <author id="github:rocketraman"/>
diff --git a/src/changelog/1.1.0/LOG4J2-2518_Support_suspend_functions.xml b/src/changelog/1.1.0/LOG4J2-2518_Support_suspend_functions.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="LOG4J2-2518" link="https://issues.apache.org/jira/browse/LOG4J2-2518"/>
   <author id="github:rocketraman"/>
diff --git a/src/changelog/1.1.0/LOG4J2-2843_Update_Kotlin_baseline_to_1.3.72.xml b/src/changelog/1.1.0/LOG4J2-2843_Update_Kotlin_baseline_to_1.3.72.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <issue id="LOG4J2-2843" link="https://issues.apache.org/jira/browse/LOG4J2-2843"/>
   <author id="github:rocketraman"/>
diff --git a/src/changelog/1.2.0/.release.xml b/src/changelog/1.2.0/.release.xml
@@ -17,5 +17,5 @@
   -->
 <release xmlns="http://logging.apache.org/log4j/changelog"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+         xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
          date="2021-12-20" version="1.2.0"/>
diff --git a/src/changelog/1.2.0/LOG4J2-3218_Update_Log4j_baseline.xml b/src/changelog/1.2.0/LOG4J2-3218_Update_Log4j_baseline.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <issue id="LOG4J2-3218" link="https://issues.apache.org/jira/browse/LOG4J2-3218"/>
   <author id="github:rocketraman"/>
diff --git a/src/changelog/1.3.0/28-Update_Log4j_baseline.xml b/src/changelog/1.3.0/28-Update_Log4j_baseline.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <author id="github:vy"/>
   <description format="asciidoc">Updated Log4j dependency to `2.20.0`</description>
diff --git a/src/changelog/1.3.0/29-Add_extension_property_for_logger.xml b/src/changelog/1.3.0/29-Add_extension_property_for_logger.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="29" link="https://github.com/apache/logging-log4j-kotlin/issues/29"/>
   <author id="github:jvz"/>
diff --git a/src/changelog/1.3.0/30-Add_facade_APIs_for_ThreadContext.xml b/src/changelog/1.3.0/30-Add_facade_APIs_for_ThreadContext.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="30" link="https://github.com/apache/logging-log4j-kotlin/issues/30"/>
   <author id="github:jvz"/>
diff --git a/src/changelog/1.3.0/32-Catching_Throwing.xml b/src/changelog/1.3.0/32-Catching_Throwing.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <issue id="32" link="https://github.com/apache/logging-log4j-kotlin/issues/32"/>
   <author id="github:rocketraman"/>
diff --git a/src/changelog/1.3.0/37-facelift.xml b/src/changelog/1.3.0/37-facelift.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <issue id="37" link="https://github.com/apache/logging-log4j-kotlin/pull/37"/>
   <author id="github:vy"/>
diff --git a/src/changelog/1.3.0/JPMS.xml b/src/changelog/1.3.0/JPMS.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="added">
   <author id="github:vy"/>
   <description format="asciidoc">Added JPMS support and used `org.apache.logging.log4j.api.kotlin` for the module name (identical to OSGi `Bundle-SymbolicName`) of the `log4j-api-kotlin` artifact</description>
diff --git a/src/changelog/1.3.0/OSGi-Bundle-SymbolicName.xml b/src/changelog/1.3.0/OSGi-Bundle-SymbolicName.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <author id="github:vy"/>
   <description format="asciidoc">Renamed OSGi `Bundle-SymbolicName` from `org.apache.logging.log4j.kotlin` to `org.apache.logging.log4j.api.kotlin`</description>
diff --git a/src/changelog/1.3.0/dokka.xml b/src/changelog/1.3.0/dokka.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="removed">
   <author id="github:vy"/>
   <description format="asciidoc">Stopped exporting KDoc to HTML</description>
diff --git a/src/changelog/1.3.0/junit5.xml b/src/changelog/1.3.0/junit5.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <author id="github:vy"/>
   <description format="asciidoc">Migrated tests to JUnit 5</description>
diff --git a/src/changelog/1.3.0/kotlin-baseline.xml b/src/changelog/1.3.0/kotlin-baseline.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <author id="github:breun"/>
   <author id="github:vy"/>
diff --git a/src/changelog/1.3.0/skip-deploy.xml b/src/changelog/1.3.0/skip-deploy.xml
@@ -1,6 +1,6 @@
 <entry xmlns="http://logging.apache.org/log4j/changelog"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.1.xsd"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
        type="changed">
   <author id="github:vy"/>
   <description format="asciidoc">Skipped deploying `log4j-api-kotlin-benchmark` and `log4j-api-kotlin-sample` modules</description>
diff --git a/src/site/_release-notes.adoc b/src/site/_release-notes.adoc
@@ -36,6 +36,7 @@
 [#release-notes]
 == Release Notes
 
+include::_release-notes/_1.x.x.adoc[]
 include::_release-notes/_1.3.0.adoc[]
 include::_release-notes/_1.2.0.adoc[]
 include::_release-notes/_1.1.0.adoc[]
diff --git a/src/site/_release-notes/_1.x.x.adoc b/src/site/_release-notes/_1.x.x.adoc
@@ -40,3 +40,11 @@
 
 This minor release bumps the Kotlin baseline to 1.6.21 and contains various small improvements.
 
+
+==== Added
+
+* Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`
+
+==== Changed
+
+* Update `org.apache.logging:logging-parent` to version `10.2.0`
diff --git a/src/site/index.adoc b/src/site/index.adoc
@@ -195,8 +195,6 @@ class MyClass: BaseClass {
 
 This is also needed in scopes that do not have a `this` object, such as top-level functions.
 
-
-
 [#development]
 == Development
 
@@ -228,6 +226,13 @@ In accordance with the Apache Software Foundation's release https://infra.apache
 * ASF https://downloads.apache.org/logging/{project-id}[Distribution directory]
 
 See xref:#release-instructions[the release instructions] for details.
+[#maven-bom]
+
+[#cyclonedx-sbom]
+=== CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `1.4.0`, {project-name} distributes https://cyclonedx.org/capabilities/sbom/[CyclenoDX Software Bill of Materials (SBOM)] along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
 
 [#support]
 == Support
