Implement and document SBOM (#1707)

vy · vy · commit ee9c39b3f646 · 2023-10-20T14:54:33.000+02:00
diff --git a/pom.xml b/pom.xml
@@ -524,6 +524,26 @@
 
     <plugins>
 
+      <!-- `cyclonedx-maven-plugin` doesn't exclude not installed/deployed modules: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/409
+           This `generate-sbom` execution override configures such exclusions. -->
+      <plugin>
+        <groupId>org.cyclonedx</groupId>
+        <artifactId>cyclonedx-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>generate-sbom</id>
+            <configuration combine.self="append">
+              <excludeArtifactId>log4j-api-java9</excludeArtifactId>
+              <excludeArtifactId>log4j-core-its</excludeArtifactId>
+              <excludeArtifactId>log4j-core-java9</excludeArtifactId>
+              <excludeArtifactId>log4j-layout-template-json-test</excludeArtifactId>
+              <excludeArtifactId>log4j-osgi-test</excludeArtifactId>
+              <excludeArtifactId>log4j-perf-test</excludeArtifactId>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+
       <!-- Enable BOM flattening -->
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
diff --git a/src/site/markdown/maven-artifacts.md.vm b/src/site/markdown/maven-artifacts.md.vm
@@ -123,15 +123,14 @@ To build with [SBT](http://www.scala-sbt.org/), add the dependencies listed belo
 
 #sbt(['log4j-api', 'log4j-core'])
 
-$h2 Bill of Material
+$h2 Maven Bill of Materials (BOM)
 
-To keep your Log4j module versions in sync with each other, a
-<abbr id="Bill of Material">BOM</abbr>
-pom.xml file is provided for your convenience. To use this with
-[Maven](https://maven.apache.org/), add the dependency listed below to your
-`pom.xml`
-file. When you specify the version identifier in this section, you don't have to specify the version in your
-`<dependencies/>` section.
+To keep your Log4j module versions aligned, a [Maven Bill of Materials (BOM) POM](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms) is provided for your convenience.
+
+To use this with Maven, add the dependency listed below to your `pom.xml` file.
+Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
+This will *import* all modules bundled with the associated Log4j release to your `dependencyManagement`.
+As a result, you don't have to specify versions of the imported modules (`log4j-api`, `log4j-core`, etc.) while adding them using `<dependency>` elements.
 
 `pom.xml`
 
@@ -188,6 +187,11 @@ dependencies {
 }
 ```
 
+$h2 CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `2.22.0`, Log4j distributes [CyclenoDX Software Bill of Materials (SBOM)](https://cyclonedx.org/capabilities/sbom/) along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
+
 $h2 Optional Components
 
 Log4j 2.x contains several optional components that can be included in an application.
diff --git a/src/site/site.xml b/src/site/site.xml
@@ -46,13 +46,14 @@
       <item name="Download" href="/download.html"/>
       <item name="Support" href="/support.html"/>
       <item name="Maven, Ivy, Gradle Artifacts" href="/maven-artifacts.html" collapse="true">
-        <item name="Maven" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Maven_build" />
-        <item name="Ivy" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Ivy_build" />
-        <item name="Gradle" href="/maven-artifacts.html#Using_Log4j_in_your_Gradle_build" />
-        <item name="SBT" href="/maven-artifacts.html#Using_Log4j_in_your_SBT_build" />
-        <item name="Bill of Material" href="/maven-artifacts.html#Bill_of_Material" />
-        <item name="Optional Components" href="/maven-artifacts.html#Optional_Components" />
-        <item name="Snapshot builds" href="/maven-artifacts.html#Snapshot_builds" />
+        <item name="Maven" href="/maven-artifacts.html#using-log4j-in-your-apache-maven-build" />
+        <item name="Ivy" href="/maven-artifacts.html#using-log4j-in-your-apache-ivy-build" />
+        <item name="Gradle" href="/maven-artifacts.html#using-log4j-in-your-gradle-build" />
+        <item name="SBT" href="/maven-artifacts.html#using-log4j-in-your-sbt-build" />
+        <item name="Maven Bill of Materials (BOM)" href="/maven-artifacts.html#maven-bill-of-materials-bom" />
+        <item name="CycloneDX Software Bill of Materials (SBOM)" href="/maven-artifacts.html#cyclonedx-software-bill-of-materials-sbom" />
+        <item name="Optional Components" href="/maven-artifacts.html#optional-components" />
+        <item name="Snapshot builds" href="/maven-artifacts.html#snapshot-builds" />
       </item>
       <item name="Release Notes" href="/release-notes.html"/>
       <item name="FAQ" href="/faq.html"/>
