tmp

Author: snazy

build-logic/src/main/kotlin/polaris-sbom-bundle.gradle.kts

@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.util.Base64
+import org.cyclonedx.model.AttachmentText
+import org.cyclonedx.model.License
+import org.cyclonedx.model.LicenseChoice
+import org.cyclonedx.model.Property
+import org.gradle.plugins.signing.SigningExtension
+import publishing.GenerateDigest
+import sbom.CyclonedxBundleTask
+import sbom.createCyclonedxConfigurations
+
+plugins { id("org.cyclonedx.bom") }
+
+val bundleSboms by
+  configurations.creating {
+    isCanBeConsumed = false
+    isCanBeResolved = true
+  }
+
+val cyclonedxBundleBom = tasks.register<CyclonedxBundleTask>("cyclonedxBundleBom")
+
+cyclonedxBundleBom.configure {
+  inputBoms = bundleSboms
+  // The distribution itself has no dependencies, just components
+  includeDependencies = false
+
+  val relativeProjectDir = project.projectDir.relativeTo(project.rootProject.projectDir)
+  val gitInfo = GitInfo.memoized(project)
+
+  licenseChoice.set(
+    LicenseChoice().apply {
+      addLicense(
+        License().apply {
+          val gitCommit = GitInfo.memoized(project).gitHead
+          id = "Apache-2.0"
+          // TODO URL or text ??
+          url = gitInfo.rawGithubLink("$relativeProjectDir/LICENSE")
+          setLicenseText(
+            AttachmentText().apply() {
+              contentType = "plain/text"
+              encoding = "base64"
+              text = Base64.getEncoder().encodeToString(project.file("LICENSE").readBytes())
+            }
+          )
+
+          // TODO Is there a better way to include NOTICE + DISCLAIMER in a CycloneDX SBOM?
+          val props = mutableListOf<org.cyclonedx.model.Property>()
+          props.add(
+            Property().apply {
+              name = "NOTICE"
+              value = project.file("NOTICE").readText(Charsets.UTF_8).replace("\n", "\\n")
+            }
+          )
+          val disclaimerFile = project.file("DISCLAIMER")
+          if (disclaimerFile.isFile) {
+            props.add(
+              Property().apply {
+                name = "DISCLAIMER"
+                value = disclaimerFile.readText(Charsets.UTF_8).replace("\n", "\\n")
+              }
+            )
+          }
+          properties = props
+        }
+      )
+    }
+  )
+}
+
+createCyclonedxConfigurations(project, cyclonedxBundleBom)
+
+tasks.named("assemble") { dependsOn(cyclonedxBundleBom) }
+
+val digestJson =
+  tasks.register<GenerateDigest>("digestCyclonedxBundleBomJson") {
+    description = "Generate the distribution SBOM JSON digest"
+    dependsOn(cyclonedxBundleBom)
+    file.set(cyclonedxBundleBom.get().jsonOutput)
+  }
+
+val digestXml =
+  tasks.register<GenerateDigest>("digestCyclonedxBundleBomXml") {
+    description = "Generate the distribution SBOM XML digest"
+    dependsOn(cyclonedxBundleBom)
+    file.set(cyclonedxBundleBom.get().xmlOutput)
+  }
+
+cyclonedxBundleBom.configure {
+  finalizedBy(digestJson)
+  finalizedBy(digestXml)
+}
+
+if (project.hasProperty("release") || project.hasProperty("signArtifacts")) {
+  afterEvaluate {
+    plugins.withType<SigningPlugin>().configureEach {
+      configure<SigningExtension> {
+        sign(configurations.getByName("cyclonedxBundleBomAll"))
+
+        tasks.named("signCyclonedxBundleBomAll") {
+          dependsOn(cyclonedxBundleBom)
+        }
+      }
+    }
+  }
+}

runtime/distribution/build.gradle.kts

@@ -17,12 +17,6 @@
  * under the License.
  */
 
-import java.util.Base64
-import kotlin.apply
-import org.cyclonedx.model.AttachmentText
-import org.cyclonedx.model.License
-import org.cyclonedx.model.LicenseChoice
-import org.cyclonedx.model.Property
 import publishing.GenerateDigest
 import publishing.PublishingHelperPlugin
 import sbom.CyclonedxBundleTask
@@ -32,7 +26,7 @@ plugins {
   id("signing")
   id("polaris-spotless")
   id("polaris-reproducible")
-  id("org.cyclonedx.bom")
+  id("polaris-sbom-bundle")
 }
 
 description = "Apache Polaris Binary Distribution"
@@ -55,17 +49,21 @@ val serverDistribution by
     isCanBeResolved = true
   }
 
-val applicationsSboms by
-  configurations.creating {
-    isCanBeConsumed = false
-    isCanBeResolved = true
-  }
-
 dependencies {
   adminDistribution(project(":polaris-admin", "distributionElements"))
   serverDistribution(project(":polaris-server", "distributionElements"))
-  applicationsSboms(project(":polaris-admin", "cyclonedxDirectBomJson"))
-  applicationsSboms(project(":polaris-server", "cyclonedxDirectBomJson"))
+  bundleSboms(project(":polaris-admin", "cyclonedxDirectBomJson"))
+  bundleSboms(project(":polaris-server", "cyclonedxDirectBomJson"))
+}
+
+tasks.named<CyclonedxBundleTask>("cyclonedxBundleBom") {
+  val baseName = distributions.main.get().distributionBaseName.get()
+  jsonOutput.set(
+    project.layout.buildDirectory.file("distributions/$baseName-$version.cyclonedx.json")
+  )
+  xmlOutput.set(
+    project.layout.buildDirectory.file("distributions/$baseName-$version.cyclonedx.xml")
+  )
 }
 
 distributions {
@@ -92,60 +90,6 @@ distributions {
   }
 }
 
-tasks.register<CyclonedxBundleTask>("cyclonedxBundleBom") {
-  val baseName = distributions.main.get().distributionBaseName.get()
-  jsonOutput.set(project.layout.buildDirectory.file("distributions/$baseName-$version.json"))
-  xmlOutput.set(project.layout.buildDirectory.file("distributions/$baseName-$version.xml"))
-
-  inputBoms = applicationsSboms
-  // The distribution itself has no dependencies, just components
-  includeDependencies = false
-
-  val relativeProjectDir = project.projectDir.relativeTo(project.rootProject.projectDir)
-  val gitInfo = GitInfo.memoized(project)
-
-  licenseChoice.set(
-    LicenseChoice().apply {
-      addLicense(
-        License().apply {
-          val gitCommit = GitInfo.memoized(project).gitHead
-          id = "Apache-2.0"
-          // TODO URL or text ??
-          url = gitInfo.rawGithubLink("$relativeProjectDir/LICENSE")
-          setLicenseText(
-            AttachmentText().apply() {
-              contentType = "plain/text"
-              encoding = "base64"
-              text = Base64.getEncoder().encodeToString(project.file("LICENSE").readBytes())
-            }
-          )
-
-          // TODO Is there a better way to include NOTICE + DISCLAIMER in a CycloneDX SBOM?
-          val props = mutableListOf<org.cyclonedx.model.Property>()
-          props.add(
-            Property().apply {
-              name = "NOTICE"
-              value = project.file("NOTICE").readText(Charsets.UTF_8).replace("\n", "\\n")
-            }
-          )
-          val disclaimerFile = project.file("DISCLAIMER")
-          if (disclaimerFile.isFile) {
-            props.add(
-              Property().apply {
-                name = "DISCLAIMER"
-                value = disclaimerFile.readText(Charsets.UTF_8).replace("\n", "\\n")
-              }
-            )
-          }
-          properties = props
-        }
-      )
-    }
-  )
-}
-
-tasks.named("assemble") { dependsOn("cyclonedxBundleBom") }
-
 val distTar = tasks.named<Tar>("distTar") { compression = Compression.GZIP }
 
 val distZip = tasks.named<Zip>("distZip") {}