From ae0bf240d76130bbae58e72a960aadf5b440e4d6 Mon Sep 17 00:00:00 2001
From: Andreas Dangel <andreas.dangel@pmd-code.org>
Date: Thu, 6 Apr 2023 12:49:37 +0200
Subject: [PATCH] Provide Software Bill of Materials (SBOM)

- Add cyclonedx plugin to generate SBOM (Software Bill of Materials)
- The SBOM is attached and deployed into maven central
- The SBOM is also included in the binary distribution of PMD

See https://github.com/CycloneDX/cyclonedx-maven-plugin
---
 docs/pages/release_notes.md                   |  3 +++
 .../src/main/resources/assemblies/pmd-bin.xml | 13 ++++++++++
 .../pmd/it/BinaryDistributionIT.java          |  2 ++
 pom.xml                                       | 25 +++++++++++++++++++
 4 files changed, 43 insertions(+)

diff --git a/docs/pages/release_notes.md b/docs/pages/release_notes.md
index b875222f4d..a6a58421b7 100644
--- a/docs/pages/release_notes.md
+++ b/docs/pages/release_notes.md
@@ -40,6 +40,8 @@ This section lists the most important changes from the last release candidate.
 The remaining section describe the complete release notes for 7.0.0.
 
 Fixed Issues:
+* miscellaneous
+  * [#4462](https://github.com/pmd/pmd/issues/4462): Provide Software Bill of Materials (SBOM)
 * java-codestyle
   * [#4273](https://github.com/pmd/pmd/issues/4273): \[java] CommentDefaultAccessModifier ignoredAnnotations should include "org.junit.jupiter.api.extension.RegisterExtension" by default
 * java-errorprone
@@ -208,6 +210,7 @@ See [Detailed Release Notes for PMD 7](pmd_release_notes_pmd7.html).
     * [#2497](https://github.com/pmd/pmd/issues/2497): PMD 7 Logo page
     * [#2498](https://github.com/pmd/pmd/issues/2498): Update PMD 7 Logo in documentation
     * [#3797](https://github.com/pmd/pmd/issues/3797): \[all] Use JUnit5
+    * [#4462](https://github.com/pmd/pmd/issues/4462): Provide Software Bill of Materials (SBOM)
 * ant
     * [#4080](https://github.com/pmd/pmd/issues/4080): \[ant] Split off Ant integration into a new submodule
 * core
diff --git a/pmd-dist/src/main/resources/assemblies/pmd-bin.xml b/pmd-dist/src/main/resources/assemblies/pmd-bin.xml
index 2215aa3265..738017141b 100644
--- a/pmd-dist/src/main/resources/assemblies/pmd-bin.xml
+++ b/pmd-dist/src/main/resources/assemblies/pmd-bin.xml
@@ -53,6 +53,19 @@
         </fileSet>
     </fileSets>
 
+    <files>
+        <file>
+            <source>target/bom.xml</source>
+            <outputDirectory>sbom</outputDirectory>
+            <destName>pmd-${project.version}-cyclonedx.xml</destName>
+        </file>
+        <file>
+            <source>target/bom.json</source>
+            <outputDirectory>sbom</outputDirectory>
+            <destName>pmd-${project.version}-cyclonedx.json</destName>
+        </file>
+    </files>
+
     <dependencySets>
         <!-- shell completion goes to shell/ -->
         <dependencySet>
diff --git a/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java b/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java
index c1331cbd67..569c17e5cd 100644
--- a/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java
+++ b/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java
@@ -87,6 +87,8 @@ class BinaryDistributionIT extends AbstractBinaryDistributionTest {
         result.add(basedir + "shell/pmd-completion.sh");
         result.add(basedir + "lib/pmd-core-" + PMDVersion.VERSION + ".jar");
         result.add(basedir + "lib/pmd-java-" + PMDVersion.VERSION + ".jar");
+        result.add(basedir + "sbom/pmd-" + PMDVersion.VERSION + "-cyclonedx.xml");
+        result.add(basedir + "sbom/pmd-" + PMDVersion.VERSION + "-cyclonedx.json");
         return result;
     }
 
diff --git a/pom.xml b/pom.xml
index a2b90df0c5..353eb10d90 100644
--- a/pom.xml
+++ b/pom.xml
@@ -503,6 +503,11 @@
                     <artifactId>jacoco-maven-plugin</artifactId>
                     <version>0.8.8</version>
                 </plugin>
+                <plugin>
+                    <groupId>org.cyclonedx</groupId>
+                    <artifactId>cyclonedx-maven-plugin</artifactId>
+                    <version>2.7.6</version>
+                </plugin>
                 <!--This plugin's configuration is used to store Eclipse
                     m2e settings only. It has no influence on the Maven build itself. -->
                 <plugin>
@@ -624,6 +629,26 @@
                     <nexusUrl>https://oss.sonatype.org/</nexusUrl>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>makeAggregateBom</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <!-- https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/326 -->
+                <dependencies>
+                    <dependency>
+                        <groupId>org.ow2.asm</groupId>
+                        <artifactId>asm</artifactId>
+                        <version>9.5</version>
+                    </dependency>
+                </dependencies>
+            </plugin>
         </plugins>
     </build>