diff --git a/.ci/build.sh b/.ci/build.sh
index 5f4d321698..2479f35e82 100755
--- a/.ci/build.sh
+++ b/.ci/build.sh
@@ -179,6 +179,11 @@ function pmd_ci_deploy_build_artifacts() {
# Deploy to sourceforge files https://sourceforge.net/projects/pmd/files/pmd/
pmd_ci_sourceforge_uploadFile "pmd/${PMD_CI_MAVEN_PROJECT_VERSION}" "pmd-dist/target/pmd-bin-${PMD_CI_MAVEN_PROJECT_VERSION}.zip"
pmd_ci_sourceforge_uploadFile "pmd/${PMD_CI_MAVEN_PROJECT_VERSION}" "pmd-dist/target/pmd-src-${PMD_CI_MAVEN_PROJECT_VERSION}.zip"
+ # Deploy SBOM
+ cp pmd-dist/target/bom.xml "pmd-dist/target/pmd-${PMD_CI_MAVEN_PROJECT_VERSION}-cyclonedx.xml"
+ cp pmd-dist/target/bom.json "pmd-dist/target/pmd-${PMD_CI_MAVEN_PROJECT_VERSION}-cyclonedx.json"
+ pmd_ci_sourceforge_uploadFile "pmd/${PMD_CI_MAVEN_PROJECT_VERSION}" "pmd-dist/target/pmd-${PMD_CI_MAVEN_PROJECT_VERSION}-cyclonedx.xml"
+ pmd_ci_sourceforge_uploadFile "pmd/${PMD_CI_MAVEN_PROJECT_VERSION}" "pmd-dist/target/pmd-${PMD_CI_MAVEN_PROJECT_VERSION}-cyclonedx.json"
if pmd_ci_maven_isReleaseBuild; then
# create a draft github release
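Review bot: The two `cp` calls on the added lines assume `pmd-dist/target/bom.xml` and `bom.json` exist; if the aggregate BOM was not produced, the copy fails only after both zips have already been uploaded, so the SourceForge directory ends up with binaries but no SBOM, and whether the failure stops the script at all depends on the `set -e` setting, which is outside the hunk. A guard ahead of the uploads makes the requirement explicit: `[[ -f pmd-dist/target/bom.xml && -f pmd-dist/target/bom.json ]] || { echo "SBOM not found in pmd-dist/target" >&2; return 1; }`. The renamed path is spelled out six times across this hunk and the GitHub-release hunk below; a pair of locals such as `local sbom_xml="pmd-dist/target/pmd-${PMD_CI_MAVEN_PROJECT_VERSION}-cyclonedx.xml"` would keep the SourceForge and GitHub upload targets in sync. If the zip artifacts are checksummed or signed elsewhere in `pmd_ci_deploy_build_artifacts` (the function starts before this hunk), the SBOM files should go through the same step so that downloaders can verify the SBOM alongside the distribution.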
@@ -188,6 +193,9 @@ function pmd_ci_deploy_build_artifacts() {
# Deploy to github releases
pmd_ci_gh_releases_uploadAsset "$GH_RELEASE" "pmd-dist/target/pmd-bin-${PMD_CI_MAVEN_PROJECT_VERSION}.zip"
pmd_ci_gh_releases_uploadAsset "$GH_RELEASE" "pmd-dist/target/pmd-src-${PMD_CI_MAVEN_PROJECT_VERSION}.zip"
+ # Deploy SBOM
+ pmd_ci_gh_releases_uploadAsset "$GH_RELEASE" "pmd-dist/target/pmd-${PMD_CI_MAVEN_PROJECT_VERSION}-cyclonedx.xml"
+ pmd_ci_gh_releases_uploadAsset "$GH_RELEASE" "pmd-dist/target/pmd-${PMD_CI_MAVEN_PROJECT_VERSION}-cyclonedx.json"
fi
}
diff --git a/docs/pages/release_notes.md b/docs/pages/release_notes.md
index 49fedcfcbf..651130d040 100644
--- a/docs/pages/release_notes.md
+++ b/docs/pages/release_notes.md
@@ -40,6 +40,8 @@ This section lists the most important changes from the last release candidate.
The remaining section describe the complete release notes for 7.0.0.
Fixed Issues:
+* miscellaneous
+ * [#4462](https://github.com/pmd/pmd/issues/4462): Provide Software Bill of Materials (SBOM)
* java-codestyle
* [#4273](https://github.com/pmd/pmd/issues/4273): \[java] CommentDefaultAccessModifier ignoredAnnotations should include "org.junit.jupiter.api.extension.RegisterExtension" by default
* java-errorprone
@@ -208,6 +210,7 @@ See [Detailed Release Notes for PMD 7](pmd_release_notes_pmd7.html).
* [#2497](https://github.com/pmd/pmd/issues/2497): PMD 7 Logo page
* [#2498](https://github.com/pmd/pmd/issues/2498): Update PMD 7 Logo in documentation
* [#3797](https://github.com/pmd/pmd/issues/3797): \[all] Use JUnit5
+ * [#4462](https://github.com/pmd/pmd/issues/4462): Provide Software Bill of Materials (SBOM)
* ant
* [#4080](https://github.com/pmd/pmd/issues/4080): \[ant] Split off Ant integration into a new submodule
* core
diff --git a/pmd-dist/src/main/resources/assemblies/pmd-bin.xml b/pmd-dist/src/main/resources/assemblies/pmd-bin.xml
index aa5a06faab..8d67eb9662 100644
--- a/pmd-dist/src/main/resources/assemblies/pmd-bin.xml
+++ b/pmd-dist/src/main/resources/assemblies/pmd-bin.xml
@@ -53,6 +53,19 @@
+
+
+ target/bom.xml
+ sbom
+ pmd-${project.version}-cyclonedx.xml
+
+
+ target/bom.json
+ sbom
+ pmd-${project.version}-cyclonedx.json
+
+
+
diff --git a/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java b/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java
index c1331cbd67..569c17e5cd 100644
--- a/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java
+++ b/pmd-dist/src/test/java/net/sourceforge/pmd/it/BinaryDistributionIT.java
@@ -87,6 +87,8 @@ class BinaryDistributionIT extends AbstractBinaryDistributionTest {
result.add(basedir + "shell/pmd-completion.sh");
result.add(basedir + "lib/pmd-core-" + PMDVersion.VERSION + ".jar");
result.add(basedir + "lib/pmd-java-" + PMDVersion.VERSION + ".jar");
+ result.add(basedir + "sbom/pmd-" + PMDVersion.VERSION + "-cyclonedx.xml");
+ result.add(basedir + "sbom/pmd-" + PMDVersion.VERSION + "-cyclonedx.json");
return result;
}
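Review bot: The two added entries only assert that the SBOM files are present in the archive, not that they contain a CycloneDX document; an empty or truncated `bom.xml` picked up by the assembly would still pass. If this list feeds an existence-only check (the consumer of `result` and the enclosing method's signature are outside the hunk), a follow-up assertion that the extracted `sbom/pmd-<version>-cyclonedx.json` parses and lists at least one component would catch a broken SBOM before it ships.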
diff --git a/pom.xml b/pom.xml
index 2368d22bfd..79cc63a327 100644
--- a/pom.xml
+++ b/pom.xml
@@ -503,6 +503,11 @@
jacoco-maven-plugin
0.8.8
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+ 2.7.6
+
@@ -624,6 +629,26 @@
https://oss.sonatype.org/
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+
+
+ package
+
+ makeAggregateBom
+
+
+
+
+
+
+ org.ow2.asm
+ asm
+ 9.5
+
+
+