From 5754be36f191a30109dc6612dcace68462414855 Mon Sep 17 00:00:00 2001
From: Moritz Halbritter
Date: Mon, 14 Oct 2024 11:37:54 +0200
Subject: [PATCH] Improve documentation for CycloneDX integration
Closes gh-41506
---
 .../antora-asciidoc-attributes.properties | 4 ++-
 .../antora/modules/how-to/pages/build.adoc | 31 +++++++++++++++++++
 .../reference/pages/actuator/endpoints.adoc | 27 ++-------------
 .../modules/gradle-plugin/pages/reacting.adoc | 9 ++++++
 4 files changed, 45 insertions(+), 26 deletions(-)
diff --git a/buildSrc/src/main/resources/org/springframework/boot/build/antora/antora-asciidoc-attributes.properties b/buildSrc/src/main/resources/org/springframework/boot/build/antora/antora-asciidoc-attributes.properties
index 431d73265bff..992d303bef70 100644
--- a/buildSrc/src/main/resources/org/springframework/boot/build/antora/antora-asciidoc-attributes.properties
+++ b/buildSrc/src/main/resources/org/springframework/boot/build/antora/antora-asciidoc-attributes.properties
@@ -7,6 +7,9 @@ include-kotlin= ROOT:example$kotlin/org/springframework/boot/docs
 url-ant-docs=https://ant.apache.org/manual
 url-buildpacks-docs=https://buildpacks.io/docs
+url-cyclonedx-docs-gradle-plugin=https://github.com/CycloneDX/cyclonedx-gradle-plugin
+url-cyclonedx-docs-maven-plugin=https://github.com/CycloneDX/cyclonedx-maven-plugin
+url-download-liberica-nik=https://bell-sw.com/pages/downloads/native-image-kit/#/nik-22-17
 url-dynatrace-docs=https://docs.dynatrace.com/docs
 url-dynatrace-docs-shortlink={url-dynatrace-docs}/shortlink
 url-github-raw=https://raw.githubusercontent.com/{github-repo}/{github-ref}
@@ -25,7 +28,6 @@ url-gradle-javadoc=https://docs.gradle.org/current/javadoc
 url-kotlin-docs-kotlin-plugin={url-kotlin-docs}/using-gradle.html
 url-micrometer-docs-concepts={url-micrometer-docs}/concepts
 url-micrometer-docs-implementations={url-micrometer-docs}/implementations
-url-download-liberica-nik=https://bell-sw.com/pages/downloads/native-image-kit/#/nik-22-17
 url-native-build-tools-docs=https://graalvm.github.io/native-build-tools/{version-native-build-tools}
 url-native-build-tools-docs-gradle-plugin={url-native-build-tools-docs}/gradle-plugin.html
 url-native-build-tools-docs-maven-plugin={url-native-build-tools-docs}/maven-plugin.html
diff --git a/spring-boot-project/spring-boot-docs/src/docs/antora/modules/how-to/pages/build.adoc b/spring-boot-project/spring-boot-docs/src/docs/antora/modules/how-to/pages/build.adoc
index 49c67dd550fe..a1f69de53832 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/antora/modules/how-to/pages/build.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/antora/modules/how-to/pages/build.adoc
@@ -87,6 +87,37 @@ Using this format lets the time be parsed into a `Date` and its format, when ser
+[[howto.build.generate-cyclonedx-sbom]]
+== Generate a CycloneDX SBOM
+
+Both Maven and Gradle allow generating a CycloneDX SBOM at project build time.
+
+For Maven users, the `spring-boot-starter-parent` POM includes a pre-configured plugin to generate the SBOM.
+To use it, add the following declaration for the {url-cyclonedx-docs-maven-plugin}[`cyclonedx-maven-plugin`] to your POM:
+
+[source,xml]
+----
+
+
+ org.cyclonedx
+ cyclonedx-maven-plugin
+
+
+
+----
+
+Gradle users can achieve the same result by using the {url-cyclonedx-docs-gradle-plugin}[`cyclonedx-gradle-plugin`] plugin, as shown in the following example:
+
+[source,gradle]
+----
+plugins {
+ id 'org.cyclonedx.bom' version '1.8.2'
+}
+----
+
+
+
 [[howto.build.customize-dependency-versions]]
 == Customize Dependency Versions
diff --git a/spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc b/spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc
index f045bc106cc3..1aa859002de9 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc
@@ -1256,33 +1256,10 @@ If you reach the `info` endpoint, you should see a response that contains the fo
 The `sbom` endpoint exposes the https://en.wikipedia.org/wiki/Software_supply_chain[Software Bill of Materials].
 CycloneDX SBOMs can be auto-detected, but other formats can be manually configured, too.
-The `spring-boot-starter-parent` Maven parent and the Spring Boot Gradle plugin configure the https://github.com/CycloneDX/cyclonedx-maven-plugin[CycloneDX Maven plugin] and the https://github.com/CycloneDX/cyclonedx-gradle-plugin[CycloneDX Gradle plugin] respectively.
-
-To get a CycloneDX SBOM, you'll need to add this to your Maven build:
-
-[source,xml]
-----
-
-
- org.cyclonedx
- cyclonedx-maven-plugin
-
-
-
-----
-
-For Gradle, you'll need to apply the CycloneDX Gradle plugin:
-
-[source,groovy]
-----
-plugins {
- id 'org.cyclonedx.bom' version '1.8.2'
-}
-----
-
 The `sbom` actuator endpoint will then expose an SBOM called "application", which describes the contents of your application.
+TIP: To automatically generate a CycloneDX SBOM at project build time, please see the xref:how-to:build.adoc#howto.build.generate-cyclonedx-sbom[] section.
+
 [[actuator.endpoints.sbom.other-formats]]
diff --git a/spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/pages/reacting.adoc b/spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/pages/reacting.adoc
index f283e27cb700..ddf0b0ed51a4 100644
--- a/spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/pages/reacting.adoc
+++ b/spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/pages/reacting.adoc
@@ -92,3 +92,12 @@ When the {url-native-build-tools-docs-gradle-plugin}[GraalVM Native Image plugin
 . Configures the `bootBuildImage` task to use `paketobuildpacks/builder-jammy-tiny:latest` as its builder and to set `BP_NATIVE_IMAGE` to `true` in its environment.
+
+[[reacting-to-other-plugins.cyclonedx]]
+== Reacting to the CycloneDX Plugin
+
+When the {url-cyclonedx-docs-gradle-plugin}[CycloneDX plugin] is applied to a project, the Spring Boot plugin:
+
+. Configures the `cyclonedxBom` task to use the `application` project type and output the SBOM to the `application.cdx` file in JSON format without full license texts.
+. Adds the SBOM under `META-INF/sbom` in the generated jar or war file.
+. Adds the `Sbom-Format` and `Sbom-Location` to the manifest of the jar or war file.