From 3bfd17be16884dfbc283feaff770e090410d43fd Mon Sep 17 00:00:00 2001
From: Ubbo Veentjer <veentjer@sub.uni-goettingen.de>
Date: Mon, 27 Jun 2022 18:15:58 +0200
Subject: [PATCH] generate and upload sbom. closes #30

---
 .gitlab-ci.yml |  8 ++++++++
 pom.xml        | 21 ++++++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 75fb10c..b960cd2 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,9 @@
+include:
+  - template: Container-Scanning.gitlab-ci.yml
+  - project: 'dariah-de/gitlab-templates'
+    ref: 'main'
+    file: '/templates/SBOM-Upload.gitlab-ci.yml'
+
 variables:
   # This will suppress any download for dependencies and plugins or upload messages which would clutter the console log.
   # `showDateTime` will show the passed time in milliseconds. You need to specify `--batch-mode` to make this work.
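Review bot: The remote include at `ref: 'main'` pulls the SBOM-Upload job definition from a mutable branch, so whoever can push to `dariah-de/gitlab-templates` can change what this pipeline executes (and where the SBOM is uploaded) without any change in this repository. Pin the include to a tag or commit SHA and bump it deliberately, e.g. `ref: 'v1.0.0'` or `ref: '<commit-sha>'`, quoted so an all-digit tag is not retyped. The bundled `Container-Scanning.gitlab-ci.yml` template also appears to be included with no job-level configuration in this hunk; if the `build_container_image` job further down does not publish the image under the variables the template expects, the scan job will run against nothing, so confirm that in the full file.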
@@ -90,10 +96,12 @@ build_and_deploy:
     - git -C src/main/webapp/tei-stylesheets/ checkout $TEI_STYLESHEETS_VERSION
     # REMOVE SKIPTESTS AS SOON AS TESTS ARE WORKING...!!
     - mvn $MAVEN_OPTS $MAVEN_CLI_OPTS $MAVEN_DEPLOY_OPTS -U clean verify -Ptextgrid.deb -DskipTests=true
+    - cp target/bom.json .
   artifacts:
     name: WEBAPP_DEB_PACKAGES
     paths:
       - ./target/*.deb
+      - bom.json
       
 build_container_image:
   image:
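Review bot: The SBOM published here covers only the Maven-resolved dependencies, but this same job also checks out `src/main/webapp/tei-stylesheets/` from git at `$TEI_STYLESHEETS_VERSION` (the line before the `mvn` call), and that vendored component will not appear in `bom.json`. A one-line comment above the `cp` would keep the next reader from treating the BOM as complete: `# bom.json lists Maven dependencies only; the tei-stylesheets git checkout is not represented in it`. Separately, the `cp target/bom.json .` step looks unnecessary if the artifact path can simply be `- ./target/bom.json` like the `.deb` files above it; if the included SBOM-Upload template requires the file at the repository root, say so in a comment, since that coupling is otherwise invisible here.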
diff --git a/pom.xml b/pom.xml
index 2ddd80c..2c13fa9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -33,7 +33,8 @@
 		<saxon-version>9.5.1-5</saxon-version> <!-- XXX mind dependency from epubcheck -->
 		<cxf-version>2.7.18</cxf-version>
 		<confclient-version>4.1.0</confclient-version>
-		<tgsearch-version>4.0.1</tgsearch-version>
+		<cyclonedx-maven-plugin.version>2.7.0</cyclonedx-maven-plugin.version>
+		<tgsearch-version>4.0.3</tgsearch-version>
 		<tgcrud-version>2.6.0</tgcrud-version>
 		<!-- TG-crud client configuration is not working with newest crud, I'll
 			just fix it tomorrow! -->
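Review bot: The new property name `cyclonedx-maven-plugin.version` breaks the naming pattern the neighbouring properties follow (`saxon-version`, `cxf-version`, `confclient-version`, `tgsearch-version`, `tgcrud-version`), which all use a `-version` suffix with no dot. Renaming it to `<cyclonedx-maven-plugin-version>2.7.0</cyclonedx-maven-plugin-version>` and updating the single `${...}` reference in the plugin declaration keeps the properties block consistent and greppable. The `tgsearch-version` bump in the same hunk is unrelated to the SBOM work described in the commit message and would be easier to audit as its own commit.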
@@ -198,6 +199,8 @@
 			<version>${xmlunit-version}</version>
 			<scope>test</scope>
 		</dependency>
+
+
 	</dependencies>
 
 	<build>
@@ -451,6 +454,22 @@
 					</reportPlugins>
 				</configuration>
 			</plugin>
+			<plugin>
+				<groupId>org.cyclonedx</groupId>
+				<artifactId>cyclonedx-maven-plugin</artifactId>
+				<version>${cyclonedx-maven-plugin.version}</version>
+				<executions>
+					<execution>
+						<phase>package</phase>
+						<goals>
+							<goal>makeAggregateBom</goal>
+						</goals>
+					</execution>
+				</executions>
+				<configuration>
+					<outputFormat>JSON</outputFormat>
+				</configuration>
+			</plugin>
 		</plugins>
 		<resources>
 			<resource>
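Review bot: The plugin declaration has no comment explaining that its output is consumed by CI, so a maintainer changing the phase, `outputFormat`, or default output name would not know they are breaking the `.gitlab-ci.yml` job that copies `target/bom.json`. Add an XML comment above the `<plugin>` element such as `<!-- Generates target/bom.json (CycloneDX SBOM) during the package phase; .gitlab-ci.yml publishes it as an artifact and uploads it via the SBOM-Upload template. -->`. Pinning the plugin version through a property is the right call for build reproducibility; consider also setting `<outputName>bom</outputName>` explicitly rather than relying on the plugin default, since the CI job hard-codes that filename.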
-- 
GitLab