Embedded tests and endpoint extension scaffold

aloubyansky · aloubyansky · commit 2de611cdc8dd · 2026-04-09T22:53:54.000+02:00
diff --git a/bom/application/pom.xml b/bom/application/pom.xml
@@ -887,6 +887,16 @@
                 <artifactId>quarkus-cyclonedx-generator</artifactId>
                 <version>${project.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-cyclonedx-endpoint</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-cyclonedx-endpoint-deployment</artifactId>
+                <version>${project.version}</version>
+            </dependency>
             <dependency>
                 <groupId>io.quarkus</groupId>
                 <artifactId>quarkus-datasource-common</artifactId>
diff --git a/extensions/cyclonedx/deployment/src/main/java/io/quarkus/cyclonedx/deployment/CdxSbomBuildStep.java b/extensions/cyclonedx/deployment/src/main/java/io/quarkus/cyclonedx/deployment/CdxSbomBuildStep.java
@@ -36,7 +36,7 @@ public void generate(ApplicationManifestsBuildItem applicationManifestsBuildItem
             AppModelProviderBuildItem appModelProviderBuildItem,
             CycloneDxConfig cdxSbomConfig,
             BuildProducer<SbomBuildItem> sbomProducer) {
-        if (cdxSbomConfig.skip() || applicationManifestsBuildItem.getManifests().isEmpty()) {
+        if (!cdxSbomConfig.enabled() || applicationManifestsBuildItem.getManifests().isEmpty()) {
             // until there is a proper way to request the desired build items as build outcome
             return;
         }
@@ -60,11 +60,13 @@ public void embedDependencySbom(BuildProducer<GeneratedResourceBuildItem> genera
             CycloneDxConfig cdxConfig,
             CurateOutcomeBuildItem curateOutcomeBuildItem,
             AppModelProviderBuildItem appModelProviderBuildItem) {
-        if (!cdxConfig.embeddedDependencySbom().enabled() || cdxConfig.skip()) {
+        if (!cdxConfig.enabled() ||
+        // if embedded
+                !cdxConfig.embedded().enabled() && !cdxConfig.endpoint().enabled()) {
             return;
         }
 
-        final CycloneDxConfig.EmbeddedDependencySbomConfig dependencySbomConfig = cdxConfig.embeddedDependencySbom();
+        final CycloneDxConfig.EmbeddedSbomConfig dependencySbomConfig = cdxConfig.embedded();
         final String resourceName = dependencySbomConfig.resourceName();
         if (resourceName == null || resourceName.isEmpty()) {
             throw new IllegalArgumentException("resourceName is not configured for the embedded dependency SBOM");
diff --git a/extensions/cyclonedx/deployment/src/main/java/io/quarkus/cyclonedx/deployment/CycloneDxConfig.java b/extensions/cyclonedx/deployment/src/main/java/io/quarkus/cyclonedx/deployment/CycloneDxConfig.java
@@ -14,10 +14,11 @@
 @ConfigRoot
 public interface CycloneDxConfig {
     /**
-     * Whether to skip SBOM generation
+     * Whether to CycloneDX SBOM generation is enabled.
+     * If this option is false, the rest of the configuration will be ignored.
      */
-    @WithDefault("false")
-    boolean skip();
+    @WithDefault("true")
+    boolean enabled();
 
     /**
      * SBOM file format. Supported formats are {code json} and {code xml}.
@@ -45,18 +46,25 @@ public interface CycloneDxConfig {
     boolean includeLicenseText();
 
     /**
-     * Embedded dependency SBOM
+     * Embedded dependency SBOM configuration
      */
     @ConfigDocSection
-    EmbeddedDependencySbomConfig embeddedDependencySbom();
+    EmbeddedSbomConfig embedded();
+
+    /**
+     * REST endpoint configuration for an embedded SBOM
+     *
+     * @return REST endpoint configuration for an embedded SBOM
+     */
+    SbomEndpointConfig endpoint();
 
     /**
      * Embedded dependency SBOM configuration
      */
-    interface EmbeddedDependencySbomConfig {
+    interface EmbeddedSbomConfig {
 
         /**
-         * Whether dependency SBOM should be embedded in the final application.
+         * Whether a dependency SBOM should be embedded in the final application.
          *
          * @return true, if dependency SBOM should be embedded in the final application, false - otherwise
          */
@@ -68,7 +76,32 @@ interface EmbeddedDependencySbomConfig {
          *
          * @return resource name for the embedded dependency SBOM
          */
-        @WithDefault("META-INF/sbom/dependency-cdx.json")
+        @WithDefault("META-INF/sbom/application.cdx.json")
         String resourceName();
     }
+
+    /**
+     * SBOM endpoint configuration
+     */
+    interface SbomEndpointConfig {
+
+        /**
+         * Whether the embedded SBOM should be exposed through a REST endpoint.
+         * <p>
+         * Note: enabling the endpoint option will force embedded SBOM generation,
+         * even if {@link EmbeddedSbomConfig#enabled()} is {@code false}.
+         *
+         * @return true, if the embedded SBOM should be exposed through a REST endpoint, otherwise - false
+         */
+        @WithDefault("false")
+        boolean enabled();
+
+        /**
+         * REST endpoint path that will provide an SBOM
+         *
+         * @return REST endpoint path that will provide an SBOM
+         */
+        @WithDefault("/.well-known/sbom")
+        String path();
+    }
 }
diff --git a/extensions/cyclonedx/endpoint/deployment/pom.xml b/extensions/cyclonedx/endpoint/deployment/pom.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>quarkus-cyclonedx-endpoint-parent</artifactId>
+        <groupId>io.quarkus</groupId>
+        <version>999-SNAPSHOT</version>
+    </parent>
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>quarkus-cyclonedx-endpoint-deployment</artifactId>
+    <name>Quarkus - CycloneDX - Endpoint - Deployment</name>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-core-deployment</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-cyclonedx-endpoint</artifactId>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>default-compile</id>
+                        <configuration>
+                            <annotationProcessorPaths>
+                                <path>
+                                    <groupId>io.quarkus</groupId>
+                                    <artifactId>quarkus-extension-processor</artifactId>
+                                    <version>${project.version}</version>
+                                </path>
+                            </annotationProcessorPaths>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
diff --git a/extensions/cyclonedx/endpoint/pom.xml b/extensions/cyclonedx/endpoint/pom.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>quarkus-cyclonedx-parent</artifactId>
+        <groupId>io.quarkus</groupId>
+        <version>999-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>quarkus-cyclonedx-endpoint-parent</artifactId>
+    <name>Quarkus - CycloneDX - Endpoint</name>
+    <packaging>pom</packaging>
+    <modules>
+        <module>deployment</module>
+        <module>runtime</module>
+    </modules>
+
+</project>
diff --git a/extensions/cyclonedx/endpoint/runtime/pom.xml b/extensions/cyclonedx/endpoint/runtime/pom.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-cyclonedx-endpoint-parent</artifactId>
+        <version>999-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>quarkus-cyclonedx-endpoint</artifactId>
+    <name>Quarkus - CycloneDX - Endpoint - Runtime</name>
+    <description>CycloneDX REST Endpoint</description>
+    <dependencies>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-core</artifactId>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>io.quarkus</groupId>
+                <artifactId>quarkus-extension-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/extensions/cyclonedx/pom.xml b/extensions/cyclonedx/pom.xml
@@ -17,6 +17,7 @@
         <module>generator</module>
         <module>deployment</module>
         <module>runtime</module>
+        <module>endpoint</module>
     </modules>
 
 </project>
diff --git a/integration-tests/maven/src/test/java/io/quarkus/maven/it/CycloneDxIT.java b/integration-tests/maven/src/test/java/io/quarkus/maven/it/CycloneDxIT.java
@@ -4,6 +4,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 
 import java.io.File;
+import java.nio.file.Path;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -99,4 +100,109 @@ public void testMutableJar() throws Exception {
         assertComponent(components, "io.quarkus", "quarkus-cyclonedx", "runtime", "lib/main/");
         assertComponent(components, "io.quarkus", "quarkus-cyclonedx-deployment", "development", "lib/deployment/");
     }
+
+    @Test
+    public void testEmbeddedSbomFastJar() throws Exception {
+        testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-embedded-fast-jar");
+        running = new RunningInvoker(testDir, false);
+
+        Properties p = new Properties();
+        p.setProperty("quarkus.cyclonedx.embedded.enabled", "true");
+
+        final MavenProcessInvocationResult result = running.execute(
+                List.of("package", "-DskipTests"),
+                Map.of(), p);
+        assertThat(result.getProcess().waitFor()).isEqualTo(0);
+
+        // the embedded SBOM should be in generated-bytecode.jar
+        final Path generatedJar = testDir.toPath()
+                .resolve("target/quarkus-app/quarkus/generated-bytecode.jar");
+        final String defaultResourceName = "META-INF/sbom/application.cdx.json";
+        final Bom bom = parseEmbeddedSbom(generatedJar, defaultResourceName);
+
+        assertEmbeddedSbomComponents(bom);
+    }
+
+    @Test
+    public void testEmbeddedSbomUberJar() throws Exception {
+        testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-embedded-uber-jar");
+        running = new RunningInvoker(testDir, false);
+
+        Properties p = new Properties();
+        p.setProperty("quarkus.package.jar.type", "uber-jar");
+        p.setProperty("quarkus.cyclonedx.embedded.enabled", "true");
+
+        final MavenProcessInvocationResult result = running.execute(
+                List.of("package", "-DskipTests"),
+                Map.of(), p);
+        assertThat(result.getProcess().waitFor()).isEqualTo(0);
+
+        // for uber-jar, the resource is embedded directly in the runner jar
+        final Path uberJar = testDir.toPath()
+                .resolve("target/acme-app-1.0-SNAPSHOT-runner.jar");
+        final String defaultResourceName = "META-INF/sbom/application.cdx.json";
+        final Bom bom = parseEmbeddedSbom(uberJar, defaultResourceName);
+
+        assertEmbeddedSbomComponents(bom);
+    }
+
+    @Test
+    public void testEmbeddedSbomCustomResourceName() throws Exception {
+        testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-embedded-custom-name");
+        running = new RunningInvoker(testDir, false);
+
+        final String customResourceName = "META-INF/custom-sbom.json";
+        Properties p = new Properties();
+        p.setProperty("quarkus.cyclonedx.embedded.enabled", "true");
+        p.setProperty("quarkus.cyclonedx.embedded.resource-name", customResourceName);
+
+        final MavenProcessInvocationResult result = running.execute(
+                List.of("package", "-DskipTests"),
+                Map.of(), p);
+        assertThat(result.getProcess().waitFor()).isEqualTo(0);
+
+        final Path generatedJar = testDir.toPath()
+                .resolve("target/quarkus-app/quarkus/generated-bytecode.jar");
+
+        // the default resource name should not exist
+        assertNoEmbeddedResource(generatedJar, "META-INF/sbom/application.cdx.json");
+
+        // the custom resource name should contain a valid SBOM
+        final Bom bom = parseEmbeddedSbom(generatedJar, customResourceName);
+        assertEmbeddedSbomComponents(bom);
+    }
+
+    @Test
+    public void testEmbeddedSbomDisabledByDefault() throws Exception {
+        testDir = initProject("projects/cyclonedx-sbom", "projects/cyclonedx-sbom-embedded-disabled");
+        running = new RunningInvoker(testDir, false);
+
+        final MavenProcessInvocationResult result = running.execute(
+                List.of("package", "-DskipTests"),
+                Map.of());
+        assertThat(result.getProcess().waitFor()).isEqualTo(0);
+
+        // without enabling embedded SBOM, the resource should not be present
+        final Path generatedJar = testDir.toPath()
+                .resolve("target/quarkus-app/quarkus/generated-bytecode.jar");
+        assertNoEmbeddedResource(generatedJar, "META-INF/sbom/application.cdx.json");
+    }
+
+    /**
+     * Asserts that an embedded SBOM has the expected structure and contains
+     * expected dependency components.
+     */
+    private static void assertEmbeddedSbomComponents(Bom bom) {
+        assertThat(bom).isNotNull();
+        assertThat(bom.getMetadata()).isNotNull();
+        assertThat(bom.getMetadata().getComponent()).isNotNull();
+
+        final List<Component> components = bom.getComponents();
+        assertThat(components).isNotEmpty();
+        // the embedded SBOM should contain application dependencies
+        assertComponent(components, "io.quarkus", "quarkus-rest", "runtime", null);
+        assertComponent(components, "io.quarkus", "quarkus-rest-deployment", "development", null);
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx", "runtime", null);
+        assertComponent(components, "io.quarkus", "quarkus-cyclonedx-deployment", "development", null);
+    }
 }
diff --git a/integration-tests/maven/src/test/java/io/quarkus/maven/it/CycloneDxTestUtils.java b/integration-tests/maven/src/test/java/io/quarkus/maven/it/CycloneDxTestUtils.java
