WIP: support for embedding dependency SBOMs in the built applications

Author: aloubyansky

extensions/cyclonedx/deployment/src/main/java/io/quarkus/cyclonedx/deployment/CdxSbomBuildStep.java

@@ -1,12 +1,19 @@
 package io.quarkus.cyclonedx.deployment;
 
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+
 import io.quarkus.cyclonedx.generator.CycloneDxSbomGenerator;
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.builditem.AppModelProviderBuildItem;
+import io.quarkus.deployment.builditem.GeneratedResourceBuildItem;
+import io.quarkus.deployment.pkg.builditem.CurateOutcomeBuildItem;
 import io.quarkus.deployment.pkg.builditem.OutputTargetBuildItem;
 import io.quarkus.deployment.sbom.ApplicationManifestsBuildItem;
 import io.quarkus.deployment.sbom.SbomBuildItem;
+import io.quarkus.sbom.ApplicationManifest;
+import io.quarkus.sbom.ApplicationManifestConfig;
 
 /**
  * Generates SBOMs for packaged applications if the corresponding config is enabled.
@@ -47,4 +54,45 @@ public void generate(ApplicationManifestsBuildItem applicationManifestsBuildItem
             }
         }
     }
+
+    @BuildStep
+    public void embedDependencySbom(BuildProducer<GeneratedResourceBuildItem> generatedResourceBuildItem,
+            CycloneDxConfig cdxConfig,
+            CurateOutcomeBuildItem curateOutcomeBuildItem,
+            AppModelProviderBuildItem appModelProviderBuildItem) {
+        if (!cdxConfig.embeddedDependencySbom().enabled() || cdxConfig.skip()) {
+            return;
+        }
+
+        final CycloneDxConfig.EmbeddedDependencySbomConfig dependencySbomConfig = cdxConfig.embeddedDependencySbom();
+        final String resourceName = dependencySbomConfig.resourceName();
+        if (resourceName == null || resourceName.isEmpty()) {
+            throw new IllegalArgumentException("resourceName is not configured for the embedded dependency SBOM");
+        }
+
+        var depInfoProvider = appModelProviderBuildItem.getDependencyInfoProvider().get();
+        List<String> result = CycloneDxSbomGenerator.newInstance()
+                .setManifest(ApplicationManifest.fromConfig(ApplicationManifestConfig.builder()
+                        .setApplicationModel(curateOutcomeBuildItem.getApplicationModel())
+                        .build()))
+                .setEffectiveModelResolver(depInfoProvider == null ? null : depInfoProvider.getMavenModelResolver())
+                .setFormat(getFormat(resourceName))
+                .setSchemaVersion(cdxConfig.schemaVersion().orElse(null))
+                .setIncludeLicenseText(cdxConfig.includeLicenseText())
+                .generateText();
+
+        if (result.size() != 1) {
+            // this should never happen
+            throw new RuntimeException(
+                    "Embedded dependency SBOM has more than 1 result for configured resource " + resourceName);
+        }
+
+        generatedResourceBuildItem
+                .produce(new GeneratedResourceBuildItem(resourceName, result.get(0).getBytes(StandardCharsets.UTF_8)));
+    }
+
+    private static String getFormat(String resourceName) {
+        int lastDot = resourceName.lastIndexOf('.');
+        return lastDot == -1 ? "json" : resourceName.substring(lastDot + 1);
+    }
 }

extensions/cyclonedx/deployment/src/main/java/io/quarkus/cyclonedx/deployment/CycloneDxConfig.java

@@ -2,6 +2,7 @@
 
 import java.util.Optional;
 
+import io.quarkus.runtime.annotations.ConfigDocSection;
 import io.quarkus.runtime.annotations.ConfigRoot;
 import io.smallrye.config.ConfigMapping;
 import io.smallrye.config.WithDefault;
@@ -42,4 +43,32 @@ public interface CycloneDxConfig {
      */
     @WithDefault("false")
     boolean includeLicenseText();
+
+    /**
+     * Embedded dependency SBOM
+     */
+    @ConfigDocSection
+    EmbeddedDependencySbomConfig embeddedDependencySbom();
+
+    /**
+     * Embedded dependency SBOM configuration
+     */
+    interface EmbeddedDependencySbomConfig {
+
+        /**
+         * Whether dependency SBOM should be embedded in the final application.
+         *
+         * @return true, if dependency SBOM should be embedded in the final application, false - otherwise
+         */
+        @WithDefault("false")
+        boolean enabled();
+
+        /**
+         * Resource name for the embedded dependency SBOM
+         *
+         * @return resource name for the embedded dependency SBOM
+         */
+        @WithDefault("META-INF/sbom/dependency-cdx.json")
+        String resourceName();
+    }
 }

extensions/cyclonedx/generator/src/main/java/io/quarkus/cyclonedx/generator/CycloneDxSbomGenerator.java

@@ -13,6 +13,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.maven.model.MailingList;
 import org.apache.maven.model.Model;
+import org.cyclonedx.Format;
 import org.cyclonedx.Version;
 import org.cyclonedx.exception.GeneratorException;
 import org.cyclonedx.generators.BomGeneratorFactory;
@@ -73,10 +74,7 @@ public class CycloneDxSbomGenerator {
 
     private static final String CLASSIFIER_CYCLONEDX = "cyclonedx";
     private static final String FORMAT_ALL = "all";
-    private static final String FORMAT_JSON = "json";
-    private static final String FORMAT_XML = "xml";
-    private static final String DEFAULT_FORMAT = FORMAT_JSON;
-    private static final List<String> SUPPORTED_FORMATS = List.of(FORMAT_JSON, FORMAT_XML);
+    private static final String DEFAULT_FORMAT = "json";
 
     public static CycloneDxSbomGenerator newInstance() {
         return new CycloneDxSbomGenerator();
@@ -138,37 +136,57 @@ public CycloneDxSbomGenerator setIncludeLicenseText(boolean includeLicenseText)
         return this;
     }
 
+    public List<String> generateText() {
+        final Bom bom = createSbom();
+        if (FORMAT_ALL.equals(format)) {
+            Format[] formats = Format.values();
+            final List<String> result = new ArrayList<>(formats.length);
+            for (Format format : formats) {
+                result.add(formatSbom(bom, format.getExtension()));
+            }
+            return result;
+        }
+        return List.of(formatSbom(bom, format));
+    }
+
     public List<SbomResult> generate() {
-        ensureNotGenerated();
-        Objects.requireNonNull(manifest, "Manifest is null");
         if (outputFile == null && outputDir == null) {
             throw new IllegalArgumentException("Either outputDir or outputFile must be provided");
         }
-        generated = true;
+        final Bom bom = createSbom();
 
-        var bom = new Bom();
-        bom.setMetadata(new Metadata());
-        addToolInfo(bom);
-
-        addApplicationComponent(bom, manifest.getMainComponent());
-        for (var c : manifest.getComponents()) {
-            addComponent(bom, c);
-        }
         if (FORMAT_ALL.equalsIgnoreCase(format)) {
             if (outputFile != null) {
                 throw new IllegalArgumentException("Can't use output file " + outputFile + " with format '"
                         + FORMAT_ALL + "', since it implies generating multiple files");
             }
-            final List<SbomResult> result = new ArrayList<>(SUPPORTED_FORMATS.size());
-            for (String format : SUPPORTED_FORMATS) {
-                result.add(persistSbom(bom, getOutputFile(format), format));
+            Format[] formats = Format.values();
+            final List<SbomResult> result = new ArrayList<>(formats.length);
+            for (Format format : formats) {
+                result.add(persistSbom(bom, getOutputFile(format.getExtension()), format.getExtension()));
             }
             return result;
         }
         var outputFile = getOutputFile(format == null ? DEFAULT_FORMAT : format);
         return List.of(persistSbom(bom, outputFile, getFormat(outputFile)));
     }
 
+    private Bom createSbom() {
+        ensureNotGenerated();
+        Objects.requireNonNull(manifest, "Manifest is null");
+        generated = true;
+
+        var bom = new Bom();
+        bom.setMetadata(new Metadata());
+        addToolInfo(bom);
+
+        addApplicationComponent(bom, manifest.getMainComponent());
+        for (var c : manifest.getComponents()) {
+            addComponent(bom, c);
+        }
+        return bom;
+    }
+
     private void addComponent(Bom bom, ApplicationComponent component) {
         final org.cyclonedx.model.Component c = getComponent(component);
         bom.addComponent(c);
@@ -421,25 +439,7 @@ private static List<ArtifactCoords> sortAlphabetically(Collection<ArtifactCoords
     }
 
     private SbomResult persistSbom(Bom bom, Path sbomFile, String format) {
-
-        var specVersion = getSchemaVersion();
-        final String sbomContent;
-        if (format.equalsIgnoreCase("json")) {
-            try {
-                sbomContent = BomGeneratorFactory.createJson(specVersion, bom).toJsonString();
-            } catch (Throwable e) {
-                throw new RuntimeException("Failed to generate an SBOM in JSON format", e);
-            }
-        } else if (format.equalsIgnoreCase("xml")) {
-            try {
-                sbomContent = BomGeneratorFactory.createXml(specVersion, bom).toXmlString();
-            } catch (GeneratorException e) {
-                throw new RuntimeException("Failed to generate an SBOM in XML format", e);
-            }
-        } else {
-            throw new RuntimeException(
-                    "Unsupported SBOM artifact type " + format + ", supported types are json and xml");
-        }
+        final String sbomContent = formatSbom(bom, format);
 
         var outputDir = sbomFile.getParent();
         if (outputDir != null) {
@@ -462,6 +462,33 @@ private SbomResult persistSbom(Bom bom, Path sbomFile, String format) {
                 manifest.getRunnerPath());
     }
 
+    private String formatSbom(Bom bom, String format) {
+        var specVersion = getSchemaVersion();
+        final String sbomContent;
+        if (format.equalsIgnoreCase("json")) {
+            try {
+                sbomContent = BomGeneratorFactory.createJson(specVersion, bom).toJsonString();
+            } catch (Throwable e) {
+                throw new RuntimeException("Failed to generate an SBOM in JSON format", e);
+            }
+        } else if (format.equalsIgnoreCase("xml")) {
+            try {
+                sbomContent = BomGeneratorFactory.createXml(specVersion, bom).toXmlString();
+            } catch (GeneratorException e) {
+                throw new RuntimeException("Failed to generate an SBOM in XML format", e);
+            }
+        } else {
+            var msg = new StringBuilder("Unsupported SBOM format ").append(format);
+            var supportedFormats = Format.values();
+            msg.append(". Supported formats are ").append(supportedFormats[0].getExtension());
+            for (int i = 1; i < supportedFormats.length; i++) {
+                msg.append(", ").append(supportedFormats[i].getExtension());
+            }
+            throw new IllegalArgumentException(msg.toString());
+        }
+        return sbomContent;
+    }
+
     private Path getOutputFile(String defaultFormat) {
         if (outputFile == null) {
             var fileName = toSbomFileName(manifest.getRunnerPath().getFileName().toString(), defaultFormat);