Maintenance: Add SBOM generation via CycloneDX (#549)

devtobi · web-flow · commit 4fcd71f5cae0 · 2025-05-16T12:57:11.000+02:00
* 🔧 Added SBOM configuration for API gateway * 🔧 Added SBOM configuration for tools * [maven-release-plugin] prepare release refarch-tools-1.2.3 * [maven-release-plugin] prepare for next development iteration * 🔧 Added SBOM configuration for integrations * Revert "[maven-release-plugin] prepare for next development iteration" This reverts commit 7204fe2. * Revert "[maven-release-plugin] prepare release refarch-tools-1.2.3" This reverts commit 6eb307e. * 🔧 Change SBOM projectType for services to application * ♻️ Aligned gateway sbom configuration * 🐛 Fix generation of SBOM in integrations for snapshots
diff --git a/refarch-gateway/pom.xml b/refarch-gateway/pom.xml
@@ -11,11 +11,31 @@
 
     <groupId>de.muenchen.refarch</groupId>
     <artifactId>refarch-gateway</artifactId>
+    <version>1.6.0-SNAPSHOT</version>
+
     <name>refarch-gateway</name>
     <description>Ready to use RefArch gateway based on Spring Cloud Gateway</description>
     <url>https://github.com/it-at-m/refarch</url>
-    <version>1.6.0-SNAPSHOT</version>
-    <packaging>jar</packaging>
+    <licenses>
+        <license>
+            <name>MIT</name>
+            <url>https://opensource.org/licenses/MIT</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+    <scm>
+        <url>https://github.com/it-at-m/refarch.git</url>
+        <connection>scm:git:https://github.com/it-at-m/refarch.git</connection>
+        <developerConnection>scm:git:https://github.com/it-at-m/refarch.git</developerConnection>
+        <tag>HEAD</tag>
+    </scm>
+    <developers>
+        <developer>
+            <organization>it@M</organization>
+            <email>opensource@muenchen.de</email>
+            <url>https://github.com/it-at-m</url>
+        </developer>
+    </developers>
 
     <properties>
         <!-- Compilation -->
@@ -182,6 +202,18 @@
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <configuration>
+                            <skipNotDeployed>false</skipNotDeployed>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+
             <!-- Testing -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -213,6 +245,7 @@
                     </execution>
                 </executions>
             </plugin>
+
             <!-- Release -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -227,7 +260,7 @@
                 </configuration>
             </plugin>
 
-            <!-- Codeformatter Spotless -->
+            <!-- Linting -->
             <plugin>
                 <groupId>com.diffplug.spotless</groupId>
                 <artifactId>spotless-maven-plugin</artifactId>
@@ -268,8 +301,6 @@
                     </execution>
                 </executions>
             </plugin>
-
-            <!-- Linting -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-pmd-plugin</artifactId>
@@ -330,23 +361,4 @@
             </plugin>
         </plugins>
     </build>
-
-    <scm>
-        <url>https://github.com/it-at-m/refarch.git</url>
-        <connection>scm:git:https://github.com/it-at-m/refarch.git</connection>
-        <developerConnection>scm:git:https://github.com/it-at-m/refarch.git</developerConnection>
-        <tag>HEAD</tag>
-    </scm>
-    <licenses>
-        <license>
-            <name>MIT</name>
-        </license>
-    </licenses>
-    <developers>
-        <developer>
-            <organization>it@M</organization>
-            <email>opensource@muenchen.de</email>
-            <url>https://github.com/it-at-m</url>
-        </developer>
-    </developers>
 </project>
diff --git a/refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/SecurityConfiguration.java b/refarch-gateway/src/main/java/de/muenchen/refarch/gateway/configuration/SecurityConfiguration.java
@@ -56,6 +56,8 @@ public SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity
                                 "/actuator/health/readiness",
                                 "/actuator/info",
                                 "/actuator/metrics",
+                                "/actuator/sbom",
+                                "/actuator/sbom/application",
                                 "/public/**")
                         .permitAll()
                         // only authenticated
diff --git a/refarch-gateway/src/main/resources/application.yml b/refarch-gateway/src/main/resources/application.yml
@@ -30,7 +30,11 @@ management:
       default: none
     web:
       exposure:
-        include: health, info, prometheus
+        include:
+          - health
+          - info
+          - prometheus
+          - sbom
       path-mapping:
         prometheus: metrics
   endpoint:
@@ -42,6 +46,8 @@ management:
       access: read_only
     prometheus:
       access: read_only
+    sbom:
+      access: read_only
   info:
     env:
       enabled: true
diff --git a/refarch-integrations/pom.xml b/refarch-integrations/pom.xml
@@ -11,11 +11,32 @@
 
     <groupId>de.muenchen.refarch</groupId>
     <artifactId>refarch-integrations</artifactId>
+    <version>1.6.0-SNAPSHOT</version>
+    <packaging>pom</packaging>
+
     <name>refarch-integrations</name>
     <description>Collection of different ready to use RefArch integrations</description>
     <url>https://github.com/it-at-m/refarch</url>
-    <version>1.6.0-SNAPSHOT</version>
-    <packaging>pom</packaging>
+    <licenses>
+        <license>
+            <name>MIT</name>
+            <url>https://opensource.org/licenses/MIT</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+    <scm>
+        <url>https://github.com/it-at-m/refarch.git</url>
+        <connection>scm:git:https://github.com/it-at-m/refarch.git</connection>
+        <developerConnection>scm:git:https://github.com/it-at-m/refarch.git</developerConnection>
+        <tag>HEAD</tag>
+    </scm>
+    <developers>
+        <developer>
+            <organization>it@M</organization>
+            <email>opensource@muenchen.de</email>
+            <url>https://github.com/it-at-m</url>
+        </developer>
+    </developers>
 
     <modules>
         <module>refarch-s3-integration</module>
@@ -180,6 +201,20 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <configuration>
+                            <projectType>library</projectType>
+                            <outputName>library.cdx</outputName>
+                            <skipNotDeployed>false</skipNotDeployed>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+
             <!-- Testing -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -211,6 +246,7 @@
                     </execution>
                 </executions>
             </plugin>
+
             <!-- Release -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -224,7 +260,7 @@
                 </configuration>
             </plugin>
 
-            <!-- Codeformatter Spotless -->
+            <!-- Linting -->
             <plugin>
                 <groupId>com.diffplug.spotless</groupId>
                 <artifactId>spotless-maven-plugin</artifactId>
@@ -265,8 +301,6 @@
                     </execution>
                 </executions>
             </plugin>
-
-            <!-- Linting -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-pmd-plugin</artifactId>
@@ -353,23 +387,4 @@
             </build>
         </profile>
     </profiles>
-
-    <scm>
-        <url>https://github.com/it-at-m/refarch.git</url>
-        <connection>scm:git:https://github.com/it-at-m/refarch.git</connection>
-        <developerConnection>scm:git:https://github.com/it-at-m/refarch.git</developerConnection>
-        <tag>HEAD</tag>
-    </scm>
-    <licenses>
-        <license>
-            <name>MIT</name>
-        </license>
-    </licenses>
-    <developers>
-        <developer>
-            <organization>it@M</organization>
-            <email>opensource@muenchen.de</email>
-            <url>https://github.com/it-at-m</url>
-        </developer>
-    </developers>
 </project>
diff --git a/refarch-integrations/refarch-cosys-integration/refarch-cosys-integration-example/pom.xml b/refarch-integrations/refarch-cosys-integration/refarch-cosys-integration-example/pom.xml
@@ -27,4 +27,20 @@
         </dependency>
     </dependencies>
 
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <configuration>
+                            <projectType>application</projectType>
+                            <outputName>application.cdx</outputName>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
 </project>
diff --git a/refarch-integrations/refarch-dms-integration/refarch-dms-integration-example/pom.xml b/refarch-integrations/refarch-dms-integration/refarch-dms-integration-example/pom.xml
@@ -21,4 +21,21 @@
         </dependency>
     </dependencies>
 
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <configuration>
+                            <projectType>application</projectType>
+                            <outputName>application.cdx</outputName>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
 </project>
diff --git a/refarch-integrations/refarch-dms-integration/refarch-dms-integration-fabasoft-soap/refarch-dms-integration-fabasoft-mock-service/pom.xml b/refarch-integrations/refarch-dms-integration/refarch-dms-integration-fabasoft-soap/refarch-dms-integration-fabasoft-mock-service/pom.xml
@@ -33,4 +33,21 @@
         </dependency>
     </dependencies>
 
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <configuration>
+                            <projectType>application</projectType>
+                            <outputName>application.cdx</outputName>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
 </project>
diff --git a/refarch-integrations/refarch-email-integration/refarch-email-integration-example/pom.xml b/refarch-integrations/refarch-email-integration/refarch-email-integration-example/pom.xml
@@ -35,6 +35,18 @@
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <configuration>
+                            <projectType>application</projectType>
+                            <outputName>application.cdx</outputName>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 </project>
diff --git a/refarch-integrations/refarch-s3-integration/refarch-s3-integration-rest/refarch-s3-integration-rest-service/pom.xml b/refarch-integrations/refarch-s3-integration/refarch-s3-integration-rest/refarch-s3-integration-rest-service/pom.xml
@@ -147,6 +147,18 @@
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <configuration>
+                            <projectType>application</projectType>
+                            <outputName>application.cdx</outputName>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
 </project>
diff --git a/refarch-tools/refarch-java-tools/pom.xml b/refarch-tools/refarch-java-tools/pom.xml
