NR-379716 : Remove Cyclonedx-bom plugin & utilise Github API to generate SBOM #399

Open
wants to merge 3 commits into
base: main
44 changes: 36 additions & 8 deletions newrelic-security-agent/build.gradle
Expand Up @@ -4,14 +4,17 @@ import com.nr.builder.DependencyPatcher
import com.nr.builder.GitUtil
import com.nr.builder.Log4j2PluginFileMover
import com.nr.builder.publish.PublishConfig
import groovy.json.JsonBuilder
import groovy.json.JsonSlurper

import java.nio.file.Files
import java.nio.file.Paths
import java.time.Clock

plugins {
id("java-library")
id("maven-publish")
id("signing")
id 'org.cyclonedx.bom' version '1.7.3'
}

java.sourceCompatibility = JavaVersion.VERSION_1_8
Expand All @@ -36,11 +39,6 @@ configurations {
configurations.implementation.extendsFrom(configurations.shadowIntoJar)
configurations.implementation.extendsFrom(configurations.jarIntoJar)

cyclonedxBom {
outputFormat = "json"
outputName = "SBOM"
}

project.ext {
instrumentProjects = {
rootProject.subprojects.findAll { project -> project.path =~ /:instrumentation:/ }
Expand Down Expand Up @@ -188,6 +186,37 @@ task transformedShadowJar(type: ShadowJar) {
archiveBaseName.set("transformedShadowJar")
}

/**
* <p> The gradle task generate-sbom is responsible for generating an aggregate of all direct and transitive dependencies associated with the project.
* It utilizes the GitHub REST API to produce SBOM in the standardized SPDX format.
* For more information, please refer to <a href="https://docs.github.com/en/rest/dependency-graph/sboms"> this</a>.</p>
* <ul>The output of this task should contain:
* <li>The SBOM json file, which is located in newrelic-security-agent/reports/ directory.</li>
* </ul>
*/
tasks.register('generate-sbom') {
def url = new URL("https://api.github.com/repos/newrelic/csec-java-agent/dependency-graph/sbom")
def req = (HttpURLConnection) url.openConnection()
req.addRequestProperty("Accept", "application/vnd.github+json")
req.connect()
req.getResponseCode()
def parsedJson = new JsonSlurper().parseText(req.getInputStream().getText())

try {
def reportsDir = Paths.get("$buildDir", "reports")
def sbomFile = new File("$buildDir/reports", "SBOM.json")
if (Files.exists(reportsDir) || Files.createDirectory(reportsDir)) {
sbomFile.exists() && sbomFile.delete();
if (sbomFile.createNewFile()) {
sbomFile.write(new JsonBuilder(parsedJson).toPrettyString())
}
}
} catch (e) {
printf("Error while creating SBOM file: %s", e.getMessage())
e.printStackTrace()
}
}

/**
* The newrelicVersionedAgentJar task builds the final output jar. This jar contains:
* <ul>
Expand All @@ -202,8 +231,7 @@ task newrelicVersionedAgentJar(type: Jar) {
group("build")
dependsOn("transformedShadowJar")
dependsOn(instrumentProjects().collect { it.tasks["jar"] })
dependsOn("cyclonedxBom")

dependsOn("generate-sbom")
duplicatesStrategy = DuplicatesStrategy.EXCLUDE

from("$rootDir/LICENSE.md")
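Review bot: The HTTP request and file write in the new `generate-sbom` task sit directly in the `tasks.register('generate-sbom')` configuration closure instead of a `doLast {}` action, so they run during the configuration phase of every Gradle invocation whether or not the task was requested, and an unreachable api.github.com fails the whole build before any task executes. The value of `req.getResponseCode()` is discarded, so a non-200 reply (rate limit, 404) only surfaces as an IOException from `getInputStream()` thrown outside the try, while inside the try the `catch (e)` prints and swallows, letting `newrelicVersionedAgentJar` package without an SBOM; `throw new GradleException(...)` is the right outcome in both cases. From a supply-chain standpoint the hard-coded repository URL means the SBOM describes whatever GitHub's dependency graph has indexed for `newrelic/csec-java-agent`, not the dependency set resolved by this build (a fork, branch or local change is not reflected), which the Javadoc should state so consumers do not read it as an attestation of the built jar. `sbomFile.write(...)` also uses the platform default charset; pass `"UTF-8"`. The Javadoc says the file lands in `newrelic-security-agent/reports/`, but the code writes to `$buildDir/reports`.

```groovy
tasks.register('generate-sbom') {
    def outputDir = file("$buildDir/reports")
    outputs.file(new File(outputDir, "SBOM.json"))
    doLast {
        def url = new URL("https://api.github.com/repos/newrelic/csec-java-agent/dependency-graph/sbom")
        def req = (HttpURLConnection) url.openConnection()
        req.addRequestProperty("Accept", "application/vnd.github+json")
        req.connect()
        def status = req.getResponseCode()
        if (status != HttpURLConnection.HTTP_OK) {
            def body = req.getErrorStream()?.getText("UTF-8")
            throw new GradleException("SBOM request failed with HTTP ${status}: ${body}")
        }
        def parsedJson = new JsonSlurper().parseText(req.getInputStream().getText("UTF-8"))
        outputDir.mkdirs()
        new File(outputDir, "SBOM.json").write(new JsonBuilder(parsedJson).toPrettyString(), "UTF-8")
    }
}
```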