JSTEP 14
(Back to JSTEP page)
Tatu Saloranta (@cowtowncoder)
- 2025-04-23: Created first proposal
Initial discussions, planning
Use of SBOMs (Software Bill of Materials) is starting to increase. For an overview of SBOMs see:
It would make sense to produce SBOM artifacts for Jackson components as part of the build process and to publish them to Maven Central, so that consumers can verify what a given released jar actually contains and depends on.
Due to proximity to the 2.19.0 release, we will probably want to wait until 2.20 to publish SBOMs for all artifacts. We could start with a limited set, publishing them only for the 3 core components, but publishing these new artifacts without first exercising them in an RC seems risky: and after 2.19.0-rc2 there is no appetite for another RC just for SBOMs.
So let's go with 2.20.0 (and one of the 3.0.0 RCs, which will likely come earlier).
Adding this to `pom.xml`:

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <!-- Pin an explicit plugin <version> in the real build: an unpinned
           plugin makes the generated SBOM (and the build) non-reproducible. -->
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <!-- makeAggregateBom covers the reactor; for a single module
                 makeBom is the narrower goal -->
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

will generate `target/bom.json` and `target/bom.xml` artifacts.
Looks like the plug-in will by default "attach" the SBOM artifacts to the module, so they get deployed alongside the main jar without further configuration.
One open question is the "classifier" to use for SBOM artifacts. The default of `cyclonedx` produces:
`jackson-core-2.19.0-SNAPSHOT-cyclonedx.json`
but some frameworks use a different classifier: Quarkus, for example, seems to default to `dependency-cyclonedx` instead. Whatever we pick, consumers will look the file up by `groupId:artifactId:version:classifier`, so the choice should be made once and kept stable across releases.
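Before an SBOM is deployed it is worth sanity-checking the generated `bom.json`: that it names the artifact it describes, that every component's `purl` agrees with its Maven coordinates and carries a SHA-256 hash, that the dependency graph only points at known `bom-ref`s, and that the attached-artifact name comes out as expected for the chosen classifier. The script below is an added example written for this page, not code from the Jackson build or from cyclonedx-maven-plugin; the sample BOM is constructed inline (the `org.example` dependency and the all-zero hash are placeholders, not real Jackson data).

```python
"""Sanity-check a CycloneDX JSON SBOM before publishing it as a Maven artifact.

Added example for this page; the sample BOM below is constructed and only
mimics the shape cyclonedx-maven-plugin emits.
"""
import json
import re

ROOT_REF = "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0-SNAPSHOT?type=jar"
DEP_REF = "pkg:maven/org.example/example-dep@1.0.0?type=jar"  # placeholder dependency

SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {
        "group": "com.fasterxml.jackson.core", "name": "jackson-core",
        "version": "2.19.0-SNAPSHOT", "type": "library",
        "purl": ROOT_REF, "bom-ref": ROOT_REF}},
    "components": [{
        "group": "org.example", "name": "example-dep", "version": "1.0.0",
        "type": "library", "purl": DEP_REF, "bom-ref": DEP_REF,
        "hashes": [{"alg": "SHA-256", "content": "0" * 64}]}],  # dummy hash
    "dependencies": [
        {"ref": ROOT_REF, "dependsOn": [DEP_REF]},
        {"ref": DEP_REF, "dependsOn": []}],
}
SAMPLE_BOM = json.dumps(SAMPLE)

# Same BOM with a dangling dependency edge, to show a failing check.
_broken = json.loads(SAMPLE_BOM)
_broken["dependencies"][0]["dependsOn"].append("pkg:maven/org.example/ghost@0.1?type=jar")
BROKEN_BOM = json.dumps(_broken)

# Minimal Maven purl parser: pkg:maven/<group>/<name>@<version>[?qualifiers]
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<name>[^@]+)@(?P<version>[^?#]+)")


def check_bom(bom_text: str) -> list[str]:
    """Return the problems found; an empty list means the BOM passes."""
    problems = []
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not re.fullmatch(r"1\.[0-9]+", str(bom.get("specVersion", ""))):
        problems.append("missing or unexpected specVersion")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber is not a urn:uuid")
    root = bom.get("metadata", {}).get("component")
    if not root:
        # Without this, consumers cannot tell which artifact the SBOM describes.
        problems.append("metadata.component missing")
        return problems
    known_refs = {root.get("bom-ref")}
    for c in bom.get("components", []):
        known_refs.add(c.get("bom-ref"))
        m = PURL_RE.match(c.get("purl", ""))
        if not m:
            problems.append(f"component {c.get('name')} has no Maven purl")
            continue
        coords = (c.get("group"), c.get("name"), c.get("version"))
        if (m["group"], m["name"], m["version"]) != coords:
            problems.append(f"purl {c['purl']} disagrees with component coordinates")
        if not any(h.get("alg") == "SHA-256" for h in c.get("hashes", [])):
            problems.append(f"component {c.get('name')} lacks a SHA-256 hash")
    # Every edge in the dependency graph must point at a component in the BOM.
    for d in bom.get("dependencies", []):
        for ref in [d.get("ref")] + d.get("dependsOn", []):
            if ref not in known_refs:
                problems.append(f"dependency graph references unknown bom-ref {ref}")
    return problems


def attached_artifact_name(bom_text: str, classifier: str = "cyclonedx", fmt: str = "json") -> str:
    """File name Maven will attach for this BOM: <artifactId>-<version>-<classifier>.<fmt>."""
    root = json.loads(bom_text)["metadata"]["component"]
    return f"{root['name']}-{root['version']}-{classifier}.{fmt}"


def is_release_bom(bom_text: str) -> bool:
    """True when the described artifact is a release, not a -SNAPSHOT."""
    return not json.loads(bom_text)["metadata"]["component"]["version"].endswith("-SNAPSHOT")


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_BOM), ("broken", BROKEN_BOM)):
        print(label, attached_artifact_name(text), check_bom(text) or "OK")
```

Run it against `target/bom.json` after `mvn package` by swapping `SAMPLE_BOM` for the file contents; `attached_artifact_name` with `classifier="dependency-cyclonedx"` shows what the Quarkus-style naming would look like for the same artifact.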
If attaching did not happen automatically, we could attach the files manually with `build-helper-maven-plugin`:

```xml
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>build-helper-maven-plugin</artifactId>
  <!-- Pin an explicit plugin <version> in the real build. -->
  <executions>
    <execution>
      <id>attach-sbom</id>
      <!-- Must run after cyclonedx-maven-plugin has written the files,
           i.e. later in the same "package" phase or in a later phase. -->
      <phase>package</phase>
      <goals>
        <goal>attach-artifact</goal>
      </goals>
      <configuration>
        <artifacts>
          <!-- Note: the attached file is named <artifactId>-<version>[-<classifier>].<type>,
               so <type>bom.xml</type> yields "jackson-core-2.19.0-SNAPSHOT.bom.xml".
               To match the plugin's own default naming, use <type>xml</type> /
               <type>json</type> together with <classifier>cyclonedx</classifier>. -->
          <artifact>
            <file>${project.build.directory}/bom.xml</file>
            <type>bom.xml</type>
          </artifact>
          <artifact>
            <file>${project.build.directory}/bom.json</file>
            <type>bom.json</type>
          </artifact>
        </artifacts>
      </configuration>
    </execution>
  </executions>
</plugin>
```