JSTEP 14
Tatu Saloranta (@cowtowncoder)
- 2025-04-23: Created first proposal
Initial discussions, planning
Use of SBOMs (Software Bill of Materials) is starting to increase. For an overview of SBOMs see:
It would make sense to produce SBOM artifacts for Jackson components as part of the build process, and to publish them to Maven Central.
Due to the proximity of the 2.19.0 release, we will probably want to wait until 2.20 before publishing SBOMs for all artifacts. We could start with a limited set, only publishing them for the 3 core components, but it seems risky to skip an RC that includes these artifacts, and after 2.19.0-rc2 there's no appetite for another RC just for SBOMs.
So let's go with 2.20.0 (and one of the 3.0.0 RCs, which will likely come earlier).
Adding this to `pom.xml`:

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <!-- pin an explicit <version> here so builds are reproducible -->
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <!-- writes target/bom.json and target/bom.xml -->
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

will generate `target/bom.json` and `target/bom.xml` artifacts.
The easiest way to publish SBOMs would be to attach the artifacts during the "package" phase:

```xml
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>build-helper-maven-plugin</artifactId>
  <!-- pin an explicit <version> here so builds are reproducible -->
  <executions>
    <execution>
      <id>attach-sbom</id>
      <!-- must run after cyclonedx-maven-plugin has written the BOM files -->
      <phase>package</phase>
      <goals>
        <goal>attach-artifact</goal>
      </goals>
      <configuration>
        <artifacts>
          <artifact>
            <file>${project.build.directory}/bom.xml</file>
            <type>bom.xml</type>
          </artifact>
          <artifact>
            <file>${project.build.directory}/bom.json</file>
            <type>bom.json</type>
          </artifact>
        </artifacts>
      </configuration>
    </execution>
  </executions>
</plugin>
```
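As an added example (not from this JSTEP or Jackson's own build), here is what a downstream consumer can check once the `bom.json` attached above is published: that the document really is CycloneDX, that its main component matches the Maven coordinates it was fetched for, and which dependency components lack hashes. The BOM below is a constructed sample; the coordinates and the all-zero hash are placeholders, not real Jackson data.

```python
"""Consumer-side sanity check of a CycloneDX bom.json (added example)."""
import json

# Constructed sample in CycloneDX JSON layout; not a real Jackson BOM.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "group": "com.fasterxml.jackson.core",
            "name": "jackson-databind",
            "version": "2.20.0",
            "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.20.0",
        }
    },
    "components": [
        {"group": "com.fasterxml.jackson.core", "name": "jackson-core",
         "version": "2.20.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.20.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # placeholder hash
        {"group": "com.fasterxml.jackson.core", "name": "jackson-annotations",
         "version": "2.20.0",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.20.0"},
    ],
})


def load_bom(text):
    """Parse a CycloneDX JSON document, rejecting anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX JSON BOM")
    return bom


def main_coordinates(bom):
    """(group, name, version) of the component the BOM describes; compare
    these against the Maven coordinates the BOM was downloaded for."""
    c = bom["metadata"]["component"]
    return c["group"], c["name"], c["version"]


def component_purls(bom):
    """Package URLs of every declared dependency component."""
    return [c["purl"] for c in bom.get("components", []) if "purl" in c]


def components_without_hashes(bom):
    """Names of components carrying no hash; those cannot be pinned to a
    specific jar by downstream tooling, so a reviewer should know about them."""
    return [c["name"] for c in bom.get("components", []) if not c.get("hashes")]
```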