Configure SBOM Actuator for Buildpacks

Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
ThomasVitale · May 5, 2024 · a73a660 · a73a660
1 parent 49a8df9
commit a73a660
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/buildpacks/gradle/README.md b/buildpacks/gradle/README.md
@@ -1,11 +1,23 @@
 # Containerizing Java applications with Cloud Native Buildpacks
 
-## Building a container image with Spring Boot
+## Building a container image with Buildpacks and Spring Boot
 
 ```shell
 ./gradlew bootBuildImage
 ```
 
+Run the containerized application
+
+```shell
+docker run --rm -p 8080:8080 demo-buildpacks:1.0
+```
+
+Browse the SBOMs generated by Buildpacks for each image layer
+
+```shell
+http :8080/actuator/sbom
+```
+
 ## Extracting the SBOMs from each layer of the image with pack
 
 ```shell

diff --git a/buildpacks/gradle/build.gradle b/buildpacks/gradle/build.gradle
@@ -20,14 +20,11 @@ repositories {
 }
 
 dependencies {
+    implementation 'org.springframework.boot:spring-boot-starter-actuator'
     implementation 'org.springframework.boot:spring-boot-starter-web'
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
-dependencyLocking {
-    lockAllConfigurations()
-}
-
 tasks.named('test') {
     useJUnitPlatform()
 }

diff --git a/buildpacks/gradle/src/main/resources/application.yml b/buildpacks/gradle/src/main/resources/application.yml
@@ -1 +1,22 @@
-
+management:
+  endpoints:
+    web:
+      exposure:
+        include: sbom
+  endpoint:
+    sbom:
+      additional:
+        buildpacks-lifecycle:
+          location: "optional:file:/layers/sbom/launch/buildpacksio_lifecycle/launcher/sbom.cdx.json"
+        buildpacks-liberica-helper:
+          location: "optional:file:/layers/sbom/launch/paketo-buildpacks_bellsoft-liberica/helper/sbom.syft.json"
+        buildpacks-liberica-jre:
+          location: "optional:file:/layers/sbom/launch/paketo-buildpacks_bellsoft-liberica/jre/sbom.syft.json"
+        buildpacks-ca-certificates:
+          location: "optional:file:/layers/sbom/launch/paketo-buildpacks_ca-certificates/helper/sbom.syft.json"
+        buildpacks-executable-jar:
+          location: "optional:file:/layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json"
+        buildpacks-spring-boot-helper:
+          location: "optional:file:/layers/sbom/launch/paketo-buildpacks_spring-boot/helper/sbom.syft.json"
+        buildpacks-spring-boot-spring-cloud-bindings:
+          location: "optional:file:/layers/sbom/launch/paketo-buildpacks_spring-boot/spring-cloud-bindings/sbom.syft.json"