Upgrade to Spring Boot 3.3

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [ 17, 21 ]
+        java: [ 21 ]
     name: Java ${{ matrix.java }} build
     steps:
       - uses: actions/checkout@v4

.github/workflows/release.yml

@@ -22,7 +22,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           distribution: liberica
-          java-version: 17
+          java-version: 21
           gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
@@ -42,7 +42,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           distribution: liberica
-          java-version: 17
+          java-version: 21
           server-id: central
           server-username: MAVEN_USERNAME
           server-password: MAVEN_CENTRAL_TOKEN

.sdkmanrc

@@ -1 +1 @@
-java=17.0.10-librca
+java=21.0.3-librca

README.md

@@ -25,7 +25,7 @@ The first target is Cloud Foundry.  But there's nothing that stops us from doing
 * [SDKMan](https://sdkman.io/)
 * JDK 17 or better
 * (Optionally) access to a [Cloud Foundry](https://www.cloudfoundry.org/) foundation with read-only admin credentials
-
+* Your application source's Maven `pom.xml` or Gradle `build.gradle` file should declare a dependency on Spring Boot 3.2 or better
 
 ## Clone
 
@@ -37,23 +37,25 @@ gh repo clone cf-toolsuite/spring-boot-starter-runtime-metadata
 ## Build
 
 ```
-sdk install java 17.0.10-librca
-sdk use java 17.0.10-librca
+sdk install java 21.0.3-librca
+sdk use java 21.0.3-librca
 ./mvnw clean install
 ```
 
+> Note: As of `spring-boot-starter-runtime-metadata` `0.4.0`, we have a runtime dependency on Java 21 or better.  Prior versions have a runtime dependency on Java 17 or better.
+
 
 ## How to use
 
-### Maven
+### with Spring Boot 3.2
 
 Add the following `dependency` to your application's `pom.xml` file
 
 ```
 <dependency>
   <groupId>org.cftoolsuite.actuator</groupId>
   <artifactId>spring-boot-starter-runtime-metadata</artifactId>
-  <version>0.2.0</version>
+  <version>0.3.0</version>
 </dependency>
 ```
 
@@ -79,13 +81,60 @@ If you want to embed and expose a bill of materials from your artifact, then you
 </plugin>
 ```
 
-### Gradle
+#### Gradle
+
+Add the following `dependency` to your application's `build.gradle` file
+
+```
+dependencies {
+    compile group: 'org.cftoolsuite.actuator', name: 'spring-boot-starter-runtime-metadata', version: '0.3.0'
+}
+```
+
+If you want to embed and expose a bill of materials from your artifact, then you'll also want to add this plugin to your application's `build.gradle` file too
+
+```
+plugins {
+  id 'org.cyclonedx.bom' version '1.8.2'
+}
+
+tasks.named("cyclonedxBom") {
+  destination = file("${buildDir}/classes")
+}
+```
+
+### with Spring Boot 3.3 or better
+
+> Note: As of `spring-boot-starter-runtime-metadata` `0.4.0`, you will also be able to obtain a software-bill-of-materials from the `/actuator/sbom` endpoint, which is now [built-in](https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.3-Release-Notes#sbom-actuator-endpoint) to Spring Boot `3.3`.
+
+#### Maven
+
+Add the following `dependency` to your application's `pom.xml` file
+
+```
+<dependency>
+  <groupId>org.cftoolsuite.actuator</groupId>
+  <artifactId>spring-boot-starter-runtime-metadata</artifactId>
+  <version>0.4.0</version>
+</dependency>
+```
+
+If you want to embed and expose a bill of materials from your artifact, then you'll also want to add this `plugin` to your application's `pom.xml` file too
+
+```
+<plugin>
+  <groupId>org.cyclonedx</groupId>
+  <artifactId>cyclonedx-maven-plugin</artifactId>
+</plugin>
+```
+
+#### Gradle
 
 Add the following `dependency` to your application's `build.gradle` file
 
 ```
 dependencies {
-    compile group: 'org.cftoolsuite.actuator', name: 'spring-boot-starter-runtime-metadata', version: '0.2.0'
+    compile group: 'org.cftoolsuite.actuator', name: 'spring-boot-starter-runtime-metadata', version: '0.4.0'
 }
 ```
 
@@ -97,7 +146,7 @@ plugins {
 }
 
 tasks.named("cyclonedxBom") {
-  destination = file("${buildDir}/classes/cyclonedx")
+  destination = file("${buildDir}/META-INF/sbom")
 }
 ```
 
@@ -125,7 +174,7 @@ Among several sub-directories underneath the `layers/sbom/launch` directory, you
 Unfortunately, these files are not available and accessible in the container image at runtime.  But what you can do is make a copy of the `sbom.cdx.json` file, like so:
 
 ```
-cp -f layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json src/main/resources/sbom.json
+cp -f layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json src/main/resources/META-INF/sbom/application.cdx.json
 ```
 
 Then rebuild the container image.  (Remember to repeat this process for any change you make to source).
@@ -257,7 +306,6 @@ And how you can download a software bill of materials
 ❯ http :8080/actuator/info | jq .sbom > sbom.json
 ```
 
-
 ## Roadmap
 
 ### Cloud Foundry and Buildpacks
@@ -270,4 +318,3 @@ What if the [Java Buildpack](https://github.com/cloudfoundry/java-buildpack?tab=
 ### Software Bill of Materials
 
 * Adapted earlier work by Maciej Walkowiak, here: https://maciejwalkowiak.com/blog/maven-dependencies-spring-boot-actuator-info/.
-* Keeping an eye on https://github.com/spring-projects/spring-boot/issues/22924.

pom.xml

@@ -5,14 +5,14 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.2.5</version>
+		<version>3.3.0</version>
 		<relativePath/>
 		<!-- lookup parent from repository -->
 	</parent>
 
 	<groupId>org.cftoolsuite.actuator</groupId>
 	<artifactId>spring-boot-starter-runtime-metadata</artifactId>
-	<version>0.3.0</version>
+	<version>0.4.0</version>
 
 	<name>spring-boot-starter-runtime-metadata</name>
 	<description>Adds custom actuator endpoints that share details on the dependencies the application requires at runtime</description>
@@ -52,7 +52,7 @@
 	</issueManagement>
 
 	<properties>
-		<java.version>17</java.version>
+		<java.version>21</java.version>
 	</properties>
 
 	<dependencies>
@@ -82,7 +82,6 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-source-plugin</artifactId>
-				<version>3.3.1</version>
 				<executions>
 					<execution>
 						<id>attach-sources</id>
@@ -95,12 +94,10 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-deploy-plugin</artifactId>
-				<version>3.1.2</version>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.6.3</version>
 				<configuration>
 					<skip>false</skip>
 					<doclint>none</doclint>
@@ -138,7 +135,6 @@
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>
 				<artifactId>versions-maven-plugin</artifactId>
-				<version>2.16.2</version>
 				<configuration>
 					<generateBackupPoms>false</generateBackupPoms>
 				</configuration>

src/main/java/org/cftoolsuite/actuator/runtime/metadata/CycloneDxInfoContributor.java

@@ -16,7 +16,7 @@ public class CycloneDxInfoContributor implements InfoContributor, InitializingBe
     private final JsonParser jsonParser = new JsonParser();
     private @Nullable List<Dependency> dependencies;
 
-    public CycloneDxInfoContributor(@Value("classpath:bom.json") Resource bomFile) {
+    public CycloneDxInfoContributor(@Value("classpath:META-INF/sbom/application.cdx.json") Resource bomFile) {
         this.bomFile = bomFile;
     }
 

src/main/java/org/cftoolsuite/actuator/runtime/metadata/JarUtil.java

@@ -28,7 +28,7 @@ public static List<String> findMatchingFiles(File jarFile, String extension) {
                 }
             }
         } catch (IOException ioe) {
-            log.error(String.format("Problems reading from %s to find matching embedded %s files", jarFile.getName(), extension), ioe);
+            log.error("Problems reading from %s to find matching embedded %s files".formatted(jarFile.getName(), extension), ioe);
         }
         return result;
     }
@@ -43,7 +43,7 @@ public static String extractFileContent(File jarFile, String filename) {
                 }
             }
         } catch (IOException ioe) {
-            log.error(String.format("Problems reading from %s to extract contents of embedded %s file", jarFile.getName(), filename), ioe);
+            log.error("Problems reading from %s to extract contents of embedded %s file".formatted(jarFile.getName(), filename), ioe);
         }
         return null;
     }

src/main/java/org/cftoolsuite/actuator/runtime/metadata/RuntimeMetadataAutoConfiguration.java

@@ -32,14 +32,14 @@ public JarsEndpoint jarsEndpoint(ArtifactsService artifactsService) {
     @Bean
 	@ConditionalOnEnabledInfoContributor(value = "sbom", fallback = InfoContributorFallback.DISABLE)
 	@Order(DEFAULT_ORDER)
-    public SimpleCycloneDxInfoContributor simpleCycloneDxInfoContributor(@Value("classpath:bom.json") Resource bomFile) {
+    public SimpleCycloneDxInfoContributor simpleCycloneDxInfoContributor(@Value("classpath:META-INF/sbom/application.cdx.json") Resource bomFile) {
         return new SimpleCycloneDxInfoContributor(bomFile);
     }
 
     @Bean
 	@ConditionalOnEnabledInfoContributor(value = "dependencies", fallback = InfoContributorFallback.DISABLE)
 	@Order(DEFAULT_ORDER)
-    public CycloneDxInfoContributor cycloneDxInfoContributor(@Value("classpath:bom.json") Resource bomFile) {
+    public CycloneDxInfoContributor cycloneDxInfoContributor(@Value("classpath:META-INF/sbom/application.cdx.json") Resource bomFile) {
         return new CycloneDxInfoContributor(bomFile);
     }
 }

src/main/java/org/cftoolsuite/actuator/runtime/metadata/SimpleCycloneDxInfoContributor.java

@@ -16,7 +16,7 @@ public class SimpleCycloneDxInfoContributor implements InfoContributor, Initiali
     private final ObjectMapper objectMapper = new ObjectMapper();
     private @Nullable JsonNode bom;
 
-    public SimpleCycloneDxInfoContributor(@Value("classpath:bom.json") Resource bomFile) {
+    public SimpleCycloneDxInfoContributor(@Value("classpath:META-INF/sbom/application.cdx.json") Resource bomFile) {
         this.bomFile = bomFile;
     }