****See highlighted instructions****

  

What is it?

Software Package Data Exchange (SPDX) is an open standard for communicating

software bill of materials (SBOM) information that supports accurate identification of software

components, explicit mapping of relationships between components, and the association of

security and licensing information with each component.

 

In global-jjb "lf-infra-maven-sbom-generator" is an optional builder step for the "gerrit-maven-stage" job. 

 

How to use it?

To enable SPDX SBOM Generator, set "sbom-generator" to true for your gerrit-maven-stage jobs.
This feature is disabled by default for all projects

 

Optional variables:

- "sbom-flags" to pass any optional flags to the executor according to:

https://github.com/opensbom-generator/spdx-sbom-generator

- "sbom-generator-version" to use a specific SPDX SBOM Generator version

(default is "v0.0.10")

 

Code example:

 

       - gerrit-maven-stage:

           sbom-generator: true

           sbom-flags: "-p test/path/example"

           sbom-generator-version: v0.0.13

 

What does it do?

When "sbom-generator" is true, "gerrit-maven-stage" will run SPDX SBOM Generator tool to generate a software bill of materials

with current package managers.

 

This report will be part of the "autorelease" package for a staged release candidate. For example:

https://nexus.onap.org/content/repositories/autorelease-318953/

Where can I learn more about it?

More about SPDX SBOM Generator: https://github.com/opensbom-generator/spdx-sbom-generator

More about maven-stage: https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-maven-stage

Maven-stage code: https://github.com/lfit/releng-global-jjb/blob/master/jjb/lf-maven-jobs.yaml#L817

 

If you have any questions or need assistance, please contact https://support.linuxfoundation.org/