Class SBOMGenerator

java.lang.Object
org.graalvm.buildtools.maven.sbom.SBOMGenerator

public final class SBOMGenerator extends Object
Generates a Software Bill of Materials (SBOM) that is then augmented and refined by Native Image. This feature is only supported in Oracle GraalVM for JDK versions of at least requiredNativeImageVersion (the static int constant declared on this class) or later.

Approach:
1. The cyclonedx-maven-plugin creates a baseline SBOM (referred to as the "base" SBOM).
2. The components of the base SBOM are updated with additional metadata, most importantly the set of package names associated with each component (see SBOMGenerator.AddedComponentFields for all additional metadata).
3. The SBOM is stored at a known location.
4. Native Image processes the SBOM and removes unreachable components and unnecessary dependencies.

Building the package-name-to-component mapping from inside Native Image, without the dependency knowledge that is only available at plugin build time, is difficult; that was the primary motivation for this approach. The plugin records the mapping while the Maven dependency graph is still at hand, and Native Image, which knows which packages are actually reachable, uses it to prune the SBOM.

Benefits:
* Great Baseline: Produces an industry-standard SBOM at minimum.
* Enhanced Accuracy: Native Image augments and refines the SBOM, potentially significantly improving its accuracy.
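The four steps above, traced on data, as an added example that is not part of native-build-tools or Native Image: it augments a constructed CycloneDX-style baseline SBOM with per-component package names (step 2) and then prunes it against a reachability result (step 4) the way a consumer would expect Native Image to. The field name packageNames, the package index, the component names and the reachable-package set are all assumptions made up for this example; the real added field names are defined in SBOMGenerator.AddedComponentFields, which this page does not list.

```python
import json
from copy import deepcopy

# Constructed baseline SBOM standing in for the cyclonedx-maven-plugin output
# (step 1). Shape follows CycloneDX JSON; every value is made up for this example.
BASELINE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "com.example", "name": "app-core", "version": "1.0.0",
         "bom-ref": "pkg:maven/com.example/app-core@1.0.0"},
        {"type": "library", "group": "com.example", "name": "json-lib", "version": "2.3.1",
         "bom-ref": "pkg:maven/com.example/json-lib@2.3.1"},
        {"type": "library", "group": "com.example", "name": "unused-lib", "version": "0.9.0",
         "bom-ref": "pkg:maven/com.example/unused-lib@0.9.0"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/app-core@1.0.0",
         "dependsOn": ["pkg:maven/com.example/json-lib@2.3.1",
                       "pkg:maven/com.example/unused-lib@0.9.0"]},
        {"ref": "pkg:maven/com.example/json-lib@2.3.1", "dependsOn": []},
        {"ref": "pkg:maven/com.example/unused-lib@0.9.0", "dependsOn": []},
    ],
}

# Constructed bom-ref -> Java package names mapping. At plugin build time this
# is cheap (list the entries of each resolved jar); inside Native Image it is not.
PACKAGE_INDEX = {
    "pkg:maven/com.example/app-core@1.0.0": {"com.example.app", "com.example.app.cli"},
    "pkg:maven/com.example/json-lib@2.3.1": {"com.example.json"},
    "pkg:maven/com.example/unused-lib@0.9.0": {"com.example.unused"},
}

# Assumed name for the added field; the real names live in
# SBOMGenerator.AddedComponentFields and are not shown on this page.
PACKAGES_FIELD = "packageNames"


def augment(sbom, package_index):
    """Step 2: return a copy of the base SBOM with package names attached per component."""
    out = deepcopy(sbom)
    for comp in out["components"]:
        comp[PACKAGES_FIELD] = sorted(package_index.get(comp["bom-ref"], ()))
    return out


def _has_reachable_package(comp, reachable):
    packages = comp.get(PACKAGES_FIELD)
    # No recorded packages (resource-only jar, or a component the index did not
    # cover) means no evidence of unreachability: keep it rather than silently
    # dropping a component from the bill of materials.
    if not packages:
        return True
    return bool(reachable & set(packages))


def prune(sbom, reachable_packages):
    """Step 4, modelled: keep a component only if one of its packages is reachable,
    then drop dependency entries and edges that point at removed components."""
    reachable = set(reachable_packages)
    out = deepcopy(sbom)
    kept = {c["bom-ref"] for c in out["components"] if _has_reachable_package(c, reachable)}
    out["components"] = [c for c in out["components"] if c["bom-ref"] in kept]
    out["dependencies"] = [
        {"ref": d["ref"], "dependsOn": [r for r in d.get("dependsOn", []) if r in kept]}
        for d in out.get("dependencies", [])
        if d["ref"] in kept
    ]
    return out


def component_names(sbom):
    """Sorted component names, handy for comparing before/after."""
    return sorted(c["name"] for c in sbom["components"])


if __name__ == "__main__":
    augmented = augment(BASELINE_SBOM, PACKAGE_INDEX)
    # Constructed reachability result: only these packages survived analysis.
    final = prune(augmented, {"com.example.app", "com.example.json"})
    print(json.dumps(final, indent=2))
```

The pruning deliberately keeps a component that carries no package list: an SBOM that drops a dependency for lack of evidence is worse for vulnerability matching than one that keeps an unreachable library. Step 3 (storing the augmented SBOM at a known location) is just writing the JSON to the path the plugin and Native Image agree on, which this page states is the build directory.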

  • Field Summary

    Fields
    Modifier and Type   Field   Description
    static final int
    static final String
  • Constructor Summary

    Constructors
    Constructor   Description
    SBOMGenerator(org.apache.maven.project.MavenProject mavenProject, org.apache.maven.execution.MavenSession mavenSession, org.apache.maven.plugin.BuildPluginManager pluginManager, org.eclipse.aether.RepositorySystem repositorySystem, String mainClass, org.codehaus.plexus.logging.Logger logger)
  • Method Summary

    Modifier and Type   Method   Description
    static boolean   checkAugmentedSBOMSupportedByJDKVersion(int detectedJdkVersion, boolean throwErrorIfNotSupported)   Checks if the JDK version supports augmented SBOMs.
    void   generate()   Generates an SBOM that will be further augmented by Native Image.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Constructor Details

    • SBOMGenerator

      public SBOMGenerator(org.apache.maven.project.MavenProject mavenProject, org.apache.maven.execution.MavenSession mavenSession, org.apache.maven.plugin.BuildPluginManager pluginManager, org.eclipse.aether.RepositorySystem repositorySystem, String mainClass, org.codehaus.plexus.logging.Logger logger)
  • Method Details

    • checkAugmentedSBOMSupportedByJDKVersion

      public static boolean checkAugmentedSBOMSupportedByJDKVersion(int detectedJdkVersion, boolean throwErrorIfNotSupported) throws IllegalArgumentException
      Checks if the JDK version supports augmented SBOMs.
      Parameters:
      detectedJdkVersion - the detected version of the JDK in use.
      throwErrorIfNotSupported - if true, an IllegalArgumentException is thrown instead of returning false when the check fails.
      Returns:
      true if the JDK version supports augmented SBOMs; false if it does not and throwErrorIfNotSupported is false.
      Throws:
      IllegalArgumentException - when throwErrorIfNotSupported is true and the version check failed.
    • generate

      public void generate() throws org.apache.maven.plugin.MojoExecutionException
      Generates an SBOM that will be further augmented by Native Image. The SBOM is stored in the build directory.
      Throws:
      org.apache.maven.plugin.MojoExecutionException - if SBOM creation fails.