Package org.graalvm.buildtools.maven.sbom

Class SBOMGenerator

java.lang.Object

org.graalvm.buildtools.maven.sbom.SBOMGenerator

public final class SBOMGenerator
extends Object

Generates a base Software Bill of Materials (SBOM) that is refined by Native Image. This feature is only supported in Oracle GraalVM for JDK requiredNativeImageVersion or later.

Approach: 1. The cyclonedx-maven-plugin creates an initial SBOM. 2. The components of the initial SBOM are updated with additional metadata, most importantly being the set of package names associated with the component (see SBOMGenerator.AddedComponentFields for all additional metadata). The updated SBOM is referred to as the base SBOM. 3. The base SBOM is stored at a known location. 4. Native Image processes the base SBOM and removes unreachable components and unnecessary dependencies.

Creating the package-name-to-component mapping in the context of Native Image, without the knowledge known at the plugin build-time is difficult, which was the primary motivation for realizing this approach.

Benefits: - Great Baseline: Produces an industry-standard SBOM at minimum. - Enhanced Accuracy: Native Image refines the SBOM, potentially significantly improving its accuracy.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final record	SBOMGenerator.Config

Field Summary

Fields

Modifier and Type	Field	Description
static final int	requiredNativeImageVersion	The support for base SBOMs was added in this version of Native Image.
static final String	SBOM_FILENAME

Constructor Summary

Constructors

Constructor	Description
SBOMGenerator(org.apache.maven.project.MavenProject mavenProject, org.apache.maven.execution.MavenSession mavenSession, org.apache.maven.plugin.BuildPluginManager pluginManager, org.eclipse.aether.RepositorySystem repositorySystem, String mainClass)

Method Summary

Modifier and Type	Method	Description
void	generateIfSupportedAndEnabled(SBOMGenerator.Config config)	Generates a base SBOM that will help Native Image when building its SBOM.
static boolean	isBaseSBOMSupported(boolean isOracleGraalVM, int graalvmMajorVersion)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

requiredNativeImageVersion

public static final int requiredNativeImageVersion

The support for base SBOMs was added in this version of Native Image.

See Also:

• Constant Field Values

SBOM_FILENAME

public static final String SBOM_FILENAME

See Also:

• Constant Field Values

Constructor Details

SBOMGenerator

public SBOMGenerator(org.apache.maven.project.MavenProject mavenProject,
 org.apache.maven.execution.MavenSession mavenSession,
 org.apache.maven.plugin.BuildPluginManager pluginManager,
 org.eclipse.aether.RepositorySystem repositorySystem,
 String mainClass)

Method Details

generateIfSupportedAndEnabled

public void generateIfSupportedAndEnabled(SBOMGenerator.Config config)
                                   throws org.apache.maven.plugin.MojoExecutionException

Generates a base SBOM that will help Native Image when building its SBOM. The base SBOM is only generated if the SBOM feature is enabled and if the base SBOM is supported by the used Native Image version.

Throws:

org.apache.maven.plugin.MojoExecutionException - if base SBOM creation fails.

isBaseSBOMSupported

public static boolean isBaseSBOMSupported(boolean isOracleGraalVM,
 int graalvmMajorVersion)