Package org.graalvm.buildtools.maven.sbom

Class SBOMGenerator

  • public final class SBOMGenerator
extends java.lang.Object
    Generates a Software Bill of Materials (SBOM) that is augmented and refined by Native Image. This feature is only supported in Oracle GraalVM for JDK requiredNativeImageVersion or later.

    Approach: 1. The cyclonedx-maven-plugin creates a baseline SBOM. 2. The components of the baseline SBOM (referred to as the "base" SBOM) are updated with additional metadata, most importantly being the set of package names associated with the component (see SBOMGenerator.AddedComponentFields for all additional metadata). 3. The SBOM is stored at a known location. 4. Native Image processes the SBOM and removes unreachable components and unnecessary dependencies.

    Creating the package-name-to-component mapping in the context of Native Image, without the knowledge known at the plugin build-time is difficult, which was the primary motivation for realizing this approach.

    Benefits: * Great Baseline: Produces an industry-standard SBOM at minimum. * Enhanced Accuracy: Native Image augments and refines the SBOM, potentially significantly improving its accuracy.

    • Constructor Summary

      Constructors 
      Constructor Description
      SBOMGenerator​(org.apache.maven.project.MavenProject mavenProject, org.apache.maven.execution.MavenSession mavenSession, org.apache.maven.plugin.BuildPluginManager pluginManager, org.eclipse.aether.RepositorySystem repositorySystem, java.lang.String mainClass, org.codehaus.plexus.logging.Logger logger)  

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      static boolean checkAugmentedSBOMSupportedByJDKVersion​(int detectedJdkVersion, boolean throwErrorIfNotSupported)
      Checks if the JDK version supports augmented SBOMs.
      void generate()
      Generates an SBOM that will be further augmented by Native Image.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • SBOMGenerator

        public SBOMGenerator​(org.apache.maven.project.MavenProject mavenProject,
                     org.apache.maven.execution.MavenSession mavenSession,
                     org.apache.maven.plugin.BuildPluginManager pluginManager,
                     org.eclipse.aether.RepositorySystem repositorySystem,
                     java.lang.String mainClass,
                     org.codehaus.plexus.logging.Logger logger)

    • Method Detail

      • checkAugmentedSBOMSupportedByJDKVersion

        public static boolean checkAugmentedSBOMSupportedByJDKVersion​(int detectedJdkVersion,
                                                              boolean throwErrorIfNotSupported)
                                                       throws java.lang.IllegalArgumentException
        Checks if the JDK version supports augmented SBOMs.
        Parameters:
        detectedJdkVersion - the JDK version used.
        throwErrorIfNotSupported - if true, then an error is thrown if the check failed.
        Returns:
        true if the JDK version supports the flag, otherwise false (if throwErrorIfNotSupported is false).
        Throws:
        java.lang.IllegalArgumentException - when throwErrorIfNotSupported is true and the version check failed.

      • generate

        public void generate()
              throws org.apache.maven.plugin.MojoExecutionException
        Generates an SBOM that will be further augmented by Native Image. The SBOM is stored in the build directory.
        Throws:
        org.apache.maven.plugin.MojoExecutionException - if SBOM creation fails.