WIP experiment with cyclonedx

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>

Author: chadlwilson

ant/pom.xml

@@ -193,6 +193,18 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                     </archive>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>makeBom</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-assembly-plugin</artifactId>

ant/src/main/assembly/release.xml

@@ -1,12 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<assembly
-    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
-      http://maven.apache.org/xsd/assembly-1.1.2.xsd
-  "
->
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.2.0 https://maven.apache.org/xsd/assembly-2.2.0.xsd">
     <id>release</id>
     <formats>
         <format>zip</format>
@@ -18,6 +12,10 @@
             <outputDirectory>dependency-check-ant</outputDirectory>
             <destName>dependency-check-ant.jar</destName>
         </file>
+        <file>
+            <source>${project.build.directory}/sbom.json</source>
+            <outputDirectory>dependency-check-ant</outputDirectory>
+        </file>
     </files>
     <dependencySets>
         <dependencySet>

cli/pom.xml

@@ -82,6 +82,18 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                     </archive>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.cyclonedx</groupId>
+                <artifactId>cyclonedx-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>makeBom</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>appassembler-maven-plugin</artifactId>
@@ -104,7 +116,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                     </binFileExtensions>
                     <repositoryLayout>flat</repositoryLayout>
                     <repositoryName>lib</repositoryName>
-                    <unixScriptTemplate>${project.basedir}/src/main/conf/unixBinTemplate.sh</unixScriptTemplate>
                     <windowsScriptTemplate>${project.basedir}/src/main/conf/windowsBinTemplate.bat</windowsScriptTemplate>
                     <extraJvmArguments>${runtime.extra.jvm.args}</extraJvmArguments>
                 </configuration>

cli/src/main/assembly/release.xml

@@ -1,9 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<assembly
-    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
-      http://maven.apache.org/xsd/assembly-1.1.2.xsd">
+<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.2.0 https://maven.apache.org/xsd/assembly-2.2.0.xsd">
     <id>release</id>
     <formats>
         <format>zip</format>
@@ -52,5 +49,12 @@
                 <include>NOTICE.txt</include>
             </includes>
         </fileSet>
+        <fileSet>
+            <outputDirectory>dependency-check</outputDirectory>
+            <directory>${project.build.directory}</directory>
+            <includes>
+                <include>sbom.json</include>
+            </includes>
+        </fileSet>
     </fileSets>
 </assembly>

pom.xml

@@ -342,6 +342,17 @@ Copyright (c) 2012 - Jeremy Long
                         <ignoredVersions>.*-(alpha|beta|M|rc)[-0-9]+</ignoredVersions>
                     </configuration>
                 </plugin>
+                <plugin>
+                    <groupId>org.cyclonedx</groupId>
+                    <artifactId>cyclonedx-maven-plugin</artifactId>
+                    <version>2.9.1</version>
+                    <configuration>
+                        <includeProvidedScope>false</includeProvidedScope>
+                        <skipNotDeployed>false</skipNotDeployed>
+                        <outputName>sbom</outputName>
+                        <outputFormat>json</outputFormat>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
         <plugins>
@@ -1040,12 +1051,6 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>semver4j</artifactId>
                 <version>5.8.0</version>
             </dependency>
-            <dependency>
-                <groupId>org.jspecify</groupId>
-                <artifactId>jspecify</artifactId>
-                <version>1.0.0</version>
-                <optional>true</optional>
-            </dependency>
             <dependency>
                 <groupId>com.h2database</groupId>
                 <artifactId>h2</artifactId>
@@ -1254,6 +1259,20 @@ Copyright (c) 2012 - Jeremy Long
                     </exclusion>
                 </exclusions>
             </dependency>
+            <dependency>
+                <groupId>org.jspecify</groupId>
+                <artifactId>jspecify</artifactId>
+                <version>1.0.0</version>
+                <!-- Use provided scope to ensure not used at runtime, even from transitive dependencies -->
+                <scope>provided</scope>
+            </dependency>
+            <dependency>
+                <groupId>com.github.spotbugs</groupId>
+                <artifactId>spotbugs-annotations</artifactId>
+                <version>4.9.8</version>
+                <!-- Use provided scope to ensure not used at runtime, even from transitive dependencies -->
+                <scope>provided</scope>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <dependencies>
@@ -1293,15 +1312,12 @@ Copyright (c) 2012 - Jeremy Long
         <dependency>
             <groupId>org.jspecify</groupId>
             <artifactId>jspecify</artifactId>
-            <scope>compile</scope>
-            <optional>true</optional>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>com.github.spotbugs</groupId>
             <artifactId>spotbugs-annotations</artifactId>
-            <version>4.9.8</version>
-            <scope>compile</scope>
-            <optional>true</optional>
+            <scope>provided</scope>
         </dependency>
         <!-- endregion -->
     </dependencies>