From 10907ed9ccf782d47c967e58cfa7e1babe0b97c5 Mon Sep 17 00:00:00 2001
From: Alexander Suter
Date: Thu, 21 Nov 2024 10:29:29 +0100
Subject: [PATCH] Create sbom and analyze it with dtrack

When generating standaldon sbom (not aggregated) we have a dependency graph for each single artifact.
---
 build/sbom/Jenkinsfile | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 build/sbom/Jenkinsfile

diff --git a/build/sbom/Jenkinsfile b/build/sbom/Jenkinsfile
new file mode 100644
index 0000000..e5ee59c
--- /dev/null
+++ b/build/sbom/Jenkinsfile
@@ -0,0 +1,42 @@
+pipeline {
+ agent any
+
+ options {
+ buildDiscarder(logRotator(numToKeepStr: '30', artifactNumToKeepStr: '20'))
+ }
+
+ triggers {
+ cron '@midnight'
+ }
+
+ stages {
+ stage('build') {
+ steps {
+ script {
+ if (isReleaseOrMasterBranch()) {
+ docker.build('maven').inside() {
+ maven cmd: "org.cyclonedx:cyclonedx-maven-plugin:makeBom -DincludeLicenseText=true -DoutputFormat=json"
+ withCredentials([string(credentialsId: 'dependency-track', variable: 'API_KEY')]) {
+ def components = ["unit-tester", "primeui-tester", "web-tester"]
+ for (component in components) {
+ def version = sh (script: "mvn -f ${component}/pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout", returnStdout: true)
+ sh 'curl -v --fail -X POST https://api.dependency-track.ivyteam.io/api/v1/bom \
+ -H "Content-Type: multipart/form-data" \
+ -H "X-API-Key: ' + API_KEY + '" \
+ -F "autoCreate=true" \
+ -F "projectName=' + component + '" \
+ -F "projectVersion=' + version + '" \
+ -F "bom=@unit-tester/target/bom.json"'
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+def isReleaseOrMasterBranch() {
+ return env.BRANCH_NAME == 'master' || env.BRANCH_NAME.startsWith('release/')
+}
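Review bot: The upload inside the `for` loop always attaches `unit-tester/target/bom.json`, so the `primeui-tester` and `web-tester` projects in Dependency-Track receive the unit-tester BOM under their own names; the path should follow the loop variable, `-F "bom=@${component}/target/bom.json"`. The API key is spliced into the `sh` command text by Groovy concatenation (`' + API_KEY + '`), which puts the secret on the process command line where other processes on the agent can read it, and Jenkins itself flags this interpolation pattern as insecure; since `withCredentials` already exports `API_KEY` to the environment, letting the shell expand `$API_KEY` avoids that, and dropping `-v` keeps the `X-API-Key` request header out of curl's verbose output in the build log. `version` is taken from `returnStdout` without `.trim()`, so the trailing newline from `mvn` ends up in `projectVersion`. The rewritten loop body below covers all three points.

```groovy
for (component in components) {
  def version = sh(script: "mvn -f ${component}/pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout", returnStdout: true).trim()
  // API_KEY is expanded by the shell from the environment set by withCredentials, never by Groovy
  sh """curl -sS --fail -X POST https://api.dependency-track.ivyteam.io/api/v1/bom \
    -H "Content-Type: multipart/form-data" \
    -H "X-API-Key: \$API_KEY" \
    -F "autoCreate=true" \
    -F "projectName=${component}" \
    -F "projectVersion=${version}" \
    -F "bom=@${component}/target/bom.json\""""
}
```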