JSTEP 14
Tatu Saloranta (@cowtowncoder)
- 2025-05-02: Completed
- 2025-04-23: Created first proposal
Completed initial version; all repos publishing SBOMs (including Scala).
Classifier used: sbom-cyclonedx
Use of SBOMs (Software Bill of Materials) is starting to increase. For an overview of SBOMs see:
It would make sense to produce SBOM artifacts for Jackson components as part of the build process, and to publish them to Maven Central.
Because the 2.19.0 release was close, we waited until the 2.20 branch had been created before publishing SBOMs for all artifacts.
Adding this to `pom.xml`:

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

will generate `target/bom.json` and `target/bom.xml` artifacts.
It looks like the plug-in will by default "attach" the SBOM artifacts to the build so that they are publishable alongside the main artifact.
One open question is the "classifier" to use for SBOM artifacts. The default of "cyclonedx" produces:
`jackson-core-2.20.0-SNAPSHOT-cyclonedx.json`
but some frameworks use a different classifier: Quarkus, for example, seems to default to "dependency-cyclonedx" instead.
If attaching did not happen automatically, we could attach the files manually with:

```xml
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>build-helper-maven-plugin</artifactId>
  <executions>
    <execution>
      <id>attach-sbom</id>
      <phase>package</phase>
      <goals>
        <goal>attach-artifact</goal>
      </goals>
      <configuration>
        <artifacts>
          <artifact>
            <file>${project.build.directory}/bom.xml</file>
            <type>bom.xml</type>
          </artifact>
          <artifact>
            <file>${project.build.directory}/bom.json</file>
            <type>bom.json</type>
          </artifact>
        </artifacts>
      </configuration>
    </execution>
  </executions>
</plugin>
```
For the first version, we went with `sbom-cyclonedx` (02-May-2025). We may revisit this before the 2.20.0 / 3.0.0 release.
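As an added illustration (not part of this proposal or of the Jackson build), the following consumer-side check shows what the published `bom.json` looks like and what a downstream user can verify about it: the file name Maven derives from the chosen classifier, that the SBOM's root component really is the artifact it was attached to, and that every dependency edge points at a declared component. The SBOM content is a constructed sample in the CycloneDX JSON shape, with a made-up dependency; it is not a real Jackson SBOM.

```python
import json

# Constructed sample in the shape cyclonedx-maven-plugin writes to target/bom.json
# (illustrative coordinates only; the dependency is invented, not a real Jackson one).
ROOT_REF = "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.20.0-SNAPSHOT?type=jar"
DEP_REF = "pkg:maven/org.example/constructed-dep@1.0?type=jar"
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "library", "group": "com.fasterxml.jackson.core",
                               "name": "jackson-core", "version": "2.20.0-SNAPSHOT",
                               "bom-ref": ROOT_REF, "purl": ROOT_REF}},
    "components": [{"type": "library", "group": "org.example", "name": "constructed-dep",
                    "version": "1.0", "bom-ref": DEP_REF, "purl": DEP_REF}],
    "dependencies": [{"ref": ROOT_REF, "dependsOn": [DEP_REF]},
                     {"ref": DEP_REF, "dependsOn": []}],
})


def sbom_artifact_name(artifact_id, version, classifier="cyclonedx", fmt="json"):
    """File name under which Maven publishes an attached SBOM for a given classifier."""
    return f"{artifact_id}-{version}-{classifier}.{fmt}"


def check_sbom(bom_text, group, artifact_id, version):
    """Return a list of problems found; an empty list means every check passed."""
    bom = json.loads(bom_text)
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    root = bom.get("metadata", {}).get("component", {})
    if (root.get("group"), root.get("name"), root.get("version")) != (group, artifact_id, version):
        problems.append("metadata.component does not match the artifact it is attached to")
    # Every dependency edge must reference a component declared in this BOM.
    known = {c["bom-ref"] for c in bom.get("components", [])} | {root.get("bom-ref")}
    for entry in bom.get("dependencies", []):
        for ref in [entry["ref"], *entry.get("dependsOn", [])]:
            if ref not in known:
                problems.append(f"dangling reference: {ref}")
    return problems


def transitive_deps(bom_text):
    """Purls reachable from the root component through the dependency graph (BFS order)."""
    bom = json.loads(bom_text)
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    seen, queue = [], list(edges.get(root, []))
    while queue:
        ref = queue.pop(0)
        if ref not in seen:
            seen.append(ref)
            queue.extend(edges.get(ref, []))
    return seen
```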