Introduce ApplicationManifestsBuildItem that holds all the manifests

available in a build

Author: aloubyansky

core/deployment/src/main/java/io/quarkus/deployment/sbom/ApplicationManifestsBuildItem.java

@@ -0,0 +1,27 @@
+package io.quarkus.deployment.sbom;
+
+import java.util.Collection;
+
+import io.quarkus.builder.item.SimpleBuildItem;
+import io.quarkus.sbom.ApplicationManifest;
+
+/**
+ * Application manifests collected in a build
+ */
+public final class ApplicationManifestsBuildItem extends SimpleBuildItem {
+
+    private final Collection<ApplicationManifest> manifests;
+
+    public ApplicationManifestsBuildItem(Collection<ApplicationManifest> manifests) {
+        this.manifests = manifests;
+    }
+
+    /**
+     * Application manifests from which SBOMs can be generated.
+     *
+     * @return collected application manifests
+     */
+    public Collection<ApplicationManifest> getManifests() {
+        return manifests;
+    }
+}

core/deployment/src/main/java/io/quarkus/deployment/sbom/ApplicationManifestsBuildStep.java

@@ -0,0 +1,30 @@
+package io.quarkus.deployment.sbom;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import io.quarkus.deployment.annotations.BuildStep;
+import io.quarkus.deployment.pkg.builditem.ArtifactResultBuildItem;
+import io.quarkus.sbom.ApplicationManifest;
+
+public class ApplicationManifestsBuildStep {
+
+    /**
+     * Aggregates application manifest configurations and creates application manifests from which
+     * SBOMs could be generated by SBOM generating build steps.
+     *
+     * @param artifactResultBuildItems artifact results
+     * @return application manifests for SBOM generation
+     */
+    @BuildStep
+    public ApplicationManifestsBuildItem generate(List<ArtifactResultBuildItem> artifactResultBuildItems) {
+        final List<ApplicationManifest> manifests = new ArrayList<>(artifactResultBuildItems.size());
+        for (var artifactResult : artifactResultBuildItems) {
+            var manifestConfig = artifactResult.getManifestConfig();
+            if (manifestConfig != null) {
+                manifests.add(ApplicationManifest.fromConfig(manifestConfig));
+            }
+        }
+        return new ApplicationManifestsBuildItem(List.copyOf(manifests));
+    }
+}

extensions/cyclonedx/deployment/src/main/java/io/quarkus/cyclonedx/deployment/CdxSbomBuildStep.java

@@ -1,47 +1,49 @@
 package io.quarkus.cyclonedx.deployment;
 
-import java.util.List;
-
 import io.quarkus.cyclonedx.generator.CycloneDxSbomGenerator;
 import io.quarkus.deployment.annotations.BuildProducer;
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.deployment.builditem.AppModelProviderBuildItem;
-import io.quarkus.deployment.pkg.builditem.ArtifactResultBuildItem;
 import io.quarkus.deployment.pkg.builditem.OutputTargetBuildItem;
+import io.quarkus.deployment.sbom.ApplicationManifestsBuildItem;
 import io.quarkus.deployment.sbom.SbomBuildItem;
-import io.quarkus.sbom.ApplicationManifest;
 
 /**
  * Generates SBOMs for packaged applications if the corresponding config is enabled.
  * The API around this is still in development and will likely change in the near future.
  */
 public class CdxSbomBuildStep {
 
+    /**
+     * Generates CycloneDX SBOMs from application manifests.
+     *
+     * @param applicationManifestsBuildItem application manifests
+     * @param outputTargetBuildItem build output
+     * @param appModelProviderBuildItem application model provider
+     * @param cdxSbomConfig CycloneDX SBOM generation configuration
+     * @param sbomProducer SBOM build item producer
+     */
     @BuildStep
-    public void generate(List<ArtifactResultBuildItem> artifactResultBuildItems,
+    public void generate(ApplicationManifestsBuildItem applicationManifestsBuildItem,
             OutputTargetBuildItem outputTargetBuildItem,
             AppModelProviderBuildItem appModelProviderBuildItem,
             CycloneDxConfig cdxSbomConfig,
             BuildProducer<SbomBuildItem> sbomProducer) {
-        if (cdxSbomConfig.skip()) {
+        if (cdxSbomConfig.skip() || applicationManifestsBuildItem.getManifests().isEmpty()) {
             // until there is a proper way to request the desired build items as build outcome
             return;
         }
         var depInfoProvider = appModelProviderBuildItem.getDependencyInfoProvider().get();
-        for (var artifactResult : artifactResultBuildItems) {
-            var manifestConfig = artifactResult.getManifestConfig();
-            if (manifestConfig != null) {
-                var manifest = ApplicationManifest.fromConfig(manifestConfig);
-                for (var sbom : CycloneDxSbomGenerator.newInstance()
-                        .setManifest(manifest)
-                        .setOutputDirectory(outputTargetBuildItem.getOutputDirectory())
-                        .setEffectiveModelResolver(depInfoProvider == null ? null : depInfoProvider.getMavenModelResolver())
-                        .setFormat(cdxSbomConfig.format())
-                        .setSchemaVersion(cdxSbomConfig.schemaVersion().orElse(null))
-                        .setIncludeLicenseText(cdxSbomConfig.includeLicenseText())
-                        .generate()) {
-                    sbomProducer.produce(new SbomBuildItem(sbom));
-                }
+        for (var manifest : applicationManifestsBuildItem.getManifests()) {
+            for (var sbom : CycloneDxSbomGenerator.newInstance()
+                    .setManifest(manifest)
+                    .setOutputDirectory(outputTargetBuildItem.getOutputDirectory())
+                    .setEffectiveModelResolver(depInfoProvider == null ? null : depInfoProvider.getMavenModelResolver())
+                    .setFormat(cdxSbomConfig.format())
+                    .setSchemaVersion(cdxSbomConfig.schemaVersion().orElse(null))
+                    .setIncludeLicenseText(cdxSbomConfig.includeLicenseText())
+                    .generate()) {
+                sbomProducer.produce(new SbomBuildItem(sbom));
             }
         }
     }