Skip to content

Commit

Permalink
Implement and document SBOM (#1707)
Browse files Browse the repository at this point in the history
  • Loading branch information
vy committed Oct 20, 2023
1 parent 99da49f commit ee9c39b
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 15 deletions.
20 changes: 20 additions & 0 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -524,6 +524,26 @@

<plugins>

<!-- `cyclonedx-maven-plugin` doesn't exclude not installed/deployed modules: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/409
This `generate-sbom` execution override configures such exclusions. -->
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<executions>
<execution>
<id>generate-sbom</id>
<configuration combine.self="append">
<excludeArtifactId>log4j-api-java9</excludeArtifactId>
<excludeArtifactId>log4j-core-its</excludeArtifactId>
<excludeArtifactId>log4j-core-java9</excludeArtifactId>
<excludeArtifactId>log4j-layout-template-json-test</excludeArtifactId>
<excludeArtifactId>log4j-osgi-test</excludeArtifactId>
<excludeArtifactId>log4j-perf-test</excludeArtifactId>
</configuration>
</execution>
</executions>
</plugin>

<!-- Enable BOM flattening -->
<plugin>
<groupId>org.codehaus.mojo</groupId>
Expand Down
20 changes: 12 additions & 8 deletions src/site/markdown/maven-artifacts.md.vm
Original file line number Diff line number Diff line change
Expand Up @@ -123,15 +123,14 @@ To build with [SBT](http://www.scala-sbt.org/), add the dependencies listed belo

#sbt(['log4j-api', 'log4j-core'])

$h2 Bill of Material
$h2 Maven Bill of Materials (BOM)

To keep your Log4j module versions in sync with each other, a
<abbr id="Bill of Material">BOM</abbr>
pom.xml file is provided for your convenience. To use this with
[Maven](https://maven.apache.org/), add the dependency listed below to your
`pom.xml`
file. When you specify the version identifier in this section, you don't have to specify the version in your
`<dependencies/>` section.
To keep your Log4j module versions aligned, a [Maven Bill of Materials (BOM) POM](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms) is provided for your convenience.

To use this with Maven, add the dependency listed below to your `pom.xml` file.
Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
This will *import* all modules bundled with the associated Log4j release to your `dependencyManagement`.
As a result, you don't have to specify versions of the imported modules (`log4j-api`, `log4j-core`, etc.) while adding them using `<dependency>` elements.

`pom.xml`

Expand Down Expand Up @@ -188,6 +187,11 @@ dependencies {
}
```

$h2 CycloneDX Software Bill of Materials (SBOM)

Starting with version `2.22.0`, Log4j distributes [CyclenoDX Software Bill of Materials (SBOM)](https://cyclonedx.org/capabilities/sbom/) along with each deployed artifact.
This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.

$h2 Optional Components

Log4j 2.x contains several optional components that can be included in an application.
Expand Down
15 changes: 8 additions & 7 deletions src/site/site.xml
Original file line number Diff line number Diff line change
Expand Up @@ -46,13 +46,14 @@
<item name="Download" href="/download.html"/>
<item name="Support" href="/support.html"/>
<item name="Maven, Ivy, Gradle Artifacts" href="/maven-artifacts.html" collapse="true">
<item name="Maven" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Maven_build" />
<item name="Ivy" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Ivy_build" />
<item name="Gradle" href="/maven-artifacts.html#Using_Log4j_in_your_Gradle_build" />
<item name="SBT" href="/maven-artifacts.html#Using_Log4j_in_your_SBT_build" />
<item name="Bill of Material" href="/maven-artifacts.html#Bill_of_Material" />
<item name="Optional Components" href="/maven-artifacts.html#Optional_Components" />
<item name="Snapshot builds" href="/maven-artifacts.html#Snapshot_builds" />
<item name="Maven" href="/maven-artifacts.html#using-log4j-in-your-apache-maven-build" />
<item name="Ivy" href="/maven-artifacts.html#using-log4j-in-your-apache-ivy-build" />
<item name="Gradle" href="/maven-artifacts.html#using-log4j-in-your-gradle-build" />
<item name="SBT" href="/maven-artifacts.html#using-log4j-in-your-sbt-build" />
<item name="Maven Bill of Materials (BOM)" href="/maven-artifacts.html#maven-bill-of-materials-bom" />
<item name="CycloneDX Software Bill of Materials (SBOM)" href="/maven-artifacts.html#cyclonedx-software-bill-of-materials-sbom" />
<item name="Optional Components" href="/maven-artifacts.html#optional-components" />
<item name="Snapshot builds" href="/maven-artifacts.html#snapshot-builds" />
</item>
<item name="Release Notes" href="/release-notes.html"/>
<item name="FAQ" href="/faq.html"/>
Expand Down

0 comments on commit ee9c39b

Please sign in to comment.