Added project for Vaadin core SBOM checks

pom.xml

@@ -35,6 +35,7 @@
             <id>sbom</id>
             <modules>
                 <module>vaadin-platform-sbom</module>
+                <module>vaadin-core-sbom</module>
             </modules>
         </profile>
         <profile>

scripts/generateAndCheckSBOM.js

@@ -11,6 +11,7 @@ const path = require('path');
 const VAADIN_LICENSE = 'https://vaadin.com/commercial-license-and-service-terms';
 const SBOM_URL = 'https://github.com/vaadin/platform/releases/download/%%VERSION%%/Software.Bill.Of.Materials.json'
 const testProject = path.resolve('vaadin-platform-sbom');
+const coreProject = path.resolve('vaadin-core-sbom');
 const licenseWhiteList = [
   'ISC',
   'MIT',
@@ -49,6 +50,8 @@ const licenseWhiteList = [
   'https://opensource.org/licenses/MIT'
 ];
 
+const coreLicensesWhiteList = licenseWhiteList.toSpliced(licenseWhiteList.indexOf(VAADIN_LICENSE),1);
+
 const cveWhiteList = {
   'pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.4' : {
     cves: ['CVE-2023-35116'],
@@ -89,7 +92,7 @@ pre[b] {border: solid 1px darkgrey}
 </style>`;
 
 const cmd = {
-  useBomber: true, useOSV: true, useOWASP: true,
+  useBomber: true, useOSV: true, useOWASP: true, checkCoreLicenses : true,
   hasOssToken: !!(process.env.OSSINDEX_USER && process.env.OSSINDEX_TOKEN)
 };
 for (let i = 2, l = process.argv.length; i < l; i++) {
@@ -102,9 +105,10 @@ for (let i = 2, l = process.argv.length; i < l; i++) {
     case '--version': cmd.version = process.argv[++i]; break;
     case '--compare': cmd.org = process.argv[++i]; break;
     case '--quick': cmd.quick = true; break;
+    case '--skip-check-core-licenses' : cmd.checkCoreLicenses = false; break;
     default:
       console.log(`Usage: ${path.relative('.', process.argv[1])}
-       [--useSnapshots] [--disable-bomber] [--disable-osv-scan] [--disable-owasp] [--enable-full-owasp] [--version x.x.x] [--quick]`);
+       [--useSnapshots] [--disable-bomber] [--disable-osv-scan] [--disable-owasp] [--enable-full-owasp] [--version x.x.x] [--quick] [--skip-check-core-licenses]`);
       process.exit(1);
   }
 }
@@ -387,10 +391,10 @@ function sumarizeOWASP(f, summary) {
   return summary;
 }
 
-function checkLicenses(licenses) {
+function checkLicenses(licenses, whiteList) {
   let ret = "";
   Object.keys(licenses).forEach(lic => {
-    if (licenseWhiteList.indexOf(lic) < 0) {
+    if (whiteList.indexOf(lic) < 0) {
       ret += `  - Invalid license '${lic}' in: ${licenses[lic].join(' and ')}\n`;
     }
   });
@@ -539,6 +543,16 @@ async function main() {
   log(`cd ${testProject}`);
   process.chdir(testProject);
 
+  let coreLicensesResult=undefined;
+  let coreLicenses=undefined;
+
+  if(cmd.checkCoreLicenses){
+    log(`generating Core SBOM`);
+    await run('mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -f ' + coreProject);
+    coreLicenses = sumarizeLicenses(coreProject+'/target/bom.json');
+    coreLicensesResult = checkLicenses(coreLicenses, coreLicensesWhiteList);
+  }
+
   if (!cmd.quick) {
     // Ensure package.json and node_modules are empty
     await run('rm -rf package.json node_modules frontend src');
@@ -590,7 +604,9 @@ async function main() {
     sumarizeOWASP('target/dependency-check-report.json', vulnerabilities);
   }
 
-  const errLic = checkLicenses(licenses);
+
+
+  const errLic = checkLicenses(licenses, licenseWhiteList);
   const errVul = checkVunerabilities(vulnerabilities).err;
   const msgVul = checkVunerabilities(vulnerabilities).msg;
   let md = "";
@@ -617,6 +633,21 @@ async function main() {
     md += `\n### 🔒 No Vulnerabilities\n`;
     html += `\n<h3>🔒 No Vulnerabilities</h3>\n`;
   }
+
+  if (cmd.checkCoreLicenses) {
+    if (coreLicensesResult) {
+      md += `\n### 🚫 Found Core License Issues\n`;
+      html += `\n<h3>>🚫 Found Core License Issues</h3>\n`;
+      errMsg += `- 📔 Found Core License Issues:\n` + coreLicensesResult+`\n`;
+      md += reportLicenses(coreLicenses).md;
+      html += reportLicenses(coreLicenses).html;
+    } else {
+      errMsg += `- 📔 No Core License Issues\n`;
+      md += `\n### 📔 CoreLicenses\n`;
+      html += `\n<h3>📔 Core Licenses</h3>\n`;
+    }
+  }
+
   if (errLic) {
     md += `\n### 🚫 Found License Issues\n`;
     html += `\n<h3>>🚫 Found License Issues</h3>\n`;

vaadin-core-sbom/pom.xml

@@ -0,0 +1,44 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.vaadin</groupId>
+        <artifactId>vaadin-platform-parent</artifactId>
+        <version>24.6-SNAPSHOT</version>
+    </parent>
+    <artifactId>vaadin-core-sbom</artifactId>
+    <packaging>jar</packaging>
+    <properties>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+    </properties>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.vaadin</groupId>
+                <artifactId>vaadin-bom</artifactId>
+                <version>${project.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-spring-boot-starter</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>flow-webpush</artifactId>
+        </dependency>
+    </dependencies>
+</project>