Added project for Vaadin core SBOM checks

scripts/checkCoreLicenses.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+# script requires jq (sudo apt install jq) for processing JSON files
+if ! command -v jq 2>&1 >/dev/null
+then
+    echo "'jq' could not be found. Please install it."
+    exit 1
+fi
+
+cd vaadin-core-sbom
+mvn -ntp -B org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -q -T 1C
+# create file with the licenses that have been found
+# since projects differ the actual license is listed either in components>licenses>license>id or components>licenses>license>id in the JSON file 
+cat target/bom.json | jq '.components[].licenses[].license | select(.id != null) | .id' > target/found_licenses.txt #overwrite older version if exists
+# add the ones listed under the 'name' attribute
+cat target/bom.json | jq '.components[].licenses[].license | select(.name != null) | .name' >> target/found_licenses.txt
+sort -u target/found_licenses.txt > target/found_licenses_sorted.txt
+
+grep -Fvf ../scripts/data/approved-licenses.txt target/found_licenses_sorted.txt > target/unknown_licenses.txt
+
+if [ -s target/unknown_licenses.txt ]; then 
+     echo "Found unknown licenses: "; 
+     cat target/unknown_licenses.txt;
+     exit 1;
+else echo "No unknown licenses found";
+    exit 0; 
+fi

scripts/data/approved-licenses.txt

@@ -0,0 +1,34 @@
+0BSD
+AFL-2.1
+Apache 2.0
+Apache-1.1
+Apache-2.0
+BSD-2-Clause
+BSD-3-Clause
+BSD-4-Clause
+BlueOak-1.0.0
+CC-BY-3.0
+CC-BY-4.0
+CC0-1.0
+CDDL
+CDDL-1.0
+EPL-1.0
+EPL-2.0
+GPL-2.0-with-classpath-exception
+ISC
+LGPL-2.1-only
+LGPL-2.1-or-later
+MIT
+MIT-0
+MPL-1.1
+WTFPL
+Zlib
+http://font.ubuntu.com/ufl/ubuntu-font-licence-1.0.txt
+http://oss.sgi.com/projects/FreeB
+http://www.gnu.org/licenses/lgpl-3.0.html
+http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
+http://www.spdx.org/licenses/BSD-4-Clause
+https://opensource.org/licenses/MIT
+https://www.bouncycastle.org/licence.html
+https://www.gnu.org/software/classpath/license.html
+https://www.highcharts.com/license

vaadin-core-sbom/pom.xml

@@ -0,0 +1,87 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.vaadin</groupId>
+        <artifactId>vaadin-platform-parent</artifactId>
+        <version>24.5.3</version>
+    </parent>
+    <artifactId>vaadin-core-sbom</artifactId>
+    <packaging>jar</packaging>
+    <properties>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+    </properties>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.vaadin</groupId>
+                <artifactId>vaadin-bom</artifactId>
+                <version>${project.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-spring-boot-starter</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>flow-webpush</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>copilot</artifactId>
+        </dependency>
+        <!-- <dependency>
+         <groupId>com.vaadin</groupId>
+        <artifactId>ui-tests</artifactId>
+        <version>1.0.0</version>
+        </dependency> -->
+
+
+    </dependencies>
+    <profiles>
+        <profile>
+            <id>production</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>com.vaadin</groupId>
+                        <artifactId>vaadin-maven-plugin</artifactId>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>prepare-frontend</goal>
+                                    <goal>build-frontend</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.eclipse.jetty</groupId>
+                        <artifactId>jetty-maven-plugin</artifactId>
+                        <version>${jetty.version}</version>
+                    </plugin>
+                </plugins>
+            </build>
+            <dependencies>
+                <dependency>
+                    <groupId>com.vaadin</groupId>
+                    <artifactId>flow-server-production-mode</artifactId>
+                </dependency>
+            </dependencies>
+        </profile>
+    </profiles>
+</project>