From 260f64354f23889a073b9b66487351a35c0a7295 Mon Sep 17 00:00:00 2001
From: "Mark S. Lewis"
Date: Sat, 29 Jun 2024 08:57:49 +0100
Subject: [PATCH] Remove CycloneDX Java SBOM generation

This was used to generate an SBOM containing transitive dependencies for OSV-Scanner. OSV-Scanner v1.8.1 and later can natively scan transitive dependencies in Maven pom.xml files so the CycloneDX SBOM generation step is no longer required.

Signed-off-by: Mark S. Lewis
---
 Makefile     |  8 +++-----
 java/pom.xml | 27 ---------------------------
 2 files changed, 3 insertions(+), 32 deletions(-)

diff --git a/Makefile b/Makefile
index c8c57fde8..5b83d50fc 100644
--- a/Makefile
+++ b/Makefile
@@ -110,7 +110,7 @@ scan-go-nancy:
 .PHONY: scan-go-osv-scanner
 scan-go-osv-scanner:
 	go install github.com/google/osv-scanner/cmd/osv-scanner@latest
-	osv-scanner --lockfile='$(base_dir)/go.mod' || [ \( $$? -gt 1 \) -a \( $$? -lt 127 \) ]
+	osv-scanner scan --lockfile='$(base_dir)/go.mod' || [ \( $$? -gt 1 \) -a \( $$? -lt 127 \) ]
 
 .PHONY: scan-node
 scan-node: scan-node-npm-audit scan-node-osv-scanner
@@ -127,7 +127,7 @@ scan-node-osv-scanner:
 	cd '$(node_dir)' && \
 	npm install && \
 	npm run sbom && \
-	osv-scanner --sbom=sbom.json
+	osv-scanner scan --sbom=sbom.json
 
 .PHONY: scan-java
 scan-java: scan-java-dependency-check scan-java-osv-scanner
@@ -140,9 +140,7 @@ scan-java-dependency-check:
 .PHONY: scan-java-osv-scanner
 scan-java-osv-scanner:
 	go install github.com/google/osv-scanner/cmd/osv-scanner@latest
-	cd '$(java_dir)' && \
-	mvn --activate-profiles sbom -DskipTests install
-	osv-scanner --sbom='$(java_dir)/target/bom.json'
+	osv-scanner scan --lockfile='$(java_dir)/pom.xml'
 
 .PHONY: generate
 generate:
diff --git a/java/pom.xml b/java/pom.xml
index 64397758a..7b0a0bc47 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -433,33 +433,6 @@ - - sbom - - - - org.cyclonedx - cyclonedx-maven-plugin - 2.7.11 - true - false - true - false - false - - - - package - - makeAggregateBom - - - - - - - release
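Review bot: The new `osv-scanner scan --lockfile='$(java_dir)/pom.xml'` line in scan-java-osv-scanner only finds transitive dependencies on OSV-Scanner 1.8.1 or later, yet the recipe still installs `@latest`, so that floor is recorded nowhere in the Makefile and the scanner binary is unpinned and non-reproducible between runs. Either note it in place, e.g. `# osv-scanner >= 1.8.1 is required to resolve transitive dependencies from pom.xml`, or pin the installed version (`...@v1.8.1`) through a single variable, since the go and node targets install it the same way. The removed `mvn ... install` step resolved the tree through the project's Maven configuration, whereas osv-scanner now resolves pom.xml itself, so if the build depends on a non-default repository or a settings.xml mirror, confirm the scan is seeing the same artifacts. Unlike scan-go-osv-scanner, this target has no exit-status handling, so any non-zero exit fails make; if that is intended a one-line comment saying so would stop the two targets looking accidentally inconsistent.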