Add CycloneDX SBOM generation #122

Merged
merged 1 commit into from Aug 7, 2022

Conversation

stevespringett
Contributor

Added CycloneDX SBOM generation. CycloneDX is an OWASP Bill of Materials standard purpose-built for cybersecurity use cases. It exceeds the minimum requirements necessary to comply with EO 14028.
@garydgregory
Member

garydgregory commented Jul 13, 2022

Hello @stevespringett ,
You'll need to provide some reason why this is needed. If I install this PR in my local repo and update Apache Commons VFS to use commons-parent 54-SNAPSHOT, it generates 32 files like the example below. Now what?

19:01:19.95 [C:\private\git\apache\commons-vfs]dir *-bom.xml /s

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2\target

07/13/2022  06:59 PM            53,779 commons-vfs2-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:01 PM            42,511 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM            42,511 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.xml
07/13/2022  06:59 PM            42,511 commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM            42,511 commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.xml
               5 File(s)        223,823 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-distribution\target

07/13/2022  07:01 PM            56,610 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.xml
               1 File(s)         56,610 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-examples\target

07/13/2022  07:01 PM             8,154 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM            55,904 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.xml
               2 File(s)         64,058 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-jackrabbit1\target

07/13/2022  07:01 PM             9,393 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM             9,393 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM            54,504 commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM             9,393 commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.xml
               4 File(s)         82,683 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-jackrabbit2\target

07/13/2022  07:01 PM             7,182 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM             7,182 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.xml
07/13/2022  07:00 PM            55,218 commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.xml
               3 File(s)         69,582 bytes

 Directory of C:\private\git\apache\commons-vfs\target

07/13/2022  06:58 PM            54,120 commons-vfs2-project-2.10.0-SNAPSHOT-bom.xml
               1 File(s)         54,120 bytes

     Total Files Listed:
              16 File(s)        550,876 bytes
               0 Dir(s)  14,197,334,016 bytes free

19:01:37.59 [C:\private\git\apache\commons-vfs]dir *-bom.json /s
 Volume in drive C is OSDisk
 Volume Serial Number is 8CC8-3D1B

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2\target

07/13/2022  06:59 PM            61,988 commons-vfs2-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:01 PM            49,605 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM            49,605 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.json
07/13/2022  06:59 PM            49,605 commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM            49,605 commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.json
               5 File(s)        260,408 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-distribution\target

07/13/2022  07:01 PM            65,635 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.json
               1 File(s)         65,635 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-examples\target

07/13/2022  07:01 PM             8,970 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM            64,725 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.json
               2 File(s)         73,695 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-jackrabbit1\target

07/13/2022  07:01 PM            10,515 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM            10,515 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM            62,917 commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM            10,515 commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.json
               4 File(s)         94,462 bytes

 Directory of C:\private\git\apache\commons-vfs\commons-vfs2-jackrabbit2\target

07/13/2022  07:01 PM             7,978 commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM             7,978 commons-vfs2-examples-2.10.0-SNAPSHOT-bom.json
07/13/2022  07:00 PM            63,835 commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.json
               3 File(s)         79,791 bytes

 Directory of C:\private\git\apache\commons-vfs\target

07/13/2022  06:58 PM            62,324 commons-vfs2-project-2.10.0-SNAPSHOT-bom.json
               1 File(s)         62,324 bytes

     Total Files Listed:
              16 File(s)        636,315 bytes

@darkma773r

Adding an sbom to our maven artifacts would be quite beneficial. They provide insight into software supply chains and can be used, among other things, to help locate vulnerabilities in downstream applications (see https://cyclonedx.org/use-cases/). We are going to begin using them in my day job as part of our cybersecurity requirements and having commons projects produce these as well would be great.

As far as the example with commons-vfs goes, it seems like something might be wonky with the plugin on that project. For example, the plugin keeps generating and then replacing the generated sbom:

[INFO] CycloneDX: Writing BOM (JSON): /home/matt/projects/commons-vfs/commons-vfs2-distribution/target/commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.json
[INFO] CycloneDX: Validating BOM (JSON): /home/matt/projects/commons-vfs/commons-vfs2-distribution/target/commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.json
[WARNING] artifact org.apache.commons:commons-vfs2-distribution:json:cyclonedx:2.10.0-SNAPSHOT already attached, replace previous instance

If you run it with commons-text, you'll see the commons-text-1.10.0-SNAPSHOT-bom.json and commons-text-1.10.0-SNAPSHOT-bom.xml files produced as expected.

@stevespringett
Contributor Author

I've tested with commons-lang and commons-collections, both of which are single module projects. I just tested with commons-vfs and it appears to work as expected. Commons VFS is a multi-module project. As a result, every module will have a dedicated bom in each module's target directory.

If the commons project uses the Maven release plugin, then you can expect the CycloneDX BOMs to be attached as part of the release process and published to Maven Central.

For example:
https://repo1.maven.org/maven2/io/dropwizard/dropwizard-core/2.1.1/

This is really the ultimate goal: For every commons project to start publishing boms to Central upon release.

As @darkma773r pointed out, SBOMs are used primarily for Cybersecurity use cases - but license and other use cases are possible. Tools exist that allow consumers to analyze SBOMs to identify potential risk.

@garydgregory
Member

This feels like a buggy plugin ATM that duplicates the information already in the POM, so I would wait until we, as Apache, can either keep using just POMs or standardize on one format. Also MD5 and SHA1 are broken so it is ironic that they are included in a file used for security.
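The kind of consumer-side check the two comments above are really arguing about, as an added example that is not code from this PR, from Apache Commons, or from the CycloneDX project. It audits per-module BOM files for the two problems raised in this thread: a file named for one module whose metadata actually describes another (the "already attached, replace previous instance" situation), and components that carry only MD5/SHA-1 and therefore cannot be used to verify a downloaded artifact. It assumes that metadata.component holds the module's own coordinates, as cyclonedx-maven-plugin writes it, and that files follow the <artifactId>-<version>-bom.json convention visible in the listings above. The two BOM documents, the dependency coordinates and the jar bytes are constructed.

```python
"""Audit CycloneDX JSON BOMs produced per module by a Maven build.

Two checks: (1) the BOM file named for a module actually describes that
module, and (2) every component carries a collision-resistant hash, so the
BOM can be used to verify a downloaded artifact rather than merely look it up.
Added example; the BOM documents and jar bytes below are constructed.
"""
import hashlib
import json

# CycloneDX hash algorithm identifiers. MD5 and SHA-1 are still emitted because
# Maven Central publishes them, but they are lookup keys, not integrity evidence.
STRONG_ALGS = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512",
               "BLAKE2b-256", "BLAKE2b-384", "BLAKE2b-512", "BLAKE3"}


def load_bom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def component_hashes(component):
    """Map algorithm -> lowercase hex digest for one component."""
    return {h["alg"]: h["content"].lower() for h in component.get("hashes", [])}


def component_label(component):
    return component.get("purl") or (
        f"{component.get('group')}:{component.get('name')}:{component.get('version')}")


def audit_bom(filename, bom):
    """Return a list of findings for one BOM document; empty means clean."""
    findings = []
    # Assumption: the plugin records the module's own coordinates in
    # metadata.component; the file-name convention comes from the listings.
    meta = bom.get("metadata", {}).get("component", {})
    expected = f"{meta.get('name')}-{meta.get('version')}-bom.json"
    if filename != expected:
        findings.append(f"{filename}: metadata.component describes {expected}, not this module")
    for comp in bom.get("components", []):
        algs = set(component_hashes(comp))
        if not algs & STRONG_ALGS:
            present = ", ".join(sorted(algs)) or "no"
            findings.append(f"{filename}: {component_label(comp)} has {present} hashes only; "
                            "cannot verify without SHA-256 or stronger")
    return findings


def audit_all(boms):
    """boms: mapping of file name -> parsed BOM. Returns every finding."""
    return [f for name, bom in boms.items() for f in audit_bom(name, bom)]


def verify_artifact(component, artifact_bytes):
    """Compare artifact bytes against the strongest hash the component lists.

    Returns 'verified:<alg>' or 'mismatch:<alg>'; 'unverifiable' when the
    component lists only MD5/SHA-1 (or nothing), which must not be trusted.
    """
    hashes = component_hashes(component)
    for alg, fn in (("SHA-512", hashlib.sha512), ("SHA-384", hashlib.sha384),
                    ("SHA-256", hashlib.sha256)):
        if alg in hashes:
            ok = fn(artifact_bytes).hexdigest() == hashes[alg]
            return f"{'verified' if ok else 'mismatch'}:{alg}"
    return "unverifiable"


# ---- constructed sample data (not real artifacts or real BOM output) ---------
JAR_BYTES = b"PK\x03\x04 constructed jar content, not a real artifact"


def _component(group, name, version, algs):
    digest = lambda alg: getattr(hashlib, alg.replace("-", "").lower())(JAR_BYTES).hexdigest()
    return {"type": "library", "group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}?type=jar",
            "hashes": [{"alg": a, "content": digest(a)} for a in algs]}


def _bom(name, components):
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": {"type": "library", "group": "org.apache.commons",
                                       "name": name, "version": "2.10.0-SNAPSHOT"}},
            "components": components}


# A clean per-module BOM: named for commons-vfs2 and describing commons-vfs2.
GOOD_BOM = _bom("commons-vfs2", [
    _component("commons-logging", "commons-logging", "1.2", ["MD5", "SHA-1", "SHA-256"])])
# The "already attached, replace previous instance" situation from the thread: a
# file in distribution/target that actually describes the jackrabbit1 module,
# whose one (made-up) dependency carries legacy hashes only.
MISPLACED_BOM = _bom("commons-vfs2-jackrabbit1", [
    _component("org.example", "legacy-lib", "0.9", ["MD5", "SHA-1"])])

SAMPLE_FILES = {
    "commons-vfs2-2.10.0-SNAPSHOT-bom.json": json.dumps(GOOD_BOM),
    "commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.json": json.dumps(MISPLACED_BOM),
}

if __name__ == "__main__":
    boms = {name: load_bom(text) for name, text in SAMPLE_FILES.items()}
    for finding in audit_all(boms):
        print(finding)
    print(verify_artifact(GOOD_BOM["components"][0], JAR_BYTES))
```

Run against a real target/ tree, the same two functions take the actual file names and the parsed bom.json contents; the point of `verify_artifact` refusing MD5/SHA-1 is that a BOM is only useful as integrity evidence for the algorithms that are still collision resistant, while the legacy digests remain handy for matching a jar to its Central coordinates.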

@stevespringett
Contributor Author

A pom is not a bill of material but does contain a lot of the same information. It's not possible to standardize on poms for bill of material use cases.

@darkma773r

This seems like an important discussion that needs to happen on the dev mailing list. I'm going to send an email with the details there shortly. @stevespringett, if you are not already subscribed to the dev@commons.apache.org mailing list, please do so, at least temporarily. Your input will be needed.

@darkma773r

Scratch that. Discussion has moved here: https://lists.apache.org/thread/l8661o0t1r8498bhy01wdwg1s2kkhogy

@XenoAmess
Contributor

XenoAmess commented Jul 17, 2022

Well, if you ask for my opinion, I would say this needs to be changed at least.

First the pluginManagement part is OK, but don't change the build/plugins part.

At least make a new profile for it, as we don't always want to generate this sbom.
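One way to do what the comment above asks, as an added example rather than the PR's own diff (which is not shown on this page): keep the plugin pinned and configured under pluginManagement, and wire the execution only inside an opt-in profile so a plain build does not generate BOMs. The plugin version, the profile id and the configuration values are assumptions; the output name follows the <artifactId>-<version>-bom.{xml,json} file names in the listings above.

```xml
<!-- Fragment of a parent pom. Version, profile id and settings are assumptions. -->
<project>
  <properties>
    <commons.cyclonedx.version>2.7.1</commons.cyclonedx.version>
  </properties>

  <build>
    <!-- pluginManagement only pins the version and configuration; nothing
         runs unless a module or profile lists the plugin under build/plugins. -->
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>org.cyclonedx</groupId>
          <artifactId>cyclonedx-maven-plugin</artifactId>
          <version>${commons.cyclonedx.version}</version>
          <configuration>
            <projectType>library</projectType>
            <!-- xml, json or all -->
            <outputFormat>all</outputFormat>
            <!-- matches the per-module file names seen in the listings -->
            <outputName>${project.artifactId}-${project.version}-bom</outputName>
            <includeTestScope>false</includeTestScope>
          </configuration>
        </plugin>
      </plugins>
    </pluginManagement>
  </build>

  <profiles>
    <!-- Opt-in: mvn -Psbom package. Can be activated from the release
         profile once publishing BOMs to Central is agreed on the dev list. -->
    <profile>
      <id>sbom</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.cyclonedx</groupId>
            <artifactId>cyclonedx-maven-plugin</artifactId>
            <executions>
              <execution>
                <id>make-bom</id>
                <phase>package</phase>
                <goals>
                  <goal>makeBom</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
```

`makeBom` produces one BOM per module, which is what the listings above show; running `makeAggregateBom` at the root instead gives a single BOM covering every module. In both cases the BOMs are attached artifacts, so a release profile that runs the goal would publish them alongside the jars, as described for dropwizard-core above. Which goal the merged commit actually wires is not visible on this page.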

@garydgregory garydgregory changed the title Added SBOM generation Add CycloneDX SBOM generation Aug 7, 2022
@garydgregory garydgregory merged commit a60b06a into apache:master Aug 7, 2022
asfgit pushed a commit that referenced this pull request Aug 7, 2022