Create CycloneDX SBOM by default as a Jenkins Artifact

[andrew-m-leonard]

Jenkins builds currently produce a CycloneDX SBOM printed in the Console output, when a BUILD_ARG of "--create-sbom" is specified.
Extended this to actually produce the json as a Jenkins artifact by default in all builds.

[sophia-guo]

@smlambert I can help this if you have other high priority jobs.

[smlambert]

@sophia-guo - that will be great! I have assigned us both (as I want to stay close on this, because I think there will be several pieces but I know you will be able to progress it faster than I will, thanks for the offer!).

[smlambert]

FYI @sophia-guo that first step is in @zdtsw 's PR adoptium/ci-jenkins-pipelines#296 enables the printing of SBOM to console

@zdtsw - have you also put your name against SBOM work? Here is one way it could be broken down and shared...

1. enable the commandline argument (via ci-jenkins-pipelines/pull/296)
2. make any necessary changes to have it create an actual json file in the event it just prints to console (code here)
3. archive the file to the Jenkins job.
4. can be done in tandem with the other steps is to ensure the contents of the SBOM are more complete (related: Determine exact SBOM for building a single JDK linux library using strace #2813)
5. push the SBOM to the releases repository
6. update the API to be able to serve up the SBOM
7. additional enhancements to SBOM, such as, if latest version of cycloneDX available 1.5 will have a 'platform' type, if so, we should consider switching from using 'application' to 'platform' for Temurin

[zdtsw]

FYI @sophia-guo that first step is in @zdtsw 's PR adoptium/ci-jenkins-pipelines#296 enables the printing of SBOM to console

@zdtsw - have you also put your name against SBOM work? Here is one way it could be broken down and shared...

1. enable the commandline argument (via ci-jenkins-pipelines/pull/296)
2. make any necessary changes to have it create an actual json file in the event it just prints to console (code here)
3. archive the file to the Jenkins job.
4. can be done in tandem with the other steps is to ensure the contents of the SBOM are more complete (related: Determine exact Bill of Materials for building a single JDK linux library using strace #2813)
5. push the SBOM to the releases repository
6. update the API to be able to serve up the SBOM
7. additional enhancements to SBOM, such as, if latest version of cycloneDX available 1.5 will have a 'platform' type, if so, we should consider switching from using 'application' to 'platform' for Temurin

@smlambert I actually changed my mind to move the "enabler" function into ci-jenkins-pipeline PR which has a better switch on/off by different pipeline.
this PR does cover 1) enable CLI with new flag and 2) calling cyclonedb jar but not directly to the jenkins artifact part and steps afterwards

I did not put my name on any SBOM issue, because it is was not clear what #2785 is about, and i did not read detail about #2900, but look like the enabler is part of #2900

[zdtsw]

Another question:

could we de-couple the implementation of cyclonedb-lib into its own git repo?
so we can build different version and update cyclonedx-core-java to newer version (7.1.4 at the moment) without updates in this repo.
also we do not need to build it every time in pipeline esp. when it becomes a default behavior.

[smlambert]

re: #2900 (comment) as per discussion today, we will leave things in the temurin-build repo for now, as its only a handful of classes and compile time is nominal. This can be revisited later as needed.

[zdtsw]

To make this issue easy to be split and assigned

• [:+1: ] enable the commandline argument (via feat: enable SBOM as default behavior #2926)

• [:+1: ] make any necessary changes to have it create an actual json file in the event it just prints to console (code here) : same PR as above, verification work

• [:+1: ] archive the file to the Jenkins job. can be done in tandem with the other steps is to ensure the contents of the SBOM are more complete (related: Determine exact SBOM for building a single JDK linux library using strace #2813)

• [ 👍 ] push the SBOM to the releases repository
  not really need to add function, all filed archived are uploaded to temurin-binaries git repo

• [:hourglass: ] update the API to be able to serve up the SBOM

• [ TODO]: additional enhancements to SBOM, such as, if latest version of cycloneDX available 1.5 will have a 'platform' type, if so, we should consider switching from using 'application' to 'platform' for Temurin

[zdtsw]

changed back to old solution to enable OS except windows and aix for the time being:

• feat: enable --create-sbom to set in ci-jenkins-pipeline instead default #2929 set default back to "false"
• feat: enable --create-sbom (in temurin-build) by passing new flag into BUILD_ARGS ci-jenkins-pipelines#297 set extra buildArgs for OS*jdk

[zdtsw]

assume the new Type is framework, not platform ? if so, it has been updated. @smlambert
11:43:45 "components" : [ 11:43:45 { 11:43:45 "author" : "Vendor: Eclipse", 11:43:45 "group" : "Eclipse Temurin", 11:43:45 "name" : "Temurin", 11:43:45 "version" : "19-beta+24-202205300937", 11:43:45 "type" : "framework" 11:43:45 }, 11:43:45 { 11:43:45 "name" : "JDK", 11:43:45 "description" : "Temurin JDK Component", 11:43:45 "properties" : [ 11:43:45 { 11:43:45 "name" : "scmRef", 11:43:45 "value" : "1102dba08df" 11:43:45 }, 11:43:45 { 11:43:45 "name" : "openjdkSourceCommit", 11:43:45 "value" : "https://github.com/adoptium/jdk/commit/1102dba08df" 11:43:45 }, 11:43:45 { 11:43:45 "name" : "buildRef", 11:43:45 "value" : "https://github.com/adoptium/temurin-build/commit/dd97246" 11:43:45 }, 11:43:45 { 11:43:45 "name" : "builtConfig", ...