Improve documentation for CycloneDX integration

Closes gh-41506
2024-10-14 11:37:54 +02:00 · 2024-10-14 11:37:54 +02:00 · 5754be36f1
parent 2e086365fe
commit 5754be36f1
4 changed files with 45 additions and 26 deletions
--- a/buildSrc/src/main/resources/org/springframework/boot/build/antora/antora-asciidoc-attributes.properties
+++ b/buildSrc/src/main/resources/org/springframework/boot/build/antora/antora-asciidoc-attributes.properties
@ -7,6 +7,9 @@ include-kotlin= ROOT:example$kotlin/org/springframework/boot/docs

 url-ant-docs=https://ant.apache.org/manual
 url-buildpacks-docs=https://buildpacks.io/docs
+url-cyclonedx-docs-gradle-plugin=https://github.com/CycloneDX/cyclonedx-gradle-plugin
+url-cyclonedx-docs-maven-plugin=https://github.com/CycloneDX/cyclonedx-maven-plugin
+url-download-liberica-nik=https://bell-sw.com/pages/downloads/native-image-kit/#/nik-22-17
 url-dynatrace-docs=https://docs.dynatrace.com/docs
 url-dynatrace-docs-shortlink={url-dynatrace-docs}/shortlink
 url-github-raw=https://raw.githubusercontent.com/{github-repo}/{github-ref}
@ -25,7 +28,6 @@ url-gradle-javadoc=https://docs.gradle.org/current/javadoc
 url-kotlin-docs-kotlin-plugin={url-kotlin-docs}/using-gradle.html
 url-micrometer-docs-concepts={url-micrometer-docs}/concepts
 url-micrometer-docs-implementations={url-micrometer-docs}/implementations
-url-download-liberica-nik=https://bell-sw.com/pages/downloads/native-image-kit/#/nik-22-17
 url-native-build-tools-docs=https://graalvm.github.io/native-build-tools/{version-native-build-tools}
 url-native-build-tools-docs-gradle-plugin={url-native-build-tools-docs}/gradle-plugin.html
 url-native-build-tools-docs-maven-plugin={url-native-build-tools-docs}/maven-plugin.html
--- a/spring-boot-project/spring-boot-docs/src/docs/antora/modules/how-to/pages/build.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/antora/modules/how-to/pages/build.adoc
@ -87,6 +87,37 @@ Using this format lets the time be parsed into a `Date` and its format, when ser



+[[howto.build.generate-cyclonedx-sbom]]
+== Generate a CycloneDX SBOM
+
+Both Maven and Gradle allow generating a CycloneDX SBOM at project build time.
+
+For Maven users, the `spring-boot-starter-parent` POM includes a pre-configured plugin to generate the SBOM.
+To use it, add the following declaration for the {url-cyclonedx-docs-maven-plugin}[`cyclonedx-maven-plugin`] to your POM:
+
+[source,xml]
+----
+<build>
+    <plugins>
+        <plugin>
+            <groupId>org.cyclonedx</groupId>
+            <artifactId>cyclonedx-maven-plugin</artifactId>
+        </plugin>
+    </plugins>
+</build>
+----
+
+Gradle users can achieve the same result by using the {url-cyclonedx-docs-gradle-plugin}[`cyclonedx-gradle-plugin`] plugin, as shown in the following example:
+
+[source,gradle]
+----
+plugins {
+    id 'org.cyclonedx.bom' version '1.8.2'
+}
+----
+
+
+
 [[howto.build.customize-dependency-versions]]
 == Customize Dependency Versions

--- a/spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/antora/modules/reference/pages/actuator/endpoints.adoc
@ -1256,33 +1256,10 @@ If you reach the `info` endpoint, you should see a response that contains the fo
 The `sbom` endpoint exposes the https://en.wikipedia.org/wiki/Software_supply_chain[Software Bill of Materials].
 CycloneDX SBOMs can be auto-detected, but other formats can be manually configured, too.

-The `spring-boot-starter-parent` Maven parent and the Spring Boot Gradle plugin configure the https://github.com/CycloneDX/cyclonedx-maven-plugin[CycloneDX Maven plugin] and the https://github.com/CycloneDX/cyclonedx-gradle-plugin[CycloneDX Gradle plugin] respectively.
-
-To get a CycloneDX SBOM, you'll need to add this to your Maven build:
-
-[source,xml]
----
-<build>
-    <plugins>
-        <plugin>
-            <groupId>org.cyclonedx</groupId>
-            <artifactId>cyclonedx-maven-plugin</artifactId>
-        </plugin>
-    </plugins>
-</build>
----
-
-For Gradle, you'll need to apply the CycloneDX Gradle plugin:
-
-[source,groovy]
----
-plugins {
-    id 'org.cyclonedx.bom' version '1.8.2'
-}
----
-
 The `sbom` actuator endpoint will then expose an SBOM called "application", which describes the contents of your application.

+TIP: To automatically generate a CycloneDX SBOM at project build time, please see the xref:how-to:build.adoc#howto.build.generate-cyclonedx-sbom[] section.
+


 [[actuator.endpoints.sbom.other-formats]]
--- a/spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/pages/reacting.adoc
+++ b/spring-boot-project/spring-boot-tools/spring-boot-gradle-plugin/src/docs/antora/modules/gradle-plugin/pages/reacting.adoc
@ -92,3 +92,12 @@ When the {url-native-build-tools-docs-gradle-plugin}[GraalVM Native Image plugin
 . Configures the `bootBuildImage` task to use `paketobuildpacks/builder-jammy-tiny:latest` as its builder and to set `BP_NATIVE_IMAGE` to `true` in its environment.


+
+[[reacting-to-other-plugins.cyclonedx]]
+== Reacting to the CycloneDX Plugin
+
+When the {url-cyclonedx-docs-gradle-plugin}[CycloneDX plugin] is applied to a project, the Spring Boot plugin:
+
+. Configures the `cyclonedxBom` task to use the `application` project type and output the SBOM to the `application.cdx` file in JSON format without full license texts.
+. Adds the SBOM under `META-INF/sbom` in the generated jar or war file.
+. Adds the `Sbom-Format` and `Sbom-Location` to the manifest of the jar or war file.