CDXA XML and JSON support for temurin-build cyclonedx Java client

.github/linters/.gitleaks.toml

@@ -0,0 +1,5 @@
+title = "gitleaks config"
+[allowlist]
+files = [
+    "cyclonedx-lib/dependency_data/dependency_data.properties"
+]

.github/linters/suppressed-java.xml

@@ -28,4 +28,5 @@
     <suppress files="." checks="LineLength" />
     <suppress files="." checks="Header" /> <!-- Disabled as we don't use headers in our project for the test files -->
     <suppress files="." checks="FileTabCharacter" /> <!-- Disabled as it generally doesn't matter if tabs are disabled or not -->
-</suppressions>
+    <suppress files="." checks="ParameterNumber" />
+</suppressions>

.github/workflows/testsbom.yml → .github/workflows/testcyclonedx.yml

@@ -1,5 +1,5 @@
 # ********************************************************************************
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) with this work for additional
 # information regarding copyright ownership.
@@ -12,7 +12,7 @@
 # ********************************************************************************
 
 ---
-name: TestSBOM
+name: TestCycloneDX
 
 on:
   pull_request:
@@ -30,30 +30,49 @@ permissions:
   contents: read
 
 jobs:
-  test_sbom_gen:
-    name: gen_sbom
+  test_cyclonedx_gen:
+    name: gen_cyclonedx
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      # Build with jdk8 to ensure TemurinGenSBOM meets min compatibility
+      # Build with jdk8 to ensure TemurinGen* meets min compatibility
       - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         id: setup-java
         with:
           java-version: 8
           distribution: 'temurin'
 
-      - name: Build TemurinGenSBOM.java
+      - name: Build TemurinGenSBOM.java and TemurinGenCDXA.java
         run: |
           ant -noinput -buildfile cyclonedx-lib/build.xml clean
           ant -noinput -buildfile cyclonedx-lib/build.xml build
 
       - name: Run TemurinGenSBOM Unit test
         run: ant -noinput -buildfile cyclonedx-lib/build.xml run
 
+      - name: Run TemurinGenCDXA Unit test
+        run: ant -noinput -buildfile cyclonedx-lib/build.xml runCDXA
+
+      - name: Validate generated SBOM and CDXA documents using cyclonedx-cli validate
+        run: |
+          curl -L -O https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64
+          chmod +x cyclonedx-linux-x64
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.xml --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.xml --fail-on-errors --input-version v1_6
+
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         name: Collect and Archive TemurinGenSBOM Artifacts
         with:
           name: testSBOM
-          path: cyclonedx-lib/build/testSBOM.json
+          path: cyclonedx-lib/build/testSBOM.*
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        name: Collect and Archive TemurinGenCDXA Artifacts
+        with:
+          name: testCDXA
+          path: cyclonedx-lib/build/testCDXA.*
+

cyclonedx-lib/dependency_data/dependency_data.properties

@@ -21,11 +21,14 @@ commons-codec.jar=commons-codec-${commons-codec.version}.jar
 commons-collections4.version=4.4
 commons-collections4.sha256=1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
 commons-collections4.jar=commons-collections4-${commons-collections4.version}.jar
+commons-lang3.version=3.17.0
+commons-lang3.sha256=6ee731df5c8e5a2976a1ca023b6bb320ea8d3539fbe64c8a1d5cb765127c33b4
+commons-lang3.jar=commons-lang3-${commons-lang3.version}.jar
 commons-io.version=2.16.1
 commons-io.sha256=f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
 commons-io.jar=commons-io-${commons-io.version}.jar
-cyclonedx-core-java.version=9.0.5
-cyclonedx-core-java.sha256=9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa
+cyclonedx-core-java.version=9.1.0
+cyclonedx-core-java.sha256=a911ee5e5ebdabc2b2c08d08f9c92c673c21965ee1b982f40fc166d80f1eb088
 cyclonedx-core-java.jar=cyclonedx-core-java-${cyclonedx-core-java.version}.jar
 github-package-url.version=1.5.0
 github-package-url.sha256=e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247
@@ -45,10 +48,17 @@ jackson-dataformat-xml.jar=jackson-dataformat-xml-${jackson-dataformat-xml.versi
 json-schema-validator.version=1.5.1
 json-schema-validator.sha256=de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7
 json-schema-validator.jar=json-schema-validator-${json-schema-validator.version}.jar
+stax2-api.version=4.2.2
+stax2-api.sha256=a61c48d553efad78bc01fffc4ac528bebbae64cbaec170b2a5e39cf61eb51abe
+stax2-api.jar=stax2-api-${stax2-api.version}.jar
+woodstox-core.version=7.1.0
+woodstox-core.sha256=81266920a1cdc47306a8a2b4726c99ec89b3fbf31c2470e4f5e477d9d857ca9f
+woodstox-core.jar=woodstox-core-${woodstox-core.version}.jar
 
 # Download URLs
 commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/${commons-codec.jar}
 commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/${commons-collections4.jar}
+commons-lang3.url=${maven.central.repo}/org/apache/commons/commons-lang3/${commons-lang3.version}/${commons-lang3.jar}
 commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/${commons-io.jar}
 cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/${cyclonedx-core-java.jar}
 github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/${github-package-url.jar}
@@ -57,4 +67,6 @@ jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/$
 jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/${jackson-databind.jar}
 jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/${jackson-dataformat-xml.jar}
 json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/${json-schema-validator.jar}
+stax2-api.url=${maven.central.repo}/org/codehaus/woodstox/stax2-api/${stax2-api.version}/${stax2-api.jar}
+woodstox-core.url=${maven.central.repo}/com/fasterxml/woodstox/woodstox-core/${woodstox-core.version}/${woodstox-core.jar}
 

cyclonedx-lib/sign_src/TemurinSignSBOM.java

@@ -60,7 +60,7 @@ private TemurinSignSBOM() {
      * @param args Arguments for sbom operation.
      */
     public static void main(final String[] args) {
-        String cmd = null;
+        String cmd = "";
         String privateKeyFile = null;
         String publicKeyFile = null;
         String fileName = null;
@@ -95,6 +95,8 @@ public static void main(final String[] args) {
         } else if (cmd.equals("verifySignature")) {
             success = verifySignature(fileName, publicKeyFile); // set success to the result of verifySignature
             System.out.println("Signature verification result: " + (success ? "Valid" : "Invalid"));
+        } else {
+            System.out.println("Please enter a command.");
         }
 
         // Set success to true only when the operation is completed successfully.