From 6eb0011ae06f63f0e681e76859bcebe5c572b6a8 Mon Sep 17 00:00:00 2001
From: Arnout Engelen
Date: Sat, 19 Oct 2024 17:17:29 +0200
Subject: [PATCH] Disable serial number by default

As it's not generated in a reproducible way. The `includeBomSerialNumber` parameter is also found in the Maven plugin.
---
 .../com/github/sbt/sbom/BomExtractor.scala | 2 +-
 .../github/sbt/sbom/BomExtractorParams.scala | 6 +++++-
 .../com/github/sbt/sbom/BomSbtPlugin.scala | 4 ++++
 .../com/github/sbt/sbom/BomSbtSettings.scala | 18 ++++++++++++++++--
 .../scala/com/github/sbt/sbom/BomTask.scala | 7 +++++-
 5 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/src/main/scala/com/github/sbt/sbom/BomExtractor.scala b/src/main/scala/com/github/sbt/sbom/BomExtractor.scala
index 395c791..e8b26ef 100644
--- a/src/main/scala/com/github/sbt/sbom/BomExtractor.scala
+++ b/src/main/scala/com/github/sbt/sbom/BomExtractor.scala
@@ -16,7 +16,7 @@ class BomExtractor(settings: BomExtractorParams, report: UpdateReport, log: Logg
 def bom: Bom = {
 val bom = new Bom
- if (settings.schemaVersion != Version.VERSION_10) {
+ if (settings.includeBomSerialNumber && settings.schemaVersion != Version.VERSION_10) {
 bom.setSerialNumber(serialNumber)
 }
 bom.setComponents(components.asJava)
diff --git a/src/main/scala/com/github/sbt/sbom/BomExtractorParams.scala b/src/main/scala/com/github/sbt/sbom/BomExtractorParams.scala
index 9dab825..93aa22c 100644
--- a/src/main/scala/com/github/sbt/sbom/BomExtractorParams.scala
+++ b/src/main/scala/com/github/sbt/sbom/BomExtractorParams.scala
@@ -3,4 +3,8 @@ package com.github.sbt.sbom
 import org.cyclonedx.Version
 import sbt.Configuration
 
-case class BomExtractorParams(schemaVersion: Version, configuration: Configuration)
+case class BomExtractorParams(
+ schemaVersion: Version,
+ configuration: Configuration,
+ includeBomSerialNumber: Boolean,
+)
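Review bot: On the changed `if`, a user who sets `includeBomSerialNumber := true` together with schema version 1.0 gets no serial number and no indication why, because the new condition folds the opt-in and the `VERSION_10` restriction into one silent skip. Splitting the guard and reporting the refused opt-in through the constructor's `log` parameter, e.g. `else if (settings.includeBomSerialNumber) log.debug("serial number is not supported by CycloneDX 1.0; skipping")`, makes the setting visibly honoured or refused. A comment above the guard should also record what is given up with the new default: the serial number is the `urn:uuid` identity a CycloneDX BOM-Link (`urn:cdx:<serialNumber>/<version>`) points at, so a BOM produced without it cannot be referenced by a VEX or other document that uses BOM-Link. `def bom` continues past the end of the hunk and `serialNumber` is defined outside it, so I cannot tell from here whether a name-based UUID derived from the BOM content would be a cheap way to keep a serial number while staying reproducible.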
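Review bot: The new `includeBomSerialNumber` field of `BomExtractorParams` has no default, so any construction of this case class that this commit does not update (tests, or a build that instantiates it directly) stops compiling; the same applies to `BomTaskProperties` in the BomTask.scala hunk. Declaring it as `includeBomSerialNumber: Boolean = false,` in both classes keeps them source-compatible and matches the plugin-level default set in BomSbtPlugin.scala. If both classes are meant to be internal to the plugin, a one-line comment saying so on each would justify leaving the fields without defaults.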
diff --git a/src/main/scala/com/github/sbt/sbom/BomSbtPlugin.scala b/src/main/scala/com/github/sbt/sbom/BomSbtPlugin.scala
index 23ef8f0..1bc8ed7 100644
--- a/src/main/scala/com/github/sbt/sbom/BomSbtPlugin.scala
+++ b/src/main/scala/com/github/sbt/sbom/BomSbtPlugin.scala
@@ -22,6 +22,9 @@ object BomSbtPlugin extends AutoPlugin {
 lazy val bomSchemaVersion: SettingKey[String] = settingKey[String](
 s"bom schema version; must be one of ${supportedVersionsDescr}; default is ${defaultSupportedVersionDescr}"
 )
+ lazy val includeBomSerialNumber: SettingKey[Boolean] = settingKey[Boolean](
+ "should the resulting BOM contain a serial number? default is false, because the current mechanism for determining the serial number is not reproducible"
+ )
 lazy val makeBom: TaskKey[sbt.File] = taskKey[sbt.File]("Generates bom file")
 lazy val listBom: TaskKey[String] = taskKey[String]("Returns the bom")
 lazy val components: TaskKey[Component] = taskKey[Component]("Returns the bom")
@@ -42,6 +45,7 @@ object BomSbtPlugin extends AutoPlugin {
 Seq(
 bomFileName := bomFileNameSetting.value,
 bomSchemaVersion := defaultSupportedVersion.getVersionString,
+ includeBomSerialNumber := false,
 makeBom := Def.taskDyn(BomSbtSettings.makeBomTask(Classpaths.updateTask.value, Compile)).value,
 listBom := Def.taskDyn(BomSbtSettings.listBomTask(Classpaths.updateTask.value, Compile)).value,
 Test / makeBom := Def.taskDyn(BomSbtSettings.makeBomTask(Classpaths.updateTask.value, Test)).value,
diff --git a/src/main/scala/com/github/sbt/sbom/BomSbtSettings.scala b/src/main/scala/com/github/sbt/sbom/BomSbtSettings.scala
index 899f288..d6fb9ed 100644
--- a/src/main/scala/com/github/sbt/sbom/BomSbtSettings.scala
+++ b/src/main/scala/com/github/sbt/sbom/BomSbtSettings.scala
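Review bot: The description of the new `includeBomSerialNumber` key says why the default is `false` but not what a user gives up by leaving it there or when enabling it has no effect. Without a serial number the BOM has no `urn:uuid` identity, so it cannot be the target of a CycloneDX BOM-Link (`urn:cdx:<serialNumber>/<version>`) from a VEX or similar document, and consumers that key on the serial number presumably treat every build as the same document; separately, BomExtractor.scala never emits a serial number for schema version 1.0 regardless of this key. I would extend the string along the lines of `"... not reproducible. Enable it when consumers need to reference this BOM by BOM-Link; schema version 1.0 never carries a serial number."` so both facts are visible from `inspect includeBomSerialNumber` rather than only from the extractor source.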
@@ -8,14 +8,28 @@ object BomSbtSettings {
 def makeBomTask(report: UpdateReport, currentConfiguration: Configuration): Def.Initialize[Task[sbt.File]] =
 Def.task[File] {
 new MakeBomTask(
- BomTaskProperties(report, currentConfiguration, sLog.value, bomSchemaVersion.value),
+ BomTaskProperties(
+ report,
+ currentConfiguration,
+ sLog.value,
+ bomSchemaVersion.value,
+ includeBomSerialNumber.value
+ ),
 target.value / (currentConfiguration / bomFileName).value
 ).execute
 }
 
 def listBomTask(report: UpdateReport, currentConfiguration: Configuration): Def.Initialize[Task[String]] =
 Def.task[String] {
- new ListBomTask(BomTaskProperties(report, currentConfiguration, sLog.value, bomSchemaVersion.value)).execute
+ new ListBomTask(
+ BomTaskProperties(
+ report,
+ currentConfiguration,
+ sLog.value,
+ bomSchemaVersion.value,
+ includeBomSerialNumber.value
+ )
+ ).execute
 }
 
 def bomConfigurationTask(currentConfiguration: Option[Configuration]): Def.Initialize[Task[Seq[Configuration]]] =
diff --git a/src/main/scala/com/github/sbt/sbom/BomTask.scala b/src/main/scala/com/github/sbt/sbom/BomTask.scala
index 932e2c6..d586662 100644
--- a/src/main/scala/com/github/sbt/sbom/BomTask.scala
+++ b/src/main/scala/com/github/sbt/sbom/BomTask.scala
@@ -15,7 +15,8 @@ case class BomTaskProperties(
 report: UpdateReport,
 currentConfiguration: Configuration,
 log: Logger,
- schemaVersion: String
+ schemaVersion: String,
+ includeBomSerialNumber: Boolean,
 )
 
 abstract class BomTask[T](protected val properties: BomTaskProperties) {
@@ -55,7 +56,7 @@ abstract class BomTask[T](protected val properties: BomTaskProperties) {
 }
 
 private def extractorParams(currentConfiguration: Configuration): BomExtractorParams =
- BomExtractorParams(schemaVersion, currentConfiguration)
+ BomExtractorParams(schemaVersion, currentConfiguration, includeBomSerialNumber)
 
 private def getXmlText(bom: Bom): String = {
 val bomGenerator = BomGeneratorFactory.createXml(schemaVersion, bom)
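Review bot: The five-argument `BomTaskProperties(...)` construction is now spelled out twice in this hunk, once in `makeBomTask` and once in `listBomTask`, so the next setting that reaches the tasks has to be threaded through both again and the two entry points can silently drift. Extracting one `Def.Initialize[Task[BomTaskProperties]]` helper and reading it with `.value` inside both tasks keeps them in step. A smaller observation: `includeBomSerialNumber.value` is read without a configuration axis, consistent with `bomSchemaVersion.value` but unlike `(currentConfiguration / bomFileName).value`, so if the intent is that `Test / includeBomSerialNumber` can differ from the Compile value, that presumably does not work as written and deserves a comment either way.

```scala
// Task inputs shared by every task in this object; add new keys here only.
private def bomTaskProperties(
  report: UpdateReport,
  currentConfiguration: Configuration
): Def.Initialize[Task[BomTaskProperties]] =
  Def.task {
    BomTaskProperties(report, currentConfiguration, sLog.value, bomSchemaVersion.value, includeBomSerialNumber.value)
  }

def makeBomTask(report: UpdateReport, currentConfiguration: Configuration): Def.Initialize[Task[sbt.File]] =
  Def.task[File] {
    new MakeBomTask(
      bomTaskProperties(report, currentConfiguration).value,
      target.value / (currentConfiguration / bomFileName).value
    ).execute
  }

def listBomTask(report: UpdateReport, currentConfiguration: Configuration): Def.Initialize[Task[String]] =
  Def.task[String] {
    new ListBomTask(bomTaskProperties(report, currentConfiguration).value).execute
  }
// … unchanged: bomConfigurationTask …
```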
@@ -84,4 +85,6 @@ abstract class BomTask[T](protected val properties: BomTaskProperties) {
 log.error(message)
 throw new BomError(message)
 }
+
+ protected lazy val includeBomSerialNumber: Boolean = properties.includeBomSerialNumber
 }
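Review bot: `protected lazy val includeBomSerialNumber` only forwards a plain `Boolean` constructor field of `properties`, so the laziness adds an initialization flag and synchronized access without deferring any work; `protected def includeBomSerialNumber: Boolean = properties.includeBomSerialNumber` (or a strict `val`) says the same thing more cheaply. If the neighbouring accessors of `BomTask` are `lazy val`s because they can fail — `schemaVersion` is passed to `BomExtractorParams` as a `Version` while `BomTaskProperties` stores it as a `String`, so it appears to be parsed — a short comment separating the cheap forwarders from the parsing ones would help the next reader. The enclosing class body starts well before this hunk, so I cannot confirm how those siblings are declared.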