From 8ca649c165e039cac6669c08bccd9f83734f0d3d Mon Sep 17 00:00:00 2001 From: Matthias Sohn Date: Thu, 5 Oct 2023 16:25:45 +0200 Subject: [PATCH] Generate SBOMs using cyclonedx maven plugin and specify JGit's license using its SPDX identifier. See https://gitlab.eclipse.org/eclipsefdn/emo-team/sbom/-/blob/main/docs/sbom.adoc#sbom-maven Change-Id: I8f022002c84200ea430325916fa38c3764979c02 --- org.eclipse.jgit.packaging/pom.xml | 37 +++++++++++++++++ pom.xml | 66 ++++++++++++++---------------- 2 files changed, 68 insertions(+), 35 deletions(-) diff --git a/org.eclipse.jgit.packaging/pom.xml b/org.eclipse.jgit.packaging/pom.xml index 696dc5e90b..ba73e9204f 100644 --- a/org.eclipse.jgit.packaging/pom.xml +++ b/org.eclipse.jgit.packaging/pom.xml @@ -21,6 +21,13 @@ JGit Tycho Parent + + + BSD-3-Clause + https://www.eclipse.org/org/documents/edl-v10.php + + + 11 4.0.2 @@ -198,6 +205,36 @@ p2 + + org.cyclonedx + cyclonedx-maven-plugin + 2.7.9 + + library + 1.4 + false + true + true + true + true + false + false + true + json + cyclonedx + ${project.build.directory} + ${project.build.outputTimestamp} + false + + + + package + + makeAggregateBom + + + + diff --git a/pom.xml b/pom.xml index 3813a5cd5f..d969e33c89 100644 --- a/pom.xml +++ b/pom.xml 
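Review bot: The `licenses` entry added in the first hunk of org.eclipse.jgit.packaging/pom.xml pairs the name `BSD-3-Clause` with the Eclipse Distribution License URL, and nothing in the file says why the name and the URL refer to differently titled licences. A short XML comment above the entry, for example `<!-- EDL 1.0 is identified by the SPDX id BSD-3-Clause; keep the SPDX id as the name -->`, would stop a later cleanup from restoring the long-form name. The SBOM generator presumably reads this name, so such a cleanup could degrade licence detection in the generated BOM. The same comment applies to the root pom.xml hunk at -101, where the full licence text that made the relationship obvious is removed.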
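Review bot: The configuration values in the cyclonedx-maven-plugin block added at -198 differ from those added to the root pom.xml (hunk at -600) in two places, and neither file explains why. The third value is `false` here and `true` there, and this block carries an extra `${project.build.outputTimestamp}` value. The element names are not visible on this page, so which options these are is an inference; if they are the BOM serial number and a reproducible-build timestamp, the root build would emit a BOM that changes on every run while the packaging build would not. Either align the two blocks or add a one-line comment to each stating the intended difference, so anyone diffing or verifying the published SBOMs knows which one is expected to be byte-stable.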
@@ -101,41 +101,8 @@ - Eclipse Distribution License (New BSD License) - - All rights reserved. - - Redistribution and use in source and binary forms, with or - without modification, are permitted provided that the following - conditions are met: - - - Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. - - - Redistributions in binary form must reproduce the above - copyright notice, this list of conditions and the following - disclaimer in the documentation and/or other materials provided - with the distribution. - - - Neither the name of the Eclipse Foundation, Inc. nor the - names of its contributors may be used to endorse or promote - products derived from this software without specific prior - written permission. - - THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND - CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR - CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER - CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - + BSD-3-Clause + https://www.eclipse.org/org/documents/edl-v10.php @@ -600,6 +567,35 @@ + + org.cyclonedx + cyclonedx-maven-plugin + 2.7.9 + + library + 1.4 + true + true + true + true + true + false + false + true + json + cyclonedx + ${project.build.directory} + false + + + + package + + makeAggregateBom + + + + -- 2.39.5
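Review bot: The plugin version is written as the literal `2.7.9` in the block added at -600 and again in org.eclipse.jgit.packaging/pom.xml, so an upgrade that touches only one file would leave the two builds generating SBOMs with different plugin versions. If this pom already keeps plugin versions in properties (not visible in the hunk), define one here, e.g. `<cyclonedx-maven-plugin-version>2.7.9</cyclonedx-maven-plugin-version>`, and reference it as `${cyclonedx-maven-plugin-version}`. If the packaging pom does not inherit from the root, it would need its own copy of the property with a comment pointing back at this one.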