From ca088f81b9c6c3bdb79a72cf1b99fc8fe030613e Mon Sep 17 00:00:00 2001
From: Tomasz Janiszewski
Date: Wed, 28 Sep 2022 18:11:56 +0200
Subject: [PATCH] Add SBOM to release page
---
 .github/workflows/main.yml | 24 +++++++++++++++++++++++-
 stackrox-container-image-scanner/pom.xml | 6 ++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index aa7771f8..82ef488a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,7 +20,7 @@ jobs:
 java-version: '8'
 cache: 'maven'
 - name: Build with Maven
- run: stackrox-container-image-scanner/mvnw package hpi:hpi --file stackrox-container-image-scanner/pom.xml
+ run: cd stackrox-container-image-scanner && ./mvnw -B package hpi:hpi cyclonedx:makeAggregateBom
 - uses: release-drafter/release-drafter@v5
 id: release_drafter
 env:
@@ -36,4 +36,26 @@ jobs:
 asset_path: stackrox-container-image-scanner/target/stackrox-container-image-scanner.hpi
 asset_name: stackrox-container-image-scanner.hpi
 asset_content_type: application/octet-stream
+ - name: Upload SBOM XML Asset Linux
+ id: upload-release-asset-linux
+ uses: gfreezy/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ release_id: ${{ steps.release_drafter.outputs.id }}
+ upload_url: ${{ steps.release_drafter.outputs.upload_url }}
+ asset_path: stackrox-container-image-scanner/target/sbom.xml
+ asset_name: sbom.xml
+ asset_content_type: text/xml
+ - name: Upload SBOM JSON Asset Linux
+ id: upload-release-asset-linux
+ uses: gfreezy/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ release_id: ${{ steps.release_drafter.outputs.id }}
+ upload_url: ${{ steps.release_drafter.outputs.upload_url }}
+ asset_path: stackrox-container-image-scanner/target/sbom.json
+ asset_name: sbom.json
+ asset_content_type: application/json
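Review bot: The two added upload steps both declare `id: upload-release-asset-linux`, and GitHub Actions rejects a step id reused within the same job when it validates the workflow, so the release job would not start at all; give them distinct ids such as `id: upload-sbom-xml` and `id: upload-sbom-json`, or drop the ids if nothing outside the hunk reads their outputs. The paths `target/sbom.xml` and `target/sbom.json` also have to match what cyclonedx-maven-plugin actually writes; the pom.xml hunk in this commit shows no `outputName` setting and the plugin's default output name is `bom`, so confirm the generated filenames before relying on these asset paths. Both steps hand `secrets.GITHUB_TOKEN` to the third-party action `gfreezy/upload-release-asset@v1.0.2`, which is pinned to a movable tag; pinning to the full commit SHA (with the tag kept in a trailing comment) bounds what a retagged or compromised action can do with the release token. The enclosing job starts before this hunk.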
diff --git a/stackrox-container-image-scanner/pom.xml b/stackrox-container-image-scanner/pom.xml index 66eed6d8..612a661d 100644 --- a/stackrox-container-image-scanner/pom.xml +++ b/stackrox-container-image-scanner/pom.xml @@ -335,6 +335,12 @@ 8 + + + org.cyclonedx + cyclonedx-maven-plugin + 2.7.1 +
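Review bot: The plugin entry carries only coordinates and version `2.7.1` with no `<executions>` binding, so the SBOM is produced only when `cyclonedx:makeAggregateBom` is named on the command line as the workflow hunk does; binding the goal to the `package` phase would make a plain `mvn package` produce the same artifact locally and keep CI and developer builds consistent. The XML tags of this hunk were stripped in rendering, so whether a `<configuration>` block (for example one setting `outputName` to match the `sbom.*` asset paths in the workflow) is present cannot be confirmed from what is visible. The element enclosing this plugin declaration starts and ends outside the hunk.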