COH-31571 Enable GCAS service scanning on Coherence CE Project

dhirupandey · dhirupandey · commit 5dde26ca60d5 · 2025-01-15T02:20:25.000-05:00
[git-p4: depot-paths = "//dev/coherence-ce/main/": change = 113485]
diff --git a/sbom_generation.yaml b/sbom_generation.yaml
@@ -0,0 +1,34 @@
+# Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+#  Licensed under the Universal Permissive License v 1.0 as shown at
+#  https://oss.oracle.com/licenses/upl.
+
+# This OCI DevOps build specification file [1] generates a Software Bill of Materials (SBOM) of the repository.
+# The file is needed to run checks for third-party vulnerabilities and business approval according to Oracle’s GitHub policies.
+# [1] https://docs.oracle.com/en-us/iaas/Content/devops/using/build_specs.htm
+
+version: 0.1
+component: build
+timeoutInSeconds: 1000
+shell: bash
+
+steps:
+  - type: Command
+    name: "Download and configure JDK 17"
+    command: |
+      wget --no-check-certificate -c --header "Cookie: oraclelicense=accept-securebackup-cookie" https://download.oracle.com/java/17/archive/jdk-17.0.10_linux-x64_bin.tar.gz
+      tar xzf jdk-17.0.10_linux-x64_bin.tar.gz -C ${OCI_PRIMARY_SOURCE_DIR}
+
+  - type: Command
+    name: "Run Maven cycloneDX plugin command"
+    command: |
+      export JAVA_HOME=${OCI_PRIMARY_SOURCE_DIR}/jdk-17.0.10
+      export PATH=$JAVA_HOME/bin:$PATH
+      cd prj
+      # For more details, visit https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/master/README.md
+      mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DincludeRuntimeScope=true -DincludeCompileScope=true -DincludeProvidedScope=false -DincludeSystemScope=false -DincludeTestScope=false -DoutputFormat=json -DoutputName=artifactSBOM -DschemaVersion=1.4
+      mv target/artifactSBOM.json ${OCI_PRIMARY_SOURCE_DIR}/artifactSBOM.json
+outputArtifacts:
+  - name: artifactSBOM
+    type: BINARY
+    location: ${OCI_PRIMARY_SOURCE_DIR}/artifactSBOM.json
+
