Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>
adoptium · Nov 5, 2024 · 0738565 · 0738565
1 parent 4fcabfa
commit 0738565
Show file tree

Hide file tree

Showing 22 changed files with 66 additions and 51 deletions.
diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml
@@ -23,19 +23,19 @@
         <!-- All other dependency versions are listed in the relevant ./dependency_data/versions files -->
         <property name="openkeystore-version" value="1.0.0"/>
 
-        <!-- When retrieving sbom dependency jars with default settings, we will look here. -->
-        <property name="sbom_dependency_default_location" value="https://ci.adoptium.net/view/all/job/build.getDependency/lastSuccessfulBuild/artifact/sbom_dependencies"/>
+        <!-- Retrieve sbom dependency jars, versions, sh256 and download urls -->
+        <property file="dependency_data/dependency_data.properties"/>
 
         <!-- classpath for running application -->
-        <property name="classpath" value="build/jar/temurin-gen-sbom.jar:build/jar/cyclonedx-core-java.jar:build/jar/jackson-core.jar:build/jar/jackson-dataformat-xml.jar:build/jar/jackson-databind.jar:build/jar/jackson-annotations.jar:build/jar/json-schema.jar:build/jar/commons-codec.jar:build/jar/commons-io.jar:build/jar/github-package-url.jar:build/jar/webpki.org-libext-1.00.jar:build/jar/temurin-sign-sbom.jar:build/jar/commons-collections4.jar"/>
+        <property name="classpath" value="build/jar/temurin-gen-sbom.jar:build/jar/cyclonedx-core-java.jar:build/jar/jackson-core.jar:build/jar/jackson-dataformat-xml.jar:build/jar/jackson-databind.jar:build/jar/jackson-annotations.jar:build/jar/json-schema-validator.jar:build/jar/commons-codec.jar:build/jar/commons-io.jar:build/jar/github-package-url.jar:build/jar/webpki.org-libext-1.00.jar:build/jar/temurin-sign-sbom.jar:build/jar/commons-collections4.jar"/>
 
         <target name="dep-checks">
                 <available file="build/jar/cyclonedx-core-java.jar" property="cyclonedx_available"/>
                 <available file="build/jar/jackson-core.jar" property="jackson-core_available"/>
                 <available file="build/jar/jackson-dataformat-xml.jar" property="jackson-dataformat_available"/>
                 <available file="build/jar/jackson-databind.jar" property="jackson-databind_available"/>
                 <available file="build/jar/jackson-annotations.jar" property="jackson-annotations_available"/>
-                <available file="build/jar/json-schema.jar" property="json-schema_available"/>
+                <available file="build/jar/json-schema-validator.jar" property="json-schema-validator_available"/>
                 <available file="build/jar/commons-codec.jar" property="commons-codec_available"/>
                 <available file="build/jar/commons-io.jar" property="commons-io_available"/>
                 <available file="build/jar/commons-collections4.jar" property="commons-collections4_available"/>
@@ -45,12 +45,12 @@
 
         <target name="download-cyclonedx" unless="cyclonedx_available">
                 <echo message="Downloading cyclonedx-core-java"/>
-                <download-file-with-default-options destfile="cyclonedx-core-java.jar"/>
+                <download-component component="cyclonedx-core-java"/>
 	    </target>
 
         <target name="download-jackson-core" unless="jackson-core_available">
                 <echo message="Downloading jackson-core"/>
-                <download-file-with-default-options destfile="jackson-core.jar"/>
+                <download-component component="jackson-core"/>
         </target>
 
         <target name="clone-and-build-openkeystore" unless="openkeystore_available">
@@ -66,7 +66,7 @@
                 </move>
         </target>
 
-        <target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile-sign-sbom, jar-sign-sbom">
+        <target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile-sign-sbom, jar-sign-sbom">
                 <echo message="Building cyclonedx-lib TemurinSignSBOM"/>
         </target>
 
@@ -87,45 +87,45 @@
 
         <target name="download-jackson-dataformat-xml" unless="jackson-dataformat_available">
                 <echo message="Downloading jackson-dataformat-xml"/>
-                <download-file-with-default-options destfile="jackson-dataformat-xml.jar"/>
+                <download-component component="jackson-dataformat-xml"/>
         </target>
 
         <target name="download-jackson-databind" unless="jackson-databind_available">
                 <echo message="Downloading jackson-databind"/>
-                <download-file-with-default-options destfile="jackson-databind.jar"/>
+                <download-component component="jackson-databind"/>
         </target>
 
         <target name="download-jackson-annotations" unless="jackson-annotations_available">
                 <echo message="Downloading jackson-annotations"/>
-                <download-file-with-default-options destfile="jackson-annotations.jar"/>
+                <download-component component="jackson-annotations"/>
         </target>
 
-        <target name="download-json-schema" unless="json-schema_available">
-                <echo message="Downloading json-schema"/>
-                <download-file-with-default-options destfile="json-schema.jar"/>
+        <target name="download-json-schema-validator" unless="json-schema-validator_available">
+                <echo message="Downloading json-schema-validator"/>
+                <download-component component="json-schema-validator"/>
         </target>
 
         <target name="download-commons-codec" unless="commons-codec_available">
                 <echo message="Downloading commons-codec"/>
-                <download-file-with-default-options destfile="commons-codec.jar"/>
+                <download-component component="commons-codec"/>
         </target>
 
         <target name="download-commons-io" unless="commons-io_available">
                 <echo message="Downloading commons-io"/>
-                <download-file-with-default-options destfile="commons-io.jar"/>
+                <download-component component="commons-io"/>
         </target>
 
         <target name="download-commons-collections4" unless="commons-collections4_available">
                 <echo message="Downloading commons-collections4"/>
-                <download-file-with-default-options destfile="commons-collections4.jar"/>
+                <download-component component="commons-collections4"/>
         </target>
 
         <target name="download-github-package-url" unless="github-package-url_available">
                 <echo message="Downloading github-package-url"/>
-                <download-file-with-default-options destfile="github-package-url.jar"/>
+                <download-component component="github-package-url"/>
         </target>
 
-	      <target name="build" depends="dep-checks, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile, jar">
+	      <target name="build" depends="dep-checks, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile, jar">
                 <echo message="Building cyclonedx-lib"/>
         </target>
 
@@ -485,21 +485,15 @@
 
         </target>
 
-	<macrodef name="download-file-with-default-options" description="Use curl to download a file and retrieve its checksum from default locations.">
-		<attribute name="destfile" description="File name of the downloaded file"/>
+	<macrodef name="download-component" description="Use curl to download the given component and verify its checksum.">
+		<attribute name="component" description="Dependency component to download"/>
 		<sequential>
-			<echo message="Executing macro download-file-with-default-options"/>
-			<echo message="Fetching checksum prior to downloading file."/>
-			<loadfile property="checksum-for-@{destfile}" srcFile="dependency_data/shas/@{destfile}.sha256">
-                            <filterchain>
-                                <striplinebreaks/>
-                            </filterchain>
-                        </loadfile>
-			<echo message="Checksum found: ${checksum-for-@{destfile}}"/>
+			<echo message="Executing macro download-component for: @{component}"/>
+			<echo message="Expected checksum: ${@{component}.sha256}"/>
 			<download-file
-				checksum="${checksum-for-@{destfile}}"
-				destfile="@{destfile}"
-				srcurl="${sbom_dependency_default_location}/@{destfile}"/>
+				checksum="${@{component}.sha256}"
+				destfile="@{component}.jar"
+				srcurl="${@{component}.url}"/>
 		</sequential>
 	</macrodef>
 

diff --git a/cyclonedx-lib/dependency_data/dependency_data.properties b/cyclonedx-lib/dependency_data/dependency_data.properties
@@ -0,0 +1,41 @@
+#
+#
+#
+
+# Repositories
+maven.central.repo=https://repo1.maven.org/maven2
+
+# Component versions and SHAs
+commons-codec.version=1.17.1
+commons-codec.sha256=f9f6cb103f2ddc3c99a9d80ada2ae7bf0685111fd6bffccb72033d1da4e6ff23
+commons-collections4.version=4.4
+commons-collections4.sha256=1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
+commons-io.version=2.16.1
+commons-io.sha256=f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
+cyclonedx-core-java.version=9.0.5
+cyclonedx-core-java.sha256=9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa
+github-package-url.version=1.5.0
+github-package-url.sha256=e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247
+jackson-annotations.version=2.17.2
+jackson-annotations.sha256=873a606e23507969f9bbbea939d5e19274a88775ea5a169ba7e2d795aa5156e1
+jackson-core.version=2.17.2
+jackson-core.sha256=721a189241dab0525d9e858e5cb604d3ecc0ede081e2de77d6f34fa5779a5b46
+jackson-databind.version=2.17.2
+jackson-databind.sha256=c04993f33c0f845342653784f14f38373d005280e6359db5f808701cfae73c0c
+jackson-dataformat-xml.version=2.17.2
+jackson-dataformat-xml.sha256=517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f
+json-schema-validator.version=1.5.1
+json-schema-validator.sha256=de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7
+
+# Download URLs
+commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/commons-codec-${commons-codec.version}.jar
+commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/commons-collections4-${commons-collections4.version}.jar
+commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/commons-io-${commons-io.version}.jar
+cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/cyclonedx-core-java-${cyclonedx-core-java.version}.jar
+github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/packageurl-java-${github-package-url.version}.jar
+jackson-annotations.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-annotations/${jackson-annotations.version}/jackson-annotations-${jackson-annotations.version}.jar
+jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/${jackson-core.version}/jackson-core-${jackson-core.version}.jar
+jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/jackson-databind-${jackson-databind.version}.jar
+jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/jackson-dataformat-xml-${jackson-dataformat-xml.version}.jar
+json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/json-schema-validator-${json-schema-validator.version}.jar
+
diff --git a/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-codec.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/commons-collections4.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-collections4.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256 b/cyclonedx-lib/dependency_data/shas/commons-io.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256 b/cyclonedx-lib/dependency_data/shas/cyclonedx-core-java.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256 b/cyclonedx-lib/dependency_data/shas/github-package-url.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-annotations.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-core.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-databind.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256 b/cyclonedx-lib/dependency_data/shas/jackson-dataformat-xml.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256 b/cyclonedx-lib/dependency_data/shas/json-schema.jar.sha256
diff --git a/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version b/cyclonedx-lib/dependency_data/versions/commons-codec.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/commons-collections4.jar.version b/cyclonedx-lib/dependency_data/versions/commons-collections4.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/commons-io.jar.version b/cyclonedx-lib/dependency_data/versions/commons-io.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version b/cyclonedx-lib/dependency_data/versions/cyclonedx-core-java.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version b/cyclonedx-lib/dependency_data/versions/github-package-url.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-annotations.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-core.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-databind.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version b/cyclonedx-lib/dependency_data/versions/jackson-dataformat-xml.jar.version
diff --git a/cyclonedx-lib/dependency_data/versions/json-schema.jar.version b/cyclonedx-lib/dependency_data/versions/json-schema.jar.version