Merge branch 'master' into patch-2

.github/linters/.gitleaks.toml

@@ -0,0 +1,5 @@
+title = "gitleaks config"
+[allowlist]
+files = [
+    "cyclonedx-lib/dependency_data/dependency_data.properties"
+]

.github/linters/suppressed-java.xml

@@ -28,4 +28,5 @@
     <suppress files="." checks="LineLength" />
     <suppress files="." checks="Header" /> <!-- Disabled as we don't use headers in our project for the test files -->
     <suppress files="." checks="FileTabCharacter" /> <!-- Disabled as it generally doesn't matter if tabs are disabled or not -->
-</suppressions>
+    <suppress files="." checks="ParameterNumber" />
+</suppressions>

.github/workflows/build.yml

@@ -35,10 +35,6 @@ jobs:
   build_linux:
     name: Linux
     runs-on: ubuntu-latest
-    env:
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: 'true'
-    container:
-      image: ${{ matrix.image }}
     strategy:
       fail-fast: false
       matrix:
@@ -80,24 +76,23 @@ jobs:
             variant: bisheng
             image: adoptopenjdk/centos7_build_image
     steps:
-    # pinned at v3 to as Node.js 20.x is not supported on Centos 7
-    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: actions/checkout@v4
 
-    - name: Build Linux
-      run: ./build-farm/make-adopt-build-farm.sh
-      env:
-        JAVA_TO_BUILD: ${{ matrix.version }}
-        ARCHITECTURE: x64
-        VARIANT: ${{ matrix.variant }}
-        TARGET_OS: ${{ matrix.os }}
-        FILENAME: OpenJDK.tar.gz
-        # Don't set the OS as we use both linux and alpine-linux
-        PLATFORM_CONFIG_LOCATION: adoptium/temurin-build/master/build-farm/platform-specific-configurations
-        BUILD_ARGS: --create-sbom
-        CONFIGURE_ARGS: --with-native-debug-symbols=none
-
-    # pinned at v3 to as Node.js 20.x is not supported on Centos 7
-    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+    - name: Build Linux within container image "${{ matrix.image }}"
+      run: |
+          docker run --rm -w /home/jenkins -v "$PWD":"/home/jenkins" \
+                      -e "JAVA_TO_BUILD=${{ matrix.version }}" \
+                      -e "ARCHITECTURE=x64" \
+                      -e "VARIANT=${{ matrix.variant }}" \
+                      -e "TARGET_OS=${{ matrix.os }}" \
+                      -e "FILENAME=OpenJDK.tar.gz" \
+                      -e "PLATFORM_CONFIG_LOCATION=adoptium/temurin-build/master/build-farm/platform-specific-configurations" \
+                      -e "BUILD_ARGS=--create-sbom" \
+                      -e "CONFIGURE_ARGS=--with-native-debug-symbols=none" \
+                      "${{ matrix.image }}" \
+                      ./build-farm/make-adopt-build-farm.sh
+
+    - uses: actions/upload-artifact@v4
       name: Collect and Archive Artifacts
       with:
         name: ${{matrix.version}}-${{matrix.os}}-${{matrix.variant}}
@@ -110,17 +105,33 @@ jobs:
     - name: Set root of jdk image dir
       run: |
         imageroot=$(find "${HOME}/JDK" -name release -type f)
-        echo "TEST_JDK_HOME=$(dirname "${imageroot}")" >> "$GITHUB_ENV"
-    - name: Smoke test
-      uses: adoptium/run-aqa@6bacb4e732ad546eda1b09665b9067cdc87651f4 # v2
+        # TEST_JDK_HOME needs to be mapped to the docker container /home/jenkins mapping
+        echo "TEST_JDK_HOME=$(dirname "${imageroot}")" | sed "s,${HOME},/home/jenkins," >> "$GITHUB_ENV"
+
+    - name: Checkout aqa-tests repo
+      uses: actions/checkout@v4
       with:
-        build_list: 'functional/buildAndPackage'
-        target: '_extended.functional'
-        vendor_testRepos: "${{ github.event.pull_request.head.repo.html_url }}.git"
-        vendor_testBranches: "${{ github.head_ref }}"
-        vendor_testDirs: "/test/functional"
-    # pinned at v3 to as Node.js 20.x is not supported on Centos 7
-    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        repository: adoptium/aqa-tests
+        path: aqa-tests
+    - name: Run Smoke test within container image "${{ matrix.image }}"
+      env:
+        VENDOR_REPOS: ${{ github.event.pull_request.head.repo.html_url }}.git
+        VENDOR_BRANCH: ${{ github.head_ref }}
+      run: |
+        WORK_DIR="${PWD//${HOME}//home/jenkins}"
+        docker run --rm -w /home/jenkins -v "$HOME":"/home/jenkins" \
+            -e "TEST_JDK_HOME=${TEST_JDK_HOME}" \
+            -e "BUILD_LIST=functional/buildAndPackage" \
+            "${{ matrix.image }}" \
+            sh -c "cd ${WORK_DIR}/aqa-tests && \
+             ./get.sh --vendor_repos ${VENDOR_REPOS} \
+                      --vendor_branches ${VENDOR_BRANCH} \
+                      --vendor_dirs /test/functional && \
+             cd TKG && \
+             make compile && \
+             make _extended.functional"
+        
+    - uses: actions/upload-artifact@v4
       name: Collect and Archive SmokeTest Results
       if: failure()
       with:

.github/workflows/ca-cert-updater.yml

@@ -35,7 +35,7 @@ jobs:
         working-directory: ./security
         run: "./mk-ca-bundle.pl"
 
-      - uses: gr2m/create-or-update-pull-request-action@488876a65a2ca38b7eb05e9086166337087f5323 # v1.10.0
+      - uses: gr2m/create-or-update-pull-request-action@b65137ca591da0b9f43bad7b24df13050ea45d1b # v1.10.1
         env:
           GITHUB_TOKEN: ${{ secrets.ADOPTIUM_TEMURIN_BOT_TOKEN }}
         with:

.github/workflows/codeql.yml

@@ -58,7 +58,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -68,7 +68,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -81,6 +81,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/ossf-scorecard.yml

@@ -46,6 +46,6 @@ jobs:
         name: SARIF file
         path: results.sarif
         retention-days: 5
-    - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v2.13.4
+    - uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v2.13.4
       with:
         sarif_file: results.sarif

.github/workflows/testsbom.yml → .github/workflows/testcyclonedx.yml

@@ -1,5 +1,5 @@
 # ********************************************************************************
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) with this work for additional
 # information regarding copyright ownership.
@@ -12,7 +12,7 @@
 # ********************************************************************************
 
 ---
-name: TestSBOM
+name: TestCycloneDX
 
 on:
   pull_request:
@@ -30,30 +30,49 @@ permissions:
   contents: read
 
 jobs:
-  test_sbom_gen:
-    name: gen_sbom
+  test_cyclonedx_gen:
+    name: gen_cyclonedx
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      # Build with jdk8 to ensure TemurinGenSBOM meets min compatibility
+      # Build with jdk8 to ensure TemurinGen* meets min compatibility
       - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         id: setup-java
         with:
           java-version: 8
           distribution: 'temurin'
 
-      - name: Build TemurinGenSBOM.java
+      - name: Build TemurinGenSBOM.java and TemurinGenCDXA.java
         run: |
           ant -noinput -buildfile cyclonedx-lib/build.xml clean
           ant -noinput -buildfile cyclonedx-lib/build.xml build
 
       - name: Run TemurinGenSBOM Unit test
         run: ant -noinput -buildfile cyclonedx-lib/build.xml run
 
+      - name: Run TemurinGenCDXA Unit test
+        run: ant -noinput -buildfile cyclonedx-lib/build.xml runCDXA
+
+      - name: Validate generated SBOM and CDXA documents using cyclonedx-cli validate
+        run: |
+          curl -L -O https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64
+          chmod +x cyclonedx-linux-x64
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.xml --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.xml --fail-on-errors --input-version v1_6
+
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         name: Collect and Archive TemurinGenSBOM Artifacts
         with:
           name: testSBOM
-          path: cyclonedx-lib/build/testSBOM.json
+          path: cyclonedx-lib/build/testSBOM.*
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        name: Collect and Archive TemurinGenCDXA Artifacts
+        with:
+          name: testCDXA
+          path: cyclonedx-lib/build/testCDXA.*
+

.licenserc.yaml

@@ -46,6 +46,7 @@ header:
     - 'security/certdata.txt'
     - 'sbin/*.template'
     - '.github/linters/*'
+    - '.github/workflows/dependabot-auto-merge.yml'
     - 'cyclonedx-lib/getDependencies'
     - 'cyclonedx-lib/dependency_data/**'
     - 'makejdk-any-platform.1'

README.md

@@ -185,6 +185,13 @@ the one you are trying to build.
 -k, --keep
 if using docker, keep the container after the build.
 
+--local-dependency-cache-dir <Local dependency cache directory>
+specify the location of a local cache of required build dependency jars. If not specified
+the following default locations are searched
+Windows: c:/dependency_cache
+MacOS: ${HOME}/dependency_cache
+Unix: /usr/local/dependency_cache
+
 --make-exploded-image
 creates an exploded image (useful for codesigning jmods). Use --assemble-exploded-image once you have signed the jmods to complete the packaging steps.
 

RELEASING.md

@@ -149,7 +149,7 @@ flowchart TD
 
 </details>
 
-Disable nightly testing so the release builds aren't delayed by any nightly test runs (set `enableTests : false` in [defaults.json](https://github.com/adoptium/ci-jenkins-pipelines/blob/master/pipelines/defaults.json)). Ensure the build pipeline generator job runs successfully (<https://ci.adoptium.net/job/build-scripts/job/utils/job/build-pipeline-generator/>), and the flag is disabled by bringing up the Build pipeline job and check the  `enableTests` checkbox is unticked.
+Scheduled pipeline Testing is automatically disabled from the Saturday prior to "release Tuesday", to the Sunday after, see: https://github.com/adoptium/ci-jenkins-pipelines/blob/5bd79eb1d95a033c4ee364a8f9fcc270ad653178/pipelines/build/common/trigger_beta_build.groovy#L51
 
 Add a banner to the website to indicate that the releases are coming in the near future ([Example Changes](https://github.com/adoptium/adoptium.net/blob/main/src/components/Banner.tsx)).
 

SmokeTesting.md

@@ -7,8 +7,9 @@ These are the general steps to execute the Smoke Tests found in[/test/functional
 1. export TEST_JDK_HOME=/someLocation // set test JDK home. On windows, the windows path format is expected. (i.e., TEST_JDK_HOME=C:\someLocation )
 1. git clone [https://github.com/adoptium/aqa-tests.git](https://github.com/adoptium/aqa-tests) to /testLocation
 1. cd aqa-tests
-1. ./get.sh
+1. ./get.sh --vendor_repos https://github.com/adoptium/temurin-build --vendor_branches master --vendor_dirs /test/functional
+1. ( When running get.sh ensure the vendor parameters are passed correctly, the above example shows how to run the smoke tests contained within the temurin-build repository )
 1. cd TKG
-1. Export environment variables suitable for the SDK under test and for the test materials being used (i.e., export BUILD_LIST=functional/buildAndPackage, VENDOR_TEST_REPOS=https://github.com/adoptium/temurin-build, VENDOR_TEST_BRANCHES=master, VENDOR_TEST_DIRS=/test/functional )
+1. Export environment variables suitable for the SDK under test and for the test materials being used (i.e., export BUILD_LIST=functional/buildAndPackage, this value details which test material that should be compiled.
 1. make compile // fetches test material and compiles it, based on build.xml files in the test directories
 1. make _extended.functional // executes the test target (can be test group, level, level.group or specific test). i.e., openjdk (all tests in openjdk group), sanity.functional (all functional tests labelled at sanity level), or in the case of smoke tests which are all tagged to belong to level=extended and group=functional, we use `_extended.functional` and because we have limited BUILD_LIST to the directory where the smoke test material lives, we will only run tests from that directory tagged as extended.functional.

build-farm/platform-specific-configurations/alpine-linux.sh

@@ -49,7 +49,7 @@ export GNUPGHOME
 
 BOOT_JDK_VARIABLE="JDK${JDK_BOOT_VERSION}_BOOT_DIR"
 if [ ! -d "$(eval echo "\$$BOOT_JDK_VARIABLE")" ]; then
-  bootDir="$PWD/jdk-$JDK_BOOT_VERSION"
+  bootDir="$PWD/jdk$JDK_BOOT_VERSION"
   # Note we export $BOOT_JDK_VARIABLE (i.e. JDKXX_BOOT_DIR) here
   # instead of BOOT_JDK_VARIABLE (no '$').
   export "${BOOT_JDK_VARIABLE}"="$bootDir"

build-farm/platform-specific-configurations/linux.sh

@@ -51,11 +51,11 @@ function locateDragonwell8BootJDK()
     export "${BOOT_JDK_VARIABLE}"=/usr/lib/jvm/dragonwell8
   else
     echo Dragonwell 8 requires a Dragonwell boot JDK - downloading one ...
-    mkdir -p "$PWD/jdk-8"
+    mkdir -p "$PWD/jdk8"
     # if [ "$(uname -m)" = "x86_64" ]; then
-    #   curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8"
+    #   curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.11.12_jdk8u332-ga/Alibaba_Dragonwell_8.11.12_x64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk8"
     # elif [ "$(uname -m)" = "aarch64" ]; then
-    #   curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk-8"
+    #   curl -L "https://github.com/alibaba/dragonwell8/releases/download/dragonwell-8.8.9_jdk8u302-ga/Alibaba_Dragonwell_8.8.9_aarch64_linux.tar.gz" | tar xpzf - --strip-components=1 -C "$PWD/jdk8"
     # else
     #   echo "Unknown architecture $(uname -m) for building Dragonwell - cannot download boot JDK"
     #   exit 1
@@ -86,11 +86,11 @@ function locateDragonwell8BootJDK()
     fi
 
     # Extract the downloaded file
-    tar xpzf "$TMP_FILE" --strip-components=1 -C "$PWD/jdk-8"
+    tar xpzf "$TMP_FILE" --strip-components=1 -C "$PWD/jdk8"
 
     # Clean up the temporary file
     rm "$TMP_FILE"
-    export "${BOOT_JDK_VARIABLE}"="$PWD/jdk-8"
+    export "${BOOT_JDK_VARIABLE}"="$PWD/jdk8"
   fi
 }
 
@@ -273,16 +273,16 @@ if [ "${VARIANT}" == "${BUILD_VARIANT_DRAGONWELL}" ] && [ "$JAVA_FEATURE_VERSION
 fi
 
 if [ ! -d "$(eval echo "\$$BOOT_JDK_VARIABLE")" ]; then
-  bootDir="$PWD/jdk-$JDK_BOOT_VERSION"
+  bootDir="$PWD/jdk$JDK_BOOT_VERSION"
   # Note we export $BOOT_JDK_VARIABLE (i.e. JDKXX_BOOT_DIR) here
   # instead of BOOT_JDK_VARIABLE (no '$').
   export "${BOOT_JDK_VARIABLE}"="$bootDir"
   if [ ! -x "$bootDir/bin/javac" ]; then
     # Set to a default location as linked in the ansible playbooks
-    if [ -x "/usr/lib/jvm/jdk-${JDK_BOOT_VERSION}/bin/javac" ]; then
-      echo "Could not use ${BOOT_JDK_VARIABLE} - using /usr/lib/jvm/jdk-${JDK_BOOT_VERSION}"
+    if [ -x "/usr/lib/jvm/jdk${JDK_BOOT_VERSION}/bin/javac" ]; then
+      echo "Could not use ${BOOT_JDK_VARIABLE} - using /usr/lib/jvm/jdk${JDK_BOOT_VERSION}"
       # shellcheck disable=SC2140
-      export "${BOOT_JDK_VARIABLE}"="/usr/lib/jvm/jdk-${JDK_BOOT_VERSION}"
+      export "${BOOT_JDK_VARIABLE}"="/usr/lib/jvm/jdk${JDK_BOOT_VERSION}"
     elif [ "$JDK_BOOT_VERSION" -ge 8 ]; then # Adoptium has no build pre-8
       downloadLinuxBootJDK "${ARCHITECTURE}" "${JDK_BOOT_VERSION}" "$bootDir"
     fi

build-farm/platform-specific-configurations/mac.sh

@@ -105,13 +105,18 @@ if [ "${JDK_BOOT_VERSION}" == "7" ]; then
 fi
 BOOT_JDK_VARIABLE="JDK${JDK_BOOT_VERSION}_BOOT_DIR"
 if [ ! -d "$(eval echo "\$$BOOT_JDK_VARIABLE")" ]; then
-  bootDir="$PWD/jdk-$JDK_BOOT_VERSION"
+  bootDir="$PWD/jdk$JDK_BOOT_VERSION"
   # Note we export $BOOT_JDK_VARIABLE (i.e. JDKXX_BOOT_DIR) here
   # instead of BOOT_JDK_VARIABLE (no '$').
   export "${BOOT_JDK_VARIABLE}"="$bootDir/Contents/Home"
   if [ ! -x "$bootDir/Contents/Home/bin/javac" ]; then
-    # To support multiple vendor names we set a jdk-* symlink pointing to the actual boot JDK
-    if [ -x "/Library/Java/JavaVirtualMachines/jdk-${JDK_BOOT_VERSION}/Contents/Home/bin/javac" ]; then
+    # To support multiple vendor names we set a jdk* symlink pointing to the actual boot JDK
+    if [ -x "/Library/Java/JavaVirtualMachines/jdk${JDK_BOOT_VERSION}/Contents/Home/bin/javac" ]; then
+      echo "Could not use ${BOOT_JDK_VARIABLE} - using /Library/Java/JavaVirtualMachines/jdk${JDK_BOOT_VERSION}/Contents/Home"
+      export "${BOOT_JDK_VARIABLE}"="/Library/Java/JavaVirtualMachines/jdk${JDK_BOOT_VERSION}/Contents/Home"
+    elif [ -x "/Library/Java/JavaVirtualMachines/jdk-${JDK_BOOT_VERSION}/Contents/Home/bin/javac" ]; then
+      # TODO: This temporary ELIF allows us to accomodate undesired dashes that may be present
+      # in boot directory names (e.g. jdk-10) on Orka node images (fix pending).
       echo "Could not use ${BOOT_JDK_VARIABLE} - using /Library/Java/JavaVirtualMachines/jdk-${JDK_BOOT_VERSION}/Contents/Home"
       export "${BOOT_JDK_VARIABLE}"="/Library/Java/JavaVirtualMachines/jdk-${JDK_BOOT_VERSION}/Contents/Home"
     elif [ "$JDK_BOOT_VERSION" -ge 8 ]; then # Adoptium has no build pre-8