
configure args is in the metadata file but not the main SBoM file #3917

Open
sxa opened this issue Aug 19, 2024 · 8 comments · May be fixed by #4082
Labels
Sbom issue relate to work of sbom secure-dev

Comments

@sxa
Member

sxa commented Aug 19, 2024

I thought we had the configure args in the main SBoM now - I guess not 😢
Ideally we'd just pull the SBoM from the API but since we need the metadata file as well I guess it makes sense to have the two lines look similar.
We typically don't want to encourage people going directly to our backend location on github.

Originally posted by @sxa in adoptium/adoptium.net#2949 (comment)

We should ensure that all information required for reproducibility is in the main SBoM file so the metadata file (primarily for use by the Adoptium API) is not required for reproducibility verification.

The goal here should be to ensure that our documentation like this for Linux/x64 does not include curl -L -O https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.4%2B7/OpenJDK21U-sbom_x64_linux_hotspot_21.0.4_7-metadata.json because all of the information has been added to the SBoM file.

@Scanteianu

I can do this.

@sxa sxa removed this from Adoptium Backlog Nov 28, 2024
@sxa sxa added Sbom issue relate to work of sbom secure-dev labels Nov 28, 2024
@Scanteianu

@sxa is this something I should somehow try doing in the TemurinGenSBOM.java? (If so, how do I build it/pull in dependencies? I'm not sure how I can pull in the cyclonedx libs without having a maven/gradle build file.)

@sxa
Member Author

sxa commented Nov 28, 2024

https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/README.md contains pretty much everything I know about the SBoM generation process, and specifically my experience of adding things. Hopefully the referenced parts of build.sh in there will give you an idea of how to get started. For anything more complex we may need the assistance of @andrew-m-leonard :-)

@andrew-m-leonard
Contributor

andrew-m-leonard commented Nov 29, 2024

@Scanteianu this would just need one line to add configure_args around here:

addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Build Config" "${built_config}"

This should work I think:

addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Configure Args" "${CONFIGURE_ARGS}"

@Scanteianu

Not quite sure what @andrew-m-leonard means: is it that BUILD_CONFIGURATION_PARAM thing which is all the SBOM needs? (It still needs converting into a name-value pair list to match the definition in https://cyclonedx.org/docs/1.4/json/#metadata_component_properties.)

The thing in the PR matches the validator here https://cyclonedx.github.io/cyclonedx-web-tool/validate (with the caveat that I manually bumped the minor version back down to 1.5 because they don't support 1.6 yet).

@andrew-m-leonard
Contributor

The addSBOMComponentProperty should do all the work; we just need to add the following line to sbin/build.sh, so that CONFIGURE_ARGS:

addSBOMComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "${componentName}" "Configure Args" "${CONFIGURE_ARGS}"

Note: CONFIGURE_ARGS is kept as a single String property value.

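As an added illustration (not code from the temurin-build project), the check a consumer would run once the property is in the main SBoM: parse the CycloneDX metadata.component.properties name/value list discussed above and confirm the "Build Config" and "Configure Args" entries are present, so the separate metadata file is not needed for reproducibility verification. The SBOM content below is a constructed sample with placeholder values; only the property names come from the thread.

```python
import json

# Constructed CycloneDX SBOM fragment in the shape of
# metadata.component.properties (a list of name/value pairs).
# Values are placeholders, not from a real Temurin build.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {
        "component": {
            "type": "application",
            "name": "example-jdk",  # hypothetical component name
            "properties": [
                {"name": "Build Config", "value": "example-build-config"},
                {"name": "Configure Args",
                 "value": "--with-example-flag=1 --enable-example"},
            ],
        }
    },
})

# Properties a reproducibility check expects in the main SBoM.
REQUIRED = ("Build Config", "Configure Args")


def component_properties(sbom_text):
    """Return metadata.component.properties as a dict of name -> value."""
    sbom = json.loads(sbom_text)
    props = sbom.get("metadata", {}).get("component", {}).get("properties", [])
    return {p["name"]: p["value"] for p in props if "name" in p and "value" in p}


def missing_reproducibility_properties(sbom_text, required=REQUIRED):
    """Names from `required` that are absent or empty in the SBoM."""
    props = component_properties(sbom_text)
    return [name for name in required if not props.get(name)]


def configure_args(sbom_text):
    """The configure args recorded in the SBoM, or None if not present."""
    return component_properties(sbom_text).get("Configure Args")


if __name__ == "__main__":
    missing = missing_reproducibility_properties(SAMPLE_SBOM)
    print("missing:", missing or "none")
    print("configure args:", configure_args(SAMPLE_SBOM))
```

A non-empty result from missing_reproducibility_properties means the SBoM alone is not sufficient and the metadata file would still be required.
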
@sxa
Member Author

sxa commented Dec 19, 2024

@Scanteianu Does Andrew's comment above sound good to you?

@Scanteianu

Sorry, I missed the notification, not sure why. I will try to add that line.
