.

Author: gamlerhart

contrib/sbom/readme.adoc

@@ -9,7 +9,7 @@ This module has some limitations at the moment:
 - Only JVM ecosystem libraries are reported.
 - Only the CycloneDX JSON format is supported
 
-To declare a module that generates an SBT extend the `mill.contrib.sbom.CycloneDXModuleTests` trait when defining your module.
+To declare a module that generates an SBOM extend the `mill.contrib.sbom.CycloneDXModuleTests` trait when defining your module.
 
 Quickstart:
 
@@ -36,7 +36,7 @@ $ mill show sbom-demo.sbomJsonFile # Creates the SBOM file in the JSON format
 ----
 
 == Uploading to Dependency Track
-Uploading the BOM to (https://dependencytrack.org/)[Dependency Track] is supported.
+Uploading the SBOM to https://dependencytrack.org/[Dependency Track] is supported.
 Add the `DependencyTrackModule` and provide the necessary details:
 
 .`build.mill`

contrib/sbom/src/mill/contrib/sbom/CycloneDX.scala

@@ -0,0 +1,76 @@
+package mill.contrib.sbom
+
+import coursier.Dependency
+import os.Path
+import upickle.default.macroRW
+import upickle.default.ReadWriter
+
+import java.math.BigInteger
+import java.security.MessageDigest
+import java.time.Instant
+import java.util.UUID
+
+object CycloneDX {
+  case class SbomJson(
+      bomFormat: String,
+      specVersion: String,
+      serialNumber: String,
+      version: Int,
+      metadata: MetaData,
+      components: Seq[Component]
+  )
+
+  case class MetaData(timestamp: String = Instant.now().toString)
+
+  case class ComponentHash(alg: String, content: String)
+
+  case class LicenseHolder(license: License)
+
+  case class License(name: String, url: Option[String])
+
+  case class Component(
+      `type`: String,
+      `bom-ref`: String,
+      group: String,
+      name: String,
+      version: String,
+      description: String,
+      licenses: Seq[LicenseHolder],
+      hashes: Seq[ComponentHash]
+  )
+
+  object Component {
+    def fromDeps(path: Path, dep: Dependency, licenses: Seq[coursier.Info.License]): Component = {
+      val compLicenses = licenses.map { lic =>
+        LicenseHolder(License(lic.name, lic.url))
+      }
+      Component(
+        "library",
+        s"pkg:maven/${dep.module.organization.value}/${dep.module.name.value}@${dep.version}?type=jar",
+        dep.module.organization.value,
+        dep.module.name.value,
+        dep.version,
+        dep.module.orgName,
+        compLicenses,
+        Seq(ComponentHash("SHA-256", sha256(path)))
+      )
+    }
+  }
+
+  implicit val sbomRW: ReadWriter[SbomJson] = macroRW
+  implicit val metaRW: ReadWriter[MetaData] = macroRW
+  implicit val componentHashRW: ReadWriter[ComponentHash] = macroRW
+  implicit val componentRW: ReadWriter[Component] = macroRW
+  implicit val licenceHolderRW: ReadWriter[LicenseHolder] = macroRW
+  implicit val licenceRW: ReadWriter[License] = macroRW
+
+  private def sha256(f: Path): String = {
+    val md = MessageDigest.getInstance("SHA-256")
+    val fileContent = os.read.bytes(f)
+    val digest = md.digest(fileContent)
+    String.format("%0" + (digest.length << 1) + "x", new BigInteger(1, digest))
+  }
+
+  case class SbomHeader(serialNumber: UUID, timestamp: Instant)
+
+}

contrib/sbom/src/mill/contrib/sbom/CycloneDXJavaModule.scala

@@ -0,0 +1,75 @@
+package mill.contrib.sbom
+
+import coursier.{Artifacts, Resolution, VersionConstraint, core as cs}
+import mill.Task
+import mill.javalib.{BoundDep, JavaModule}
+
+/**
+ * Report the Java/Scala/Kotlin dependencies in a SBOM.
+ * By default, it reports all dependencies in the [[ivyDeps]] and [[runIvyDeps]].
+ * Other scopes and unmanaged dependencies are not added to the report.
+ *
+ * Change this behavior by  overriding [[sbomComponents]]
+ */
+trait CycloneDXJavaModule extends JavaModule with CycloneDXModule {
+  import CycloneDX.*
+
+  /**
+   * Lists of all components used for this module.
+   * By default, uses the [[ivyDeps]] and [[runIvyDeps]] for the list of components
+   */
+  def sbomComponents: Task[Seq[Component]] = Task {
+    val (resolution, artifacts) = resolvedRunIvyDepsDetails()()
+    resolvedSbomComponents(resolution, artifacts)
+  }
+
+  protected def resolvedSbomComponents(
+      resolution: Resolution,
+      artifacts: Artifacts.Result
+  ): Seq[Component] = {
+    val distinctDeps = artifacts.fullDetailedArtifacts
+      .flatMap {
+        case (dep, _, _, Some(path)) => Some(dep -> path)
+        case _ => None
+      }
+      // Artifacts.Result.files does eliminate duplicates path: Do the same
+      .distinctBy(_._2)
+      .map { case (dep, path) =>
+        val license = findLicenses(resolution, dep.module, dep.versionConstraint)
+        Component.fromDeps(os.Path(path), dep, license)
+      }
+    distinctDeps
+  }
+
+  /** Copied from [[resolvedRunIvyDeps]], but getting the raw artifacts */
+  private def resolvedRunIvyDepsDetails(): Task[(Resolution, Artifacts.Result)] = Task.Anon {
+    millResolver().artifacts(Seq(
+      BoundDep(
+        coursierDependency.withConfiguration(cs.Configuration.runtime),
+        force = false
+      )
+    ))
+  }
+
+  private def findLicenses(
+      resolution: Resolution,
+      module: coursier.core.Module,
+      version: VersionConstraint
+  ): Seq[coursier.Info.License] = {
+    val projects = resolution.projectCache0
+    val project = projects.get(module -> version)
+    project match
+      case None => Seq.empty
+      case Some((_, proj)) =>
+        val licences = proj.info.licenseInfo
+        if (licences.nonEmpty) {
+          licences
+        } else {
+          proj.parent0.map((pm, v) =>
+            findLicenses(resolution, pm, VersionConstraint.fromVersion(v))
+          )
+            .getOrElse(Seq.empty)
+        }
+  }
+
+}

contrib/sbom/src/mill/contrib/sbom/CycloneDXModule.scala

@@ -1,7 +1,6 @@
 package mill.contrib.sbom
 
 import mill.*
-import mill.contrib.sbom.CycloneDXModule.Component
 import mill.javalib.{BoundDep, JavaModule}
 import coursier.{Artifacts, Dependency, Resolution, VersionConstraint, core as cs}
 import os.Path
@@ -10,140 +9,13 @@ import upickle.default.{ReadWriter, macroRW}
 import java.math.BigInteger
 import java.security.MessageDigest
 import java.time.Instant
-import java.util.{UUID}
-
-object CycloneDXModule {
-  case class SBOM_JSON(
-      bomFormat: String,
-      specVersion: String,
-      serialNumber: String,
-      version: Int,
-      metadata: MetaData,
-      components: Seq[Component]
-  )
-
-  case class MetaData(timestamp: String = Instant.now().toString)
-
-  case class ComponentHash(alg: String, content: String)
-
-  case class LicenseHolder(license: License)
-
-  case class License(name: String, url: Option[String])
-
-  case class Component(
-      `type`: String,
-      `bom-ref`: String,
-      group: String,
-      name: String,
-      version: String,
-      description: String,
-      licenses: Seq[LicenseHolder],
-      hashes: Seq[ComponentHash]
-  )
-
-  object Component {
-    def fromDeps(path: Path, dep: Dependency, licenses: Seq[coursier.Info.License]): Component = {
-      val compLicenses = licenses.map { lic =>
-        LicenseHolder(License(lic.name, lic.url))
-      }
-      Component(
-        "library",
-        s"pkg:maven/${dep.module.organization.value}/${dep.module.name.value}@${dep.version}?type=jar",
-        dep.module.organization.value,
-        dep.module.name.value,
-        dep.version,
-        dep.module.orgName,
-        compLicenses,
-        Seq(ComponentHash("SHA-256", sha256(path)))
-      )
-    }
-  }
-
-  implicit val sbomRW: ReadWriter[SBOM_JSON] = macroRW
-  implicit val metaRW: ReadWriter[MetaData] = macroRW
-  implicit val componentHashRW: ReadWriter[ComponentHash] = macroRW
-  implicit val componentRW: ReadWriter[Component] = macroRW
-  implicit val licenceHolderRW: ReadWriter[LicenseHolder] = macroRW
-  implicit val licenceRW: ReadWriter[License] = macroRW
-
-  private def sha256(f: Path): String = {
-    val md = MessageDigest.getInstance("SHA-256")
-    val fileContent = os.read.bytes(f)
-    val digest = md.digest(fileContent)
-    String.format("%0" + (digest.length << 1) + "x", new BigInteger(1, digest))
-  }
-
-  case class SbomHeader(serialNumber: UUID, timestamp: Instant)
-
-}
-
-trait CycloneDXJavaModule extends JavaModule with CycloneDXModule {
-
-  /**
-   * Lists of all components used for this module.
-   * By default, uses the [[ivyDeps]] and [[runIvyDeps]] for the list of components
-   */
-  def sbomComponents: Task[Seq[Component]] = Task {
-    val (resolution, artifacts) = resolvedRunIvyDepsDetails()()
-    resolvedSbomComponents(resolution, artifacts)
-  }
-
-  protected def resolvedSbomComponents(
-      resolution: Resolution,
-      artifacts: Artifacts.Result
-  ): Seq[Component] = {
-    val distinctDeps = artifacts.fullDetailedArtifacts
-      .flatMap {
-        case (dep, _, _, Some(path)) => Some(dep -> path)
-        case _ => None
-      }
-      // Artifacts.Result.files does eliminate duplicates path: Do the same
-      .distinctBy(_._2)
-      .map { case (dep, path) =>
-        val license = findLicenses(resolution, dep.module, dep.versionConstraint)
-        Component.fromDeps(os.Path(path), dep, license)
-      }
-    distinctDeps
-  }
-
-  /** Copied from [[resolvedRunIvyDeps]], but getting the raw artifacts */
-  private def resolvedRunIvyDepsDetails(): Task[(Resolution, Artifacts.Result)] = Task.Anon {
-    millResolver().artifacts(Seq(
-      BoundDep(
-        coursierDependency.withConfiguration(cs.Configuration.runtime),
-        force = false
-      )
-    ))
-  }
-
-  private def findLicenses(
-      resolution: Resolution,
-      module: coursier.core.Module,
-      version: VersionConstraint
-  ): Seq[coursier.Info.License] = {
-    val projects = resolution.projectCache0
-    val project = projects.get(module -> version)
-    project match
-      case None => Seq.empty
-      case Some((_, proj)) =>
-        val licences = proj.info.licenseInfo
-        if (licences.nonEmpty) {
-          licences
-        } else {
-          proj.parent0.map((pm, v) =>
-            findLicenses(resolution, pm, VersionConstraint.fromVersion(v))
-          )
-            .getOrElse(Seq.empty)
-        }
-  }
-
-}
+import java.util.UUID
 
 trait CycloneDXModule extends Module {
-  import CycloneDXModule.*
+  import CycloneDX.*
 
   /** Lists of all components used for this module. */
-  def sbomComponents: Task[Agg[Component]]
+  def sbomComponents: Task[Seq[Component]]
 
   /**
    * Each time the SBOM is generated, a new UUID and timestamp are generated
@@ -155,11 +27,11 @@ trait CycloneDXModule extends Module {
    * Generates the SBOM Json for this module, based on the components returned by [[sbomComponents]]
    * @return
    */
-  def sbom: T[SBOM_JSON] = Target {
+  def sbom: T[SbomJson] = Target {
     val header = sbomHeader()
     val components = sbomComponents()
 
-    SBOM_JSON(
+    SbomJson(
       bomFormat = "CycloneDX",
       specVersion = "1.2",
       serialNumber = s"urn:uuid:${header.serialNumber}",

contrib/sbom/test/reference/pom.xml

@@ -26,7 +26,7 @@
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
-            <version>1.2.3</version>
+            <version>1.5.12</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>

contrib/sbom/test/src/mill/contrib/sbom/CycloneDXModuleTests.scala

@@ -12,20 +12,20 @@ import java.time.Instant
 
 object TestModule extends TestBaseModule {
 
-  val fixedHeader = CycloneDXModule.SbomHeader(
+  val fixedHeader = CycloneDX.SbomHeader(
     UUID.fromString("a9d6a1c7-18d4-4901-891c-cbcc8f2c5241"),
     Instant.parse("2025-03-17T17:00:56.263933698Z")
   )
 
   object noDeps extends JavaModule with CycloneDXJavaModule {}
 
   object withDeps extends JavaModule with CycloneDXJavaModule {
-    override def sbomHeader(): CycloneDXModule.SbomHeader = fixedHeader
+    override def sbomHeader(): CycloneDX.SbomHeader = fixedHeader
     override def ivyDeps = Agg(ivy"ch.qos.logback:logback-classic:1.5.12")
   }
 
   object withModuleDeps extends JavaModule with CycloneDXJavaModule {
-    override def sbomHeader(): CycloneDXModule.SbomHeader = fixedHeader
+    override def sbomHeader(): CycloneDX.SbomHeader = fixedHeader
     override def moduleDeps = Seq(withDeps)
     override def ivyDeps = Agg(ivy"commons-io:commons-io:2.18.0")
   }