diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 47e21b38..91b29b56 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -88,6 +88,21 @@ jobs:
!product/target/openfasttrace-*-sources.jar
if-no-files-found: error
+ - name: Generate SPDX SBOM
+ if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
+ run: |
+ mvn --batch-mode -pl product spdx:createSPDX \
+ -Dossindex.skip=true \
+ -Djava.version=${{ matrix.java }}
+
+ - name: Upload SPDX SBOM
+ uses: actions/upload-artifact@v7
+ if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
+ with:
+ name: openfasttrace-spdx
+ path: product/target/site/*.spdx.json
+ if-no-files-found: error
+
- name: Run self-trace
run: ./oft-self-trace.sh
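Review bot: The `mvn --batch-mode -pl product spdx:createSPDX` step relies on the sibling module POMs already being in the local repository (the developer guide in this same PR says the plugin reads module metadata from installed POMs and that `install` must run first), but the preceding steps of this job are not visible here; please confirm the job runs `install` rather than `verify`/`package` before this step, otherwise the plugin resolves stale POMs from the remote repository or fails. The goal invoked here (`createSPDX`) also differs from the one configured in `product/pom.xml` (`aggregateSPDX` in execution `aggregate-spdx`); state which is intended. Two smaller points: the SBOM is only uploaded as a workflow artifact here, while `SECURITY.md` and the changelog promise it as a release asset, so either the release workflow (not in this diff) picks it up or the docs overstate; and since the build is reproducible, the SBOM should be produced from the same run that builds the released JAR so the two describe identical bytes.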
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..efffbf0c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We are very grateful for any security reports and see them as a valuable way to improve the quality and reliability of our codebase. As a non-profit open-source project, we appreciate the time and effort the community puts into helping us keep OpenFastTrace secure.
+
+Please note that we do not offer bug bounties.
+
+To report a vulnerability, please use the [GitHub Security Advisory reporting feature](https://github.com/itsallcode/openfasttrace/security/advisories/new) or contact the maintainers directly. We strive to address all security concerns in a timely and professional manner.
+
+## Software Bill of Materials (SBOM)
+
+To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the GitHub releases starting from version 4.6.0. These files provide a comprehensive list of all components and dependencies used in the project.
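Review bot: "contact the maintainers directly" gives a reporter no channel; name the e-mail address or other private route, because someone who cannot use GitHub advisories otherwise has nowhere to report. The SBOM paragraph also overstates what the artifact contains: the developer guide in this PR says the SBOM lists only the OFT modules (no third-party packages, since none are bundled; no test dependencies; and the JRE is a runtime dependency of the host), so "a comprehensive list of all components and dependencies" should say exactly that and point out that the JRE is not covered, so consumers do not expect vulnerability-scanner matches for third-party libraries from it. Consider adding a "Supported Versions" section stating which releases receive fixes. Minor: "SBOMs (Software Bill of Materials)" should read "Bills of Materials".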
diff --git a/api/pom.xml b/api/pom.xml
index e0ee8615..9d7d0c13 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-api
OpenFastTrace API
+ Public API of OpenFastTrace
../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/core/pom.xml b/core/pom.xml
index 4f8b3a5b..265d929f 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-core
OpenFastTrace Core
+ OpenFastTrace core logic (specification items, linking and base modules for importers, exporters and reporters)
../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/doc/changes/changes_4.6.0.md b/doc/changes/changes_4.6.0.md
index 4368a932..e573dd6a 100644
--- a/doc/changes/changes_4.6.0.md
+++ b/doc/changes/changes_4.6.0.md
@@ -4,8 +4,15 @@ Code name: ??
## Summary
-We moved some GitHub action permissions from workflow-level to job-level.
+We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules.
+
+And, we now create an SPDX SBOM. You can find the SBOM of the product JAR attached to all new GitHub releases.
## Security
-* #
\ No newline at end of file
+* #
+
+## Refactoring
+
+* #527: Introduced SPDX SBOM
+* #536: Fixed a large number of Sonar findings that came with new sonar rules.
\ No newline at end of file
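Review bot: `## Security` still carries the empty placeholder `* #` while `#527: Introduced SPDX SBOM` is filed under `## Refactoring`; an SBOM is a supply-chain deliverable, not a refactoring, so move it to the Security section and drop the placeholder. The summary states the SBOM is "attached to all new GitHub releases", but this diff only uploads it as a workflow artifact; make sure the release workflow does attach it or soften the wording. Minor: "sonar" in #536 should be "Sonar" as in the summary, and the file still ends without a newline.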
diff --git a/doc/developer_guide.md b/doc/developer_guide.md
index ea69b416..a7e6f734 100644
--- a/doc/developer_guide.md
+++ b/doc/developer_guide.md
@@ -237,6 +237,23 @@ This project is configured to produce exactly the same artifacts each time when
The build will use the last Git commit timestamp as timestamp for files in `.jar` archives.
+## SBOM
+
+The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin).
+
+The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven repository first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM.
+
+
+You can create the SBOM with the following sequence of Maven commands module:
+
+```shell
+mvn install
+mvn -pl product spdx:createSPDX
+```
+
+> [!IMPORTANT]
+> OFT does not include 3rd-party packages in the production JAR. The JRE we depend on is a runtime dependency on the machine OFT is executed. Therefore our SBOM only contains the OFT modules. We also did not include the test packages because they are not relevant for OFT users.
+
## Creating a Release
**NOTE**: This currently only works for release version numbers, not SNAPSHOT versions.
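Review bot: Several wording slips in the new section: "The Project generates and [SPDX]" should be "The project generates an [SPDX]", "3rd-party" should be "third-party", "on the machine OFT is executed" needs a trailing "on", "sequence of Maven commands module:" has a stray "module", and there is a doubled blank line before it. More substantively, the paragraph explains that the plugin reads module metadata from POMs in the local repository but stops short of the consequence: a stale local repository yields an SBOM describing whatever was installed last, not the current checkout, so `mvn install` must be re-run on the same checkout immediately before `mvn -pl product spdx:createSPDX` (and the CI job should do both in one run). The `[!IMPORTANT]` note is also the place to say that the JRE must be inventoried separately by the operator.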
diff --git a/exporter/common/pom.xml b/exporter/common/pom.xml
index 52b9e58a..5ad9570b 100644
--- a/exporter/common/pom.xml
+++ b/exporter/common/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-exporter-common
OpenFastTrace Exporters Utils
+ Common logic for OpenFastTrace exporters
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/exporter/specobject/pom.xml b/exporter/specobject/pom.xml
index 39b20762..55ae0d01 100644
--- a/exporter/specobject/pom.xml
+++ b/exporter/specobject/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-exporter-specobject
OpenFastTrace Specobject Exporter
+ Specobject (ReqM2 exchange format) exporter
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/lightweightmarkup/pom.xml b/importer/lightweightmarkup/pom.xml
index 37fe269b..d8357d2a 100644
--- a/importer/lightweightmarkup/pom.xml
+++ b/importer/lightweightmarkup/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-lightweightmarkup
OpenFastTrace Lightweight Markup Importer Base
+ Base module for OpenFastTrace importers based on lightweight markup languages (e.g., Markdown and RST)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/markdown/pom.xml b/importer/markdown/pom.xml
index 42c96065..3fb410fd 100644
--- a/importer/markdown/pom.xml
+++ b/importer/markdown/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-markdown
OpenFastTrace Markdown Importer
+ Importer for OpenFastTrace specification items embedded into Markdown text
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/restructuredtext/pom.xml b/importer/restructuredtext/pom.xml
index 4f66ed9d..db3c182d 100644
--- a/importer/restructuredtext/pom.xml
+++ b/importer/restructuredtext/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-restructuredtext
OpenFastTrace reStructuredText Importer
+ Importer for OpenFastTrace specification items embedded into reStructuredText (RST)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/specobject/pom.xml b/importer/specobject/pom.xml
index 91dbab26..fe079d7a 100644
--- a/importer/specobject/pom.xml
+++ b/importer/specobject/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-specobject
OpenFastTrace Specobject Importer
+ Importer for OpenFastTrace specification items from Specobject (ReqM2 format)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/tag/pom.xml b/importer/tag/pom.xml
index 165ed118..3649d98d 100644
--- a/importer/tag/pom.xml
+++ b/importer/tag/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-tag
OpenFastTrace Tag Importer
+ Importer for OpenFastTrace specification items embedded source code marker tags
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
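Review bot: The description "Importer for OpenFastTrace specification items embedded source code marker tags" is missing a preposition; "embedded in source code as marker tags" reads correctly and matches the form of the other importer descriptions.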
diff --git a/importer/xmlparser/pom.xml b/importer/xmlparser/pom.xml
index b8723191..9a2ac786 100644
--- a/importer/xmlparser/pom.xml
+++ b/importer/xmlparser/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-xmlparser
OpenFastTrace Common XML Parser
+ Importer for OpenFastTrace specification items embedded into XML
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
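Review bot: The description "Importer for OpenFastTrace specification items embedded into XML" does not match the module's own name "OpenFastTrace Common XML Parser" and its artifact id `openfasttrace-importer-xmlparser`, which indicate a shared parser used by importers rather than an importer itself. Since this string becomes the package description in the SBOM, describe it as such, e.g. "Common XML parser used by OpenFastTrace importers".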
diff --git a/importer/zip/pom.xml b/importer/zip/pom.xml
index c82ff929..95055477 100644
--- a/importer/zip/pom.xml
+++ b/importer/zip/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-zip
OpenFastTrace Zip Importer
+ Recursive importer for OpenFastTrace specification items in ZIP archives
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/openfasttrace-mc-deployable-parent/pom.xml b/openfasttrace-mc-deployable-parent/pom.xml
index 4de7d681..0d12e0df 100644
--- a/openfasttrace-mc-deployable-parent/pom.xml
+++ b/openfasttrace-mc-deployable-parent/pom.xml
@@ -16,6 +16,7 @@ It is maintained separately from the main parent POM for the following reasons:
openfasttrace-mc-deployable-parent
${revision}
OpenFastTrace Parent for modules deployed to Maven Central
+ Maven-central-specific deployment module for OpenFastTrace
pom
../parent/pom.xml
@@ -23,7 +24,6 @@ It is maintained separately from the main parent POM for the following reasons:
openfasttrace-parent
${revision}
- Free requirement tracking suite
https://github.com/itsallcode/openfasttrace
false
diff --git a/parent/pom.xml b/parent/pom.xml
index 86dfe2a2..e66514f1 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -7,10 +7,9 @@
${revision}
OpenFastTrace Parent
pom
- Free requirement tracking suite
https://github.com/itsallcode/openfasttrace
- 4.5.0
+ 4.6.0
17
6.1.0-M1
6.1.0
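Review bot: Removing the inherited "Free requirement tracking suite" description from the parent means any module without its own description now publishes none, and gets no description in the SBOM; this PR adds one to every module it touches, so please confirm that no module outside this diff is left without one. The version bump to 4.6.0 is consistent with the SECURITY.md statement that SBOMs start with that release.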
@@ -21,11 +20,13 @@
${reproducible.build.timestamp}
-Duser.language=en
false
+ GPL-3.0-only
+ Copyright (c) itsallcode.org
- GNU General Public License v3.0
- https://www.gnu.org/licenses/gpl-3.0.html
+ GPL-3.0-only
+ https://spdx.org/licenses/GPL-3.0-only.html
repo
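Review bot: Switching the license name published to Maven Central from "GNU General Public License v3.0" to the bare identifier "GPL-3.0-only" is not needed for the SBOM: the plugin configuration below already takes the declared and concluded license from `${spdx.license}`. If the intent is only machine readability for SPDX, keep the human-readable name and gnu.org URL in the license block and let `spdx.license` drive the SBOM; if the change is deliberate, mention it in the changelog. `spdx.copyright` = "Copyright (c) itsallcode.org" has no year, which SPDX permits since copyrightText is free-form, but state that choice so nobody "fixes" it later.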
@@ -528,7 +529,7 @@
2.21.0
-
+
org.apache.maven.plugins
maven-deploy-plugin
3.1.4
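Review bot: Whitespace-only change on the blank line before `maven-deploy-plugin`; it is unrelated to the SBOM work, so drop it to keep the diff focused unless it is a formatter normalisation the project wants.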
@@ -536,6 +537,36 @@
true
+
+ org.spdx
+ spdx-maven-plugin
+ 1.0.3
+
+
+ build-spdx
+
+ createSPDX
+
+
+ none
+
+
+
+
+ build
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+ true
+ false
+ true
+
+
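Review bot: The plugin version `1.0.3` declared here is repeated verbatim in `pom.xml` and `product/pom.xml`; if this block lives under plugin management (as the neighbouring `maven-deploy-plugin` 3.1.4 entry suggests), the other two declarations should omit the version so an upgrade happens in one place. The `build-spdx` execution binds `createSPDX` to phase `none`, i.e. it runs only when invoked explicitly, which matches the documented `mvn -pl product spdx:createSPDX`; the `aggregateSPDX` executions in `pom.xml` and `product/pom.xml` use a different goal and no phase, so nothing in the documented build ever reaches them. Please reconcile on one goal, and note in the developer guide that the workflow expects the output under `product/target/site/*.spdx.json`.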
diff --git a/pom.xml b/pom.xml
index 813a87ff..b5c0e563 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,6 +47,30 @@
true
+
+ org.spdx
+ spdx-maven-plugin
+ 1.0.3
+
+
+ aggregate-spdx
+
+ aggregateSPDX
+
+
+
+
+ build
+ false
+ GPL-3.0-only
+ GPL-3.0-only
+ Copyright (c) itsallcode.org
+ false
+ GPL-3.0-only
+ GPL-3.0-only
+ Copyright (c) itsallcode.org
+
+
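Review bot: The license and copyright values are hard-coded literals here (`GPL-3.0-only`, `Copyright (c) itsallcode.org`) while `parent/pom.xml` and `product/pom.xml` read them from `${spdx.license}` and `${spdx.copyright}`; if this aggregator POM inherits from `parent/pom.xml`, use the same properties so a notice change cannot drift between the three places. The execution also repeats version `1.0.3` and configures `aggregateSPDX` without a phase, so no documented command triggers it; either bind it to a phase or document the command that runs it.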
diff --git a/product/pom.xml b/product/pom.xml
index 58214bd1..e044916a 100644
--- a/product/pom.xml
+++ b/product/pom.xml
@@ -3,6 +3,7 @@
4.0.0
openfasttrace
OpenFastTrace Product
+ OpenFastTrace aggregated library (includes all official base modules)
../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
@@ -133,6 +134,119 @@
+
+ org.spdx
+ spdx-maven-plugin
+ 1.0.3
+
+
+ aggregate-spdx
+
+ aggregateSPDX
+
+
+
+
+ build
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-api
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-core
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-exporter-common
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-exporter-specobject
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-lightweightmarkup
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-markdown
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-restructuredtext
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-specobject
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-tag
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-xmlparser
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-zip
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-reporter-aspec
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-reporter-html
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-reporter-plaintext
+ GPL-3.0-only
+
+
+
+
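Review bot: The fourteen per-module entries each hard-code `GPL-3.0-only` instead of `${spdx.license}`, which the same block uses a few lines above; use the property. More importantly, this list is a second, hand-maintained copy of the product's module set: a module added to the product's dependencies but not to this list silently disappears from the SBOM, which is exactly the gap an SBOM exists to close. Either derive the list from the dependency tree or add a build-time check that every `org.itsallcode.openfasttrace` dependency of the product appears here. Also, the execution configures `aggregateSPDX` while the workflow and developer guide invoke `spdx:createSPDX`; confirm which goal is intended and remove the unused one.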
diff --git a/reporter/aspec/pom.xml b/reporter/aspec/pom.xml
index f47a75f3..80964064 100644
--- a/reporter/aspec/pom.xml
+++ b/reporter/aspec/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-reporter-aspec
OpenFastTrace augmented specobject Reporter
+ Report an OpenFastTrace requirement trace as Augmented Specobject (ReqM2 format)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
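Review bot: The three reporter descriptions ("Report an ...", "Generate HTML report ...", "Generate plain text report ...") are imperative sentences, while every importer and exporter description in this PR is a noun phrase ("Importer for ...", "... exporter"); since these strings become SBOM package descriptions, keep one form, e.g. "Reporter for OpenFastTrace requirement traces in Augmented Specobject (ReqM2) format".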
diff --git a/reporter/html/pom.xml b/reporter/html/pom.xml
index 288f2a61..dc4a7711 100644
--- a/reporter/html/pom.xml
+++ b/reporter/html/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-reporter-html
OpenFastTrace HTML Reporter
+ Generate HTML report from an OpenFastTrace requirement trace
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/reporter/plaintext/pom.xml b/reporter/plaintext/pom.xml
index a0719c1d..fefd1284 100644
--- a/reporter/plaintext/pom.xml
+++ b/reporter/plaintext/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-reporter-plaintext
OpenFastTrace Plaintext Reporter
+ Generate plain text report from an OpenFastTrace requirement trace
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/testutil/pom.xml b/testutil/pom.xml
index 9f5f12f3..9d1a0536 100644
--- a/testutil/pom.xml
+++ b/testutil/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-testutil
OpenFastTrace Test utilities
+ Shared test utilities used in multiple OpenFastTrace modules
jar
../parent/pom.xml