From 93842b7b3ebb09497a90c9c6cbee1e2ba7e17e0d Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Fri, 29 May 2026 20:16:25 +0200 Subject: [PATCH 1/5] #527: SPDX SBOM first part. --- doc/developer_guide.md | 10 ++++++++++ parent/pom.xml | 27 +++++++++++++++++++++++++-- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/doc/developer_guide.md b/doc/developer_guide.md index ea69b416..baf19ce2 100644 --- a/doc/developer_guide.md +++ b/doc/developer_guide.md @@ -237,6 +237,16 @@ This project is configured to produce exactly the same artifacts each time when The build will use the last Git commit timestamp as timestamp for files in `.jar` archives. +## SBOM + +The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin). + +You can create the SBOM with the following command in the `product` module: + +```sh +mvn spdx:createSPDX +``` + ## Creating a Release **NOTE**: This currently only works for release version numbers, not SNAPSHOT versions. diff --git a/parent/pom.xml b/parent/pom.xml index 166ea445..4e47f828 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -24,7 +24,7 @@ - GNU General Public License v3.0 + GPL-3.0-only https://www.gnu.org/licenses/gpl-3.0.html repo @@ -528,7 +528,7 @@ 2.21.0 - + org.apache.maven.plugins maven-deploy-plugin 3.1.4 @@ -536,6 +536,29 @@ true + + org.spdx + spdx-maven-plugin + 1.0.3 + + + build-spdx + + createSPDX + + + + + build + false + GPL-3.0-only + GPL-3.0-only + Copyright (c) itsallcode.org + GPL-3.0-only + GPL-3.0-only + Copyright (c) itsallcode.org + + From 8833bc9e110be32506d5b3f65cf25c7ea38d1b8d Mon Sep 17 00:00:00 2001 
From: redcatbaer Date: Sat, 13 Jun 2026 09:59:09 +0200 Subject: [PATCH 2/5] #527: Added descriptions to all packages in the individual POM files. --- api/pom.xml | 1 + core/pom.xml | 1 + doc/changes/changes_4.6.0.md | 11 ++++++++-- exporter/common/pom.xml | 1 + exporter/specobject/pom.xml | 1 + importer/lightweightmarkup/pom.xml | 1 + importer/markdown/pom.xml | 1 + importer/restructuredtext/pom.xml | 1 + importer/specobject/pom.xml | 1 + importer/tag/pom.xml | 1 + importer/xmlparser/pom.xml | 1 + importer/zip/pom.xml | 1 + openfasttrace-mc-deployable-parent/pom.xml | 2 +- parent/pom.xml | 20 +++++++++-------- pom.xml | 24 +++++++++++++++++++++ product/pom.xml | 25 ++++++++++++++++++++++ reporter/aspec/pom.xml | 1 + reporter/html/pom.xml | 1 + reporter/plaintext/pom.xml | 1 + testutil/pom.xml | 1 + 20 files changed, 85 insertions(+), 12 deletions(-) diff --git a/api/pom.xml b/api/pom.xml index e0ee8615..9d7d0c13 100644 --- a/api/pom.xml +++ b/api/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-api OpenFastTrace API + Public API of OpenFastTrace ../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/core/pom.xml b/core/pom.xml index 4f8b3a5b..265d929f 100644 --- a/core/pom.xml +++ b/core/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-core OpenFastTrace Core + OpenFastTrace core logic (specification items, linking and base modules for importers, exporters and reporters) ../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/doc/changes/changes_4.6.0.md b/doc/changes/changes_4.6.0.md index 4368a932..aec07c80 100644 --- a/doc/changes/changes_4.6.0.md +++ b/doc/changes/changes_4.6.0.md 
@@ -4,8 +4,15 @@ Code name: ?? ## Summary -We moved some GitHub action permissions from workflow-level to job-level. +We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules. + +And, we now create an SPDX SBOM. ## Security -* # \ No newline at end of file +* # + +## Refactoring + +* #527: Introduced SPDX SBOM +* #536: Fixed a large number of Sonar findings that came with new sonar rules. \ No newline at end of file diff --git a/exporter/common/pom.xml b/exporter/common/pom.xml index 52b9e58a..5ad9570b 100644 --- a/exporter/common/pom.xml +++ b/exporter/common/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-exporter-common OpenFastTrace Exporters Utils + Common logic for OpenFastTrace exporters ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/exporter/specobject/pom.xml b/exporter/specobject/pom.xml index 39b20762..55ae0d01 100644 --- a/exporter/specobject/pom.xml +++ b/exporter/specobject/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-exporter-specobject OpenFastTrace Specobject Exporter + Specobject (ReqM2 exchange format) exporter ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/importer/lightweightmarkup/pom.xml b/importer/lightweightmarkup/pom.xml index 37fe269b..d8357d2a 100644 --- a/importer/lightweightmarkup/pom.xml +++ b/importer/lightweightmarkup/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-importer-lightweightmarkup OpenFastTrace Lightweight Markup Importer Base + Base module for OpenFastTrace importers based on lightweight markup languages (e.g., Markdown and RST) ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/importer/markdown/pom.xml b/importer/markdown/pom.xml index 42c96065..3fb410fd 100644 --- a/importer/markdown/pom.xml +++ b/importer/markdown/pom.xml 
@@ -4,6 +4,7 @@ 4.0.0 openfasttrace-importer-markdown OpenFastTrace Markdown Importer + Importer for OpenFastTrace specification items embedded into Markdown text ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/importer/restructuredtext/pom.xml b/importer/restructuredtext/pom.xml index 4f66ed9d..db3c182d 100644 --- a/importer/restructuredtext/pom.xml +++ b/importer/restructuredtext/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-importer-restructuredtext OpenFastTrace reStructuredText Importer + Importer for OpenFastTrace specification items embedded into reStructuredText (RST) ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/importer/specobject/pom.xml b/importer/specobject/pom.xml index 91dbab26..fe079d7a 100644 --- a/importer/specobject/pom.xml +++ b/importer/specobject/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-importer-specobject OpenFastTrace Specobject Importer + Importer for OpenFastTrace specification items from Specobject (ReqM2 format) ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/importer/tag/pom.xml b/importer/tag/pom.xml index 165ed118..3649d98d 100644 --- a/importer/tag/pom.xml +++ b/importer/tag/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-importer-tag OpenFastTrace Tag Importer + Importer for OpenFastTrace specification items embedded source code marker tags ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/importer/xmlparser/pom.xml b/importer/xmlparser/pom.xml index b8723191..9a2ac786 100644 --- a/importer/xmlparser/pom.xml +++ b/importer/xmlparser/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-importer-xmlparser OpenFastTrace Common XML Parser + Importer for OpenFastTrace specification items embedded into XML ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/importer/zip/pom.xml b/importer/zip/pom.xml index c82ff929..95055477 100644 
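Review bot: The new description for importer/tag reads `Importer for OpenFastTrace specification items embedded source code marker tags`, which is missing a preposition; suggest `Importer for OpenFastTrace specification items embedded in source code marker tags`. The markdown, reStructuredText and XML entries in the neighbouring hunks use the phrasing `embedded into …`, so aligning the wording keeps the set consistent. Since these descriptions are presumably what the SPDX plugin reads as package metadata (the developer guide says it extracts module metadata from the installed POMs), they end up in the published SBOM and are worth getting right once.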
--- a/importer/zip/pom.xml +++ b/importer/zip/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-importer-zip OpenFastTrace Zip Importer + Recursive importer for OpenFastTrace specification items in ZIP archives ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/openfasttrace-mc-deployable-parent/pom.xml b/openfasttrace-mc-deployable-parent/pom.xml index 4de7d681..0d12e0df 100644 --- a/openfasttrace-mc-deployable-parent/pom.xml +++ b/openfasttrace-mc-deployable-parent/pom.xml @@ -16,6 +16,7 @@ It is maintained separately from the main parent POM for the following reasons: openfasttrace-mc-deployable-parent ${revision} OpenFastTrace Parent for modules deployed to Maven Central + Maven-central-specific deployment module for OpenFastTrace pom ../parent/pom.xml @@ -23,7 +24,6 @@ It is maintained separately from the main parent POM for the following reasons: openfasttrace-parent ${revision} - Free requirement tracking suite https://github.com/itsallcode/openfasttrace false diff --git a/parent/pom.xml b/parent/pom.xml index 38c99d47..f83811cf 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -7,10 +7,9 @@ ${revision} OpenFastTrace Parent pom - Free requirement tracking suite https://github.com/itsallcode/openfasttrace - 4.5.0 + 4.6.0 17 6.1.0-M1 6.1.0 @@ -21,11 +20,13 @@ ${reproducible.build.timestamp} -Duser.language=en false + GPL-3.0-only + Copyright (c) itsallcode.org GPL-3.0-only - https://www.gnu.org/licenses/gpl-3.0.html + https://spdx.org/licenses/GPL-3.0-only.html repo @@ -551,12 +552,13 @@ build false - GPL-3.0-only - GPL-3.0-only - Copyright (c) itsallcode.org - GPL-3.0-only - GPL-3.0-only - Copyright (c) itsallcode.org + ${spdx.license} + ${spdx.license} + ${spdx.copyright} + false + ${spdx.license} + ${spdx.license} + ${spdx.copyright} diff --git a/pom.xml b/pom.xml index 813a87ff..b5c0e563 100644 --- a/pom.xml +++ b/pom.xml 
@@ -47,6 +47,30 @@ true + + org.spdx + spdx-maven-plugin + 1.0.3 + + + aggregate-spdx + + aggregateSPDX + + + + + build + false + GPL-3.0-only + GPL-3.0-only + Copyright (c) itsallcode.org + false + GPL-3.0-only + GPL-3.0-only + Copyright (c) itsallcode.org + + diff --git a/product/pom.xml b/product/pom.xml index 58214bd1..b40e78c1 100644 --- a/product/pom.xml +++ b/product/pom.xml @@ -3,6 +3,7 @@ 4.0.0 openfasttrace OpenFastTrace Product + OpenFastTrace aggregated library (includes all official base modules) ../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace @@ -133,6 +134,30 @@ + + org.spdx + spdx-maven-plugin + 1.0.3 + + + aggregate-spdx + + aggregateSPDX + + + + + build + false + ${spdx.license} + ${spdx.license} + ${spdx.copyright} + false + ${spdx.license} + ${spdx.license} + ${spdx.copyright} + + diff --git a/reporter/aspec/pom.xml b/reporter/aspec/pom.xml index f47a75f3..80964064 100644 --- a/reporter/aspec/pom.xml +++ b/reporter/aspec/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-reporter-aspec OpenFastTrace augmented specobject Reporter + Report an OpenFastTrace requirement trace as Augmented Specobject (ReqM2 format) ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/reporter/html/pom.xml b/reporter/html/pom.xml index 288f2a61..dc4a7711 100644 --- a/reporter/html/pom.xml +++ b/reporter/html/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-reporter-html OpenFastTrace HTML Reporter + Generate HTML report from an OpenFastTrace requirement trace ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/reporter/plaintext/pom.xml b/reporter/plaintext/pom.xml index a0719c1d..fefd1284 100644 --- a/reporter/plaintext/pom.xml +++ b/reporter/plaintext/pom.xml 
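Review bot: The aggregate-spdx configuration added to the root pom.xml hardcodes `GPL-3.0-only` and `Copyright (c) itsallcode.org` six times, while the same patch introduces the `spdx.license` and `spdx.copyright` properties in parent/pom.xml and uses them in product/pom.xml. If the root POM inherits from parent/pom.xml (not visible here), replace the literals with `${spdx.license}` and `${spdx.copyright}` so a future license or copyright change cannot leave the aggregate SBOM out of sync; otherwise declare the two properties in the root POM as well. Note also that product/pom.xml in this same patch declares an identical aggregate-spdx execution of spdx-maven-plugin 1.0.3, and the workflow change later in the series only invokes `-pl product`, so the root execution looks redundant and should either be removed or be given a comment stating when it is meant to run.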
@@ -4,6 +4,7 @@ 4.0.0 openfasttrace-reporter-plaintext OpenFastTrace Plaintext Reporter + Generate plain text report from an OpenFastTrace requirement trace ../../openfasttrace-mc-deployable-parent/pom.xml org.itsallcode.openfasttrace diff --git a/testutil/pom.xml b/testutil/pom.xml index 9f5f12f3..9d1a0536 100644 --- a/testutil/pom.xml +++ b/testutil/pom.xml @@ -4,6 +4,7 @@ 4.0.0 openfasttrace-testutil OpenFastTrace Test utilities + Shared test utilities used in multiple OpenFastTrace modules jar ../parent/pom.xml From 878c8eae95976c6cde64a64835e31ecb97918f71 Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Sat, 13 Jun 2026 11:22:33 +0200 Subject: [PATCH 3/5] #527: Got a minimal SPDX SBOM that looks correct. --- .github/workflows/build.yml | 15 +++++++ doc/developer_guide.md | 13 ++++-- parent/pom.xml | 6 +++ product/pom.xml | 89 +++++++++++++++++++++++++++++++++++++ 4 files changed, 120 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 47e21b38..91b29b56 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -88,6 +88,21 @@ jobs: !product/target/openfasttrace-*-sources.jar if-no-files-found: error + - name: Generate SPDX SBOM + if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} + run: | + mvn --batch-mode -pl product spdx:createSPDX \ + -Dossindex.skip=true \ + -Djava.version=${{ matrix.java }} + + - name: Upload SPDX SBOM + uses: actions/upload-artifact@v7 + if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }} + with: + name: openfasttrace-spdx + path: product/target/site/*.spdx.json + if-no-files-found: error + - name: Run self-trace run: ./oft-self-trace.sh diff --git a/doc/developer_guide.md b/doc/developer_guide.md index baf19ce2..69dff4f4 100644 --- a/doc/developer_guide.md +++ b/doc/developer_guide.md 
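Review bot: `actions/upload-artifact@v7` in the new `Upload SPDX SBOM` step is referenced by a mutable major tag; for the step that publishes the SBOM consumers will rely on to verify what shipped, pinning to a full commit SHA with the tag as a trailing comment (`uses: actions/upload-artifact@<commit-sha-placeholder> # v7`) is the stronger supply-chain choice, unless the repository deliberately relies on tag pinning plus Dependabot elsewhere in this file. The `Generate SPDX SBOM` step runs `mvn --batch-mode -pl product spdx:createSPDX` on its own, and the developer guide added in this same patch states that the sibling module POMs must already be installed in the local Maven repository; it is worth confirming that the preceding build step (outside the hunk) runs `install` rather than `package`/`verify`, otherwise the plugin may resolve stale module metadata. Finally, this step only stores the SBOM as a workflow artifact, whereas SECURITY.md in patch 4 promises SBOMs attached to GitHub releases; if the release workflow is not updated elsewhere, that promise is not yet met by this series.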
@@ -241,12 +241,19 @@ The build will use the last Git commit timestamp as timestamp for files in `.jar The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin). -You can create the SBOM with the following command in the `product` module: +The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven cache first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM. -```sh -mvn spdx:createSPDX + +You can create the SBOM with the following sequence of Maven commands module: + +```shell +mvn install +mvn -pl product spdx:createSPDX ``` +> [!IMPORTANT] +> OFT does not include 3rd-party packages in the production JAR. The JRE we depend on is a runtime dependency on the machine OFT is executed. Therefore our SBOM only contains the OFT modules. We also did not include the test packages because they are not relevant for OFT users. + ## Creating a Release **NOTE**: This currently only works for release version numbers, not SNAPSHOT versions. diff --git a/parent/pom.xml b/parent/pom.xml index f83811cf..d49ba192 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -547,6 +547,9 @@ createSPDX + + none + @@ -559,6 +562,9 @@ ${spdx.license} ${spdx.license} ${spdx.copyright} + true + false + false diff --git a/product/pom.xml b/product/pom.xml index b40e78c1..e044916a 100644 --- a/product/pom.xml +++ b/product/pom.xml 
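Review bot: The three boolean options appended to the spdx-maven-plugin configuration (`true`, `false`, `false`) and the `none` phase added to the `build-spdx` execution carry no explanation in the POM, and their element names are not visible in this view. The developer guide in the same patch gives the rationale only in prose (only OFT modules are listed, no test packages, the JRE is a runtime dependency), so add an XML comment above the options, e.g. `<!-- SBOM lists only the OFT modules: no test-scope or third-party packages, see doc/developer_guide.md, section SBOM -->`, and one on the execution, `<!-- not bound to a lifecycle phase; run explicitly via mvn -pl product spdx:createSPDX after mvn install -->`. The enclosing `<plugin>` element starts and ends outside both hunks.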
@@ -156,6 +156,95 @@ ${spdx.license} ${spdx.license} ${spdx.copyright} + + + + both + org.itsallcode.openfasttrace + openfasttrace-api + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-core + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-exporter-common + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-exporter-specobject + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-importer-lightweightmarkup + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-importer-markdown + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-importer-restructuredtext + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-importer-specobject + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-importer-tag + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-importer-xmlparser + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-importer-zip + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-reporter-aspec + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-reporter-html + GPL-3.0-only + + + both + org.itsallcode.openfasttrace + openfasttrace-reporter-plaintext + GPL-3.0-only + + From 82a8391d32ecfaff49baf64bec908c3614c681db Mon Sep 17 00:00:00 2001 From: redcatbaer Date: Sun, 14 Jun 2026 09:28:33 +0200 Subject: [PATCH 4/5] #527: Added security policy. --- SECURITY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..efffbf0c --- /dev/null +++ b/SECURITY.md 
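Review bot: Each of the 14 module entries repeats the literal `GPL-3.0-only`, while the configuration lines directly above in the same hunk already use `${spdx.license}`; using the property in every entry too keeps a single source of truth for the declared license. The list must also be maintained by hand whenever a module is added to or removed from the product JAR, so a comment such as `<!-- keep in sync with the modules bundled into the product JAR; testutil is intentionally excluded (test-only) -->` at the top of the list would prevent silent SBOM drift. As of patch 2 the 14 entries cover every non-test module except product itself, so the set currently matches. The enclosing `<configuration>` and `<plugin>` elements start outside the hunk.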
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We are very grateful for any security reports and see them as a valuable way to improve the quality and reliability of our codebase. As a non-profit open-source project, we appreciate the time and effort the community puts into helping us keep OpenFastTrace secure.
+
+Please note that we do not offer bug bounties.
+
+To report a vulnerability, please use the [GitHub Security Advisory reporting feature](https://github.com/itsallcode/openfasttrace/security/advisories/new) or contact the maintainers directly. We strive to address all security concerns in a timely and professional manner.
+
+## Software Bill of Materials (SBOM)
+
+To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the GitHub releases starting from version 4.6.0. These files provide a comprehensive list of all components and dependencies used in the project.

From ccecf16226c8b04932c200bef0912fc37a3d318d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20B=C3=A4r?=
Date: Sun, 14 Jun 2026 16:44:08 +0200
Subject: [PATCH 5/5] Apply suggestions from code review

Co-authored-by: Christoph Pirkl <4711730+kaklakariada@users.noreply.github.com>
---
 doc/changes/changes_4.6.0.md | 2 +-
 doc/developer_guide.md | 2 +-
 parent/pom.xml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/changes/changes_4.6.0.md b/doc/changes/changes_4.6.0.md
index aec07c80..e573dd6a 100644
--- a/doc/changes/changes_4.6.0.md
+++ b/doc/changes/changes_4.6.0.md
@@ -6,7 +6,7 @@ Code name: ??
 
 We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules.
 
-And, we now create an SPDX SBOM.
+And, we now create an SPDX SBOM. You can find the SBOM of the product JAR attached to all new GitHub releases.
 
 ## Security
 
diff --git a/doc/developer_guide.md b/doc/developer_guide.md
index 69dff4f4..a7e6f734 100644
--- a/doc/developer_guide.md +++ b/doc/developer_guide.md @@ -241,7 +241,7 @@ The build will use the last Git commit timestamp as timestamp for files in `.jar The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin). -The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven cache first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM. +The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven repository first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM. You can create the SBOM with the following sequence of Maven commands module: diff --git a/parent/pom.xml b/parent/pom.xml index d49ba192..e66514f1 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -564,7 +564,7 @@ ${spdx.copyright} true false - false + true