refactoring/527_spdx-sbom

.github/workflows/build.yml

@@ -88,6 +88,21 @@ jobs:
             !product/target/openfasttrace-*-sources.jar
           if-no-files-found: error
 
+      - name: Generate SPDX SBOM
+        if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
+        run: |
+          mvn --batch-mode -pl product spdx:createSPDX \
+              -Dossindex.skip=true \
+              -Djava.version=${{ matrix.java }}
+
+      - name: Upload SPDX SBOM
+        uses: actions/upload-artifact@v7
+        if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
+        with:
+          name: openfasttrace-spdx
+          path: product/target/site/*.spdx.json
+          if-no-files-found: error
+
       - name: Run self-trace
         run: ./oft-self-trace.sh
 

SECURITY.md

@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We are very grateful for any security reports and see them as a valuable way to improve the quality and reliability of our codebase. As a non-profit open-source project, we appreciate the time and effort the community puts into helping us keep OpenFastTrace secure.
+
+Please note that we do not offer bug bounties.
+
+To report a vulnerability, please use the [GitHub Security Advisory reporting feature](https://github.com/itsallcode/openfasttrace/security/advisories/new) or contact the maintainers directly. We strive to address all security concerns in a timely and professional manner.
+
+## Software Bill of Materials (SBOM)
+
+To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the GitHub releases starting from version 4.6.0. These files provide a comprehensive list of all components and dependencies used in the project.

api/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-api</artifactId>
     <name>OpenFastTrace API</name>
+    <description>Public API of OpenFastTrace</description>
     <parent>
         <relativePath>../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

core/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-core</artifactId>
     <name>OpenFastTrace Core</name>
+    <description>OpenFastTrace core logic (specification items, linking and base modules for importers, exporters and reporters)</description>
     <parent>
         <relativePath>../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

doc/changes/changes_4.6.0.md

@@ -4,8 +4,15 @@ Code name: ??
 
 ## Summary
 
-We moved some GitHub action permissions from workflow-level to job-level.
+We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules.
+
+And, we now create an SPDX SBOM. You can find the SBOM of the product JAR attached to all new GitHub releases.
 
 ## Security
 
-* #
+* #
+
+## Refactoring
+
+* #527: Introduced SPDX SBOM
+* #536: Fixed a large number of Sonar findings that came with new sonar rules.

doc/developer_guide.md

@@ -237,6 +237,23 @@ This project is configured to produce exactly the same artifacts each time when
 
 The build will use the last Git commit timestamp as timestamp for files in `.jar` archives.
 
+## SBOM
+
+The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin).
+
+The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven repository first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM.
+
+
+You can create the SBOM with the following sequence of Maven commands module:
+
+```shell
+mvn install
+mvn -pl product spdx:createSPDX
+```
+
+> [!IMPORTANT]
+> OFT does not include 3rd-party packages in the production JAR. The JRE we depend on is a runtime dependency on the machine OFT is executed. Therefore our SBOM only contains the OFT modules. We also did not include the test packages because they are not relevant for OFT users. 
+
 ## Creating a Release
 
 **NOTE**: This currently only works for release version numbers, not SNAPSHOT versions.

exporter/common/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-exporter-common</artifactId>
     <name>OpenFastTrace Exporters Utils</name>
+    <description>Common logic for OpenFastTrace exporters</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

exporter/specobject/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-exporter-specobject</artifactId>
     <name>OpenFastTrace Specobject Exporter</name>
+    <description>Specobject (ReqM2 exchange format) exporter</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

importer/lightweightmarkup/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-importer-lightweightmarkup</artifactId>
     <name>OpenFastTrace Lightweight Markup Importer Base</name>
+    <description>Base module for OpenFastTrace importers based on lightweight markup languages (e.g., Markdown and RST)</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

importer/markdown/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-importer-markdown</artifactId>
     <name>OpenFastTrace Markdown Importer</name>
+    <description>Importer for OpenFastTrace specification items embedded into Markdown text</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

importer/restructuredtext/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-importer-restructuredtext</artifactId>
     <name>OpenFastTrace reStructuredText Importer</name>
+    <description>Importer for OpenFastTrace specification items embedded into reStructuredText (RST)</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

importer/specobject/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-importer-specobject</artifactId>
     <name>OpenFastTrace Specobject Importer</name>
+    <description>Importer for OpenFastTrace specification items from Specobject (ReqM2 format)</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

importer/tag/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-importer-tag</artifactId>
     <name>OpenFastTrace Tag Importer</name>
+    <description>Importer for OpenFastTrace specification items embedded source code marker tags</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

importer/xmlparser/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-importer-xmlparser</artifactId>
     <name>OpenFastTrace Common XML Parser</name>
+    <description>Importer for OpenFastTrace specification items embedded into XML</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

importer/zip/pom.xml

@@ -4,6 +4,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>openfasttrace-importer-zip</artifactId>
     <name>OpenFastTrace Zip Importer</name>
+    <description>Recursive importer for OpenFastTrace specification items in ZIP archives</description>
     <parent>
         <relativePath>../../openfasttrace-mc-deployable-parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>

openfasttrace-mc-deployable-parent/pom.xml

@@ -16,14 +16,14 @@ It is maintained separately from the main parent POM for the following reasons:
     <artifactId>openfasttrace-mc-deployable-parent</artifactId>
     <version>${revision}</version>
     <name>OpenFastTrace Parent for modules deployed to Maven Central</name>
+    <description>Maven-central-specific deployment module for OpenFastTrace</description>
     <packaging>pom</packaging>
     <parent>
         <relativePath>../parent/pom.xml</relativePath>
         <groupId>org.itsallcode.openfasttrace</groupId>
         <artifactId>openfasttrace-parent</artifactId>
         <version>${revision}</version>
     </parent>
-    <description>Free requirement tracking suite</description>
     <url>https://github.com/itsallcode/openfasttrace</url>
     <properties>
         <centralPublishingSkipPublishing>false</centralPublishingSkipPublishing>

parent/pom.xml

@@ -7,10 +7,9 @@
     <version>${revision}</version>
     <name>OpenFastTrace Parent</name>
     <packaging>pom</packaging>
-    <description>Free requirement tracking suite</description>
     <url>https://github.com/itsallcode/openfasttrace</url>
     <properties>
-        <revision>4.5.0</revision>
+        <revision>4.6.0</revision>
         <java.version>17</java.version>
         <junit.version>6.1.0-M1</junit.version>
         <junit.version>6.1.0</junit.version>
@@ -21,11 +20,13 @@
         <project.build.outputTimestamp>${reproducible.build.timestamp}</project.build.outputTimestamp>
         <test.args>-Duser.language=en</test.args>
         <ossindex.skip>false</ossindex.skip>
+        <spdx.license>GPL-3.0-only</spdx.license>
+        <spdx.copyright>Copyright (c) itsallcode.org</spdx.copyright>
     </properties>
     <licenses>
         <license>
-            <name>GNU General Public License v3.0</name>
-            <url>https://www.gnu.org/licenses/gpl-3.0.html</url>
+            <name>GPL-3.0-only</name>
+            <url>https://spdx.org/licenses/GPL-3.0-only.html</url>
             <distribution>repo</distribution>
         </license>
     </licenses>
@@ -528,14 +529,44 @@
                 <version>2.21.0</version>
             </plugin>
             <plugin>
-                <!-- Deployment of this module not required -->
+                <!-- Deployment of this module is not required -->
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-deploy-plugin</artifactId>
                 <version>3.1.4</version>
                 <configuration>
                     <skip>true</skip>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.spdx</groupId>
+                <artifactId>spdx-maven-plugin</artifactId>
+                <version>1.0.3</version>
+                <executions>
+                    <execution>
+                        <id>build-spdx</id>
+                        <goals>
+                            <goal>createSPDX</goal>
+                        </goals>
+                        <phase>
+                            none
+                        </phase>
+                    </execution>
+                </executions>
+                <configuration>
+                    <sbomType>build</sbomType>
+                    <includeTestScope>false</includeTestScope>
+                    <licenseDeclared>${spdx.license}</licenseDeclared>
+                    <licenseConcluded>${spdx.license}</licenseConcluded>
+                    <copyrightText>${spdx.copyright}</copyrightText>
+                    <createExternalRefs>false</createExternalRefs>
+                    <defaultFileConcludedLicense>${spdx.license}</defaultFileConcludedLicense>
+                    <defaultLicenseInformationInFile>${spdx.license}</defaultLicenseInformationInFile>
+                    <defaultFileCopyright>${spdx.copyright}</defaultFileCopyright>
+                    <includeCompileScope>true</includeCompileScope>
+                    <includeTestScope>false</includeTestScope>
+                    <includeTransitiveDependencies>true</includeTransitiveDependencies>
+                </configuration>
+            </plugin>
         </plugins>
         <pluginManagement>
             <plugins>

pom.xml

@@ -47,6 +47,30 @@
                     <skip>true</skip>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.spdx</groupId>
+                <artifactId>spdx-maven-plugin</artifactId>
+                <version>1.0.3</version>
+                <executions>
+                    <execution>
+                        <id>aggregate-spdx</id>
+                        <goals>
+                            <goal>aggregateSPDX</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <sbomType>build</sbomType>
+                    <includeTestScope>false</includeTestScope>
+                    <licenseDeclared>GPL-3.0-only</licenseDeclared>
+                    <licenseConcluded>GPL-3.0-only</licenseConcluded>
+                    <copyrightText>Copyright (c) itsallcode.org</copyrightText>
+                    <createExternalRefs>false</createExternalRefs>
+                    <defaultFileConcludedLicense>GPL-3.0-only</defaultFileConcludedLicense>
+                    <defaultLicenseInformationInFile>GPL-3.0-only</defaultLicenseInformationInFile>
+                    <defaultFileCopyright>Copyright (c) itsallcode.org</defaultFileCopyright>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
 </project>