Generate an SBOM for the javaagent artifact (#11075)

Co-authored-by: Lauri Tulmin <ltulmin@splunk.com>
Co-authored-by: Trask Stalnaker <trask.stalnaker@gmail.com>

.github/workflows/build-common.yml

@@ -155,7 +155,7 @@ jobs:
         env:
           GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
         # javadoc task fails sporadically fetching https://docs.oracle.com/javase/8/docs/api/
-        run: ./gradlew check -x javadoc -x spotlessCheck -PskipTests=true ${{ inputs.no-build-cache && '--no-build-cache' || '' }}
+        run: ./gradlew check spdxSbom -x javadoc -x spotlessCheck -PskipTests=true ${{ inputs.no-build-cache && '--no-build-cache' || '' }}
 
       - name: Check for jApiCmp diffs
         run: |
@@ -174,10 +174,21 @@ jobs:
       - name: Upload agent jar
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
-          name: opentelemetry-javaagent
+          name: opentelemetry-javaagent.jar
           path: javaagent/build/libs/opentelemetry-javaagent-*-SNAPSHOT.jar
           if-no-files-found: ignore
 
+      - name: Collect SBOMs
+        run: |
+          mkdir sboms
+          cp javaagent/build/spdx/*.spdx.json sboms
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        name: Upload SBOMs
+        with:
+          name: opentelemetry-java-instrumentation-SBOM.zip
+          path: "sboms/*.json"
+
   test:
     name: test${{ matrix.test-partition }} (${{ matrix.test-java-version }}, ${{ matrix.vm }})
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -94,7 +94,7 @@ jobs:
           SONATYPE_KEY: ${{ secrets.SONATYPE_KEY }}
           GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
           GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
-        run: ./gradlew assemble publishToSonatype closeAndReleaseSonatypeStagingRepository
+        run: ./gradlew assemble spdxSbom publishToSonatype closeAndReleaseSonatypeStagingRepository
 
       - name: Build and publish gradle plugins
         env:
@@ -108,6 +108,18 @@ jobs:
         run: ./gradlew build publishPlugins publishPluginMavenPublicationToSonatypeRepository closeAndReleaseSonatypeStagingRepository
         working-directory: gradle-plugins
 
+      - name: Collect SBOMs
+        run: |
+          mkdir sboms
+          cp javaagent/build/spdx/*.spdx.json sboms
+          zip opentelemetry-java-instrumentation-SBOM.zip sboms/*
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        name: Upload SBOMs
+        with:
+          name: opentelemetry-java-instrumentation-SBOM
+          path: "sboms/*.json"
+
       - name: Generate release notes
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -161,7 +173,8 @@ jobs:
                             --title "Version $VERSION" \
                             --notes-file /tmp/release-notes.txt \
                             v$VERSION \
-                            opentelemetry-javaagent.jar
+                            opentelemetry-javaagent.jar \
+                            opentelemetry-java-instrumentation-SBOM.zip
 
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 

conventions/build.gradle.kts

@@ -62,6 +62,7 @@ dependencies {
   implementation("com.gradle.develocity:com.gradle.develocity.gradle.plugin:3.17.4")
   implementation("org.owasp:dependency-check-gradle:9.2.0")
   implementation("ru.vyarus:gradle-animalsniffer-plugin:1.7.1")
+  implementation("org.spdx:spdx-gradle-plugin:0.5.0")
   // When updating, also update dependencyManagement/build.gradle.kts
   implementation("net.bytebuddy:byte-buddy-gradle-plugin:1.14.15")
   implementation("gradle.plugin.io.morethan.jmhreport:gradle-jmh-report:0.9.6")

javaagent/build.gradle.kts

@@ -1,6 +1,7 @@
 import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
 import com.github.jk1.license.filter.LicenseBundleNormalizer
 import com.github.jk1.license.render.InventoryMarkdownReportRenderer
+import java.util.UUID
 
 plugins {
   id("com.github.jk1.dependency-license-report")
@@ -8,6 +9,7 @@ plugins {
   id("otel.java-conventions")
   id("otel.publish-conventions")
   id("io.opentelemetry.instrumentation.javaagent-shadowing")
+  id("org.spdx.sbom")
 }
 
 description = "OpenTelemetry Javaagent"
@@ -271,6 +273,36 @@ with(components["java"] as AdhocComponentWithVariants) {
   }
 }
 
+spdxSbom {
+  targets {
+    // Create a target to match the published jar name.
+    // This is used for the task name (spdxSbomFor<SbomName>)
+    // and output file (<sbomName>.spdx.json).
+    create("opentelemetry-javaagent") {
+      configurations.set(listOf("baseJavaagentLibs"))
+      scm {
+        uri.set("https://github.com/" + System.getenv("GITHUB_REPOSITORY"))
+        revision.set(System.getenv("GITHUB_SHA"))
+      }
+      document {
+        name.set("opentelemetry-javaagent")
+        namespace.set("https://opentelemetry.io/spdx/" + UUID.randomUUID())
+      }
+    }
+  }
+}
+tasks.withType<AbstractPublishToMaven> {
+  dependsOn("spdxSbom")
+}
+project.afterEvaluate {
+  tasks.withType<PublishToMavenLocal>().configureEach {
+    this.publication.artifact("${layout.buildDirectory.get()}/spdx/opentelemetry-javaagent.spdx.json") {
+      classifier = "spdx"
+      extension = "json"
+    }
+  }
+}
+
 licenseReport {
   outputDir = rootProject.file("licenses").absolutePath