
Support ability to use cyclonedx-maven-plugin

Open xyloman opened this issue 3 years ago • 6 comments

Currently, Syft is used to generate SBOMs. The fidelity of the resulting SBOM is very low. It does not contain provenance information of included dependencies. This information is typically included in the case of CycloneDX when leveraging the CycloneDX maven plugin as a part of the build. Maven plugins usually have access to the entire dependency graph during build time which means the SBOM contains information that can only be discovered during build time:

  • issue URLs
  • maven repository containing the resolved dependencies
  • project pages
  • test dependencies

Describe the Enhancement

Allow a maven build to contribute a CycloneDX document generated during build time.

Possible Solution

Java buildpack could discover a file such as ${project.artifactId}-${project.version}-cyclonedx.xml or ${project.artifactId}-${project.version}-cyclonedx.json and include it in the resulting cnb-sboms layer.

Motivation

CycloneDX documents generated during the maven build process will have access to more information about dependencies that can be fed into the bill of materials CycloneDX document.

xyloman Nov 14 '22 18:11
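To show how the Maven side of this request would produce the file the issue proposes, here is an added pom.xml fragment for the CycloneDX Maven plugin (example configuration, not code from the issue or from the buildpack project); the plugin version is a placeholder, and the output directory is left at the plugin's default of the project build directory.

```xml
<!-- Added example, not part of the original issue: configures org.cyclonedx:cyclonedx-maven-plugin
     to write the SBOM at target/<artifactId>-<version>-cyclonedx.{xml,json},
     the file names the issue suggests a buildpack could discover.
     PLUGIN_VERSION_PLACEHOLDER must be replaced with a released plugin version. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <executions>
        <execution>
          <!-- Run at package time so the SBOM exists before the image is built -->
          <phase>package</phase>
          <goals>
            <!-- Aggregates the full resolved dependency graph of the reactor -->
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Emit both XML and JSON so either file name from the issue is present -->
        <outputFormat>all</outputFormat>
        <!-- Base name of the output; the plugin appends .xml / .json -->
        <outputName>${project.artifactId}-${project.version}-cyclonedx</outputName>
        <!-- Keep test-scoped dependencies, one of the build-time-only facts the issue lists -->
        <includeTestScope>true</includeTestScope>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Because the document is produced from the resolved build-time graph rather than from the packaged artifact, it carries the provenance, repository and scope details that a post-build scan of the jar cannot recover.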