This repository includes two GitHub Actions to handle SBOM (Software Bill of Materials) management for multiple Apache Maven-related projects. These workflows automate the process of generating and/or fetching SBOMs and uploading them to DependencyTrack for continuous vulnerability tracking.
This workflow:
- Clones each repository listed in
repos.json - Builds it locally using Maven
- Generates an SBOM using the CycloneDX Maven plugin
- Uploads the generated SBOM to DependencyTrack
Use this when you want SBOMs built from source.
This workflow:
- Fetches published artifact metadata from Maven Central
- Downloads any available pre-generated CycloneDX JSON SBOMs
- Uploads them to DependencyTrack
Use this when SBOMs are already published to Maven Central.
The list of repositories is maintained in the repos.json file. Each entry must include:
name: Unique display name used for DependencyTrackurl: Git repository URL (used only by thebuild-upload-sboms.ymlworkflow)groupId: Maven group ID (used to construct the Maven Central path)artifactId: Maven artifact ID
{
"name": "maven-dependency-plugin",
"url": "https://github.com/apache/maven-dependency-plugin.git",
"groupId": "org.apache.maven.plugins",
"artifactId": "maven-dependency-plugin"
}