
JSTEP 14

Tatu Saloranta edited this page Nov 16, 2025 · 5 revisions

Back to JSTEP page

Generate, publish SBOMs for Jackson components

Author

Tatu Saloranta (@cowtowncoder)

Version history

  • 2025-11-16: Note on being fixed for 2.21, 3.1
  • 2025-05-02: Completed
  • 2025-04-23: Created first proposal

Status

Completed initial version; all repos publishing SBOMs (including Scala). Classifier used: sbom-cyclonedx

NOTE: although publishing was initially planned for 2.20 / 3.0, it did not work for those releases due to issues with Sonatype Central publishing. The first versions that actually publish SBOMs are 2.21 and 3.1 (and later).

Related

Overview

Use of SBOMs (Software Bill of Materials) is starting to increase. For an overview of SBOMs see:

It would make sense to produce SBOM artifacts for Jackson components as part of the build process, and to publish them to Maven Central alongside the jars they describe.

Timing

Because of the proximity of the 2.19.0 release, we waited until the 2.20 branch had been created before publishing SBOMs for all artifacts.

Technical details

Proof-of-Concept: generating SBOMs

Adding this to pom.xml

<build>
  <plugins>
      <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>makeAggregateBom</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
  </plugins>
</build>

will generate target/bom.xml and target/bom.json (the plugin's default output name is "bom", in both the XML and JSON encodings of CycloneDX). The makeAggregateBom goal includes the dependencies of all modules in a multi-module build; bound to the package phase, it runs after the jar has been built.

Proof-of-Concept: publishing SBOMs

The plug-in by default "attaches" the generated SBOMs as secondary artifacts of the module (with a classifier), so the standard install and deploy steps publish them next to the jar without further configuration.

One open question is the "classifier" to use for SBOM artifacts. The default of "cyclonedx" produces:

jackson-core-2.20.0-SNAPSHOT-cyclonedx.json

but some frameworks use a different classifier: Quarkus seems to default to "dependency-cyclonedx" instead, for example. Whatever classifier is chosen becomes part of the published file name, so consumers need to know it to resolve the SBOM.

If the plug-in did not attach the files, we could attach them manually with build-helper-maven-plugin:

<plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>build-helper-maven-plugin</artifactId>
    <executions>
        <execution>
            <id>attach-sbom</id>
            <!-- Must run after cyclonedx-maven-plugin has written target/bom.* in the package phase -->
            <phase>package</phase>
            <goals>
                <goal>attach-artifact</goal>
            </goals>
            <configuration>
                <artifacts>
                    <!-- "type" becomes the file extension of the attached artifact;
                         a <classifier> element could be added here to match the
                         naming produced by cyclonedx-maven-plugin's own attach -->
                    <artifact>
                        <file>${project.build.directory}/bom.xml</file>
                        <type>bom.xml</type>
                    </artifact>
                    <artifact>
                        <file>${project.build.directory}/bom.json</file>
                        <type>bom.json</type>
                    </artifact>
                </artifacts>
            </configuration>
        </execution>
    </executions>
</plugin>

Classifier used

For the first version we went with sbom-cyclonedx (02-May-2025), so the published file for a module is named like jackson-core-<version>-sbom-cyclonedx.json (and .xml). This may be revisited in future.
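The consumer side of the "generating" and "publishing" sections above, as an added example that is not part of this page or of the Jackson build: it derives the Maven Central URL of a published SBOM from coordinates plus the sbom-cyclonedx classifier, then checks a downloaded CycloneDX JSON document against the jar it is supposed to describe (metadata component group/name/version and purl, and the declared SHA-256 if the BOM carries one) and lists the dependency purls. The BOM and jar bytes embedded here are constructed stand-ins, and the version 2.21.0 and the dependency coordinates are assumptions, not taken from the page; whether the plugin records a hash for the main component is likewise not something the page states, so the hash check is only applied when a hash is present.

```python
"""Consumer-side check of a published CycloneDX SBOM for a Maven artifact.

Added example, not part of the JSTEP page or the Jackson build. Assumes the
Maven Central repository layout and the `sbom-cyclonedx` classifier chosen
on the page. SAMPLE_JAR / SAMPLE_BOM below are constructed test data.
"""
import hashlib
import json

MAVEN_CENTRAL = "https://repo1.maven.org/maven2"


def sbom_url(group_id, artifact_id, version, classifier="sbom-cyclonedx", ext="json"):
    """Repository-layout URL of the SBOM attached under the given classifier."""
    return "%s/%s/%s/%s/%s-%s-%s.%s" % (
        MAVEN_CENTRAL, group_id.replace(".", "/"), artifact_id, version,
        artifact_id, version, classifier, ext)


def maven_purl(group_id, artifact_id, version):
    """Package URL the CycloneDX Maven plugin uses for a jar component."""
    return f"pkg:maven/{group_id}/{artifact_id}@{version}?type=jar"


def check_sbom(bom, group_id, artifact_id, version, jar_bytes):
    """Return a list of problems found; an empty list means the SBOM matches."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("not a CycloneDX document")
    comp = bom.get("metadata", {}).get("component", {})
    # The main component must describe exactly the artifact we resolved.
    for key, want in (("group", group_id), ("name", artifact_id), ("version", version)):
        if comp.get(key) != want:
            problems.append(f"metadata.component.{key} is {comp.get(key)!r}, expected {want!r}")
    want_purl = maven_purl(group_id, artifact_id, version)
    if comp.get("purl") != want_purl:
        problems.append(f"metadata.component.purl is {comp.get('purl')!r}, expected {want_purl!r}")
    # If the BOM declares a SHA-256 for the main component, it must match the jar we hold.
    declared = {h.get("alg"): h.get("content", "").lower() for h in comp.get("hashes", [])}
    if "SHA-256" in declared:
        actual = hashlib.sha256(jar_bytes).hexdigest()
        if declared["SHA-256"] != actual:
            problems.append("SHA-256 of jar does not match hash declared in SBOM")
    return problems


def dependency_purls(bom):
    """Sorted purls of the components (dependencies) listed in the BOM."""
    return sorted(c["purl"] for c in bom.get("components", []) if "purl" in c)


# Constructed stand-in for jackson-core-2.21.0.jar (not the real jar).
SAMPLE_JAR = b"PK\x03\x04 constructed stand-in for jackson-core-2.21.0.jar"

# Constructed CycloneDX 1.6 JSON document in the shape cyclonedx-maven-plugin emits.
# The dependency coordinates are made up for the example.
SAMPLE_BOM = json.loads(json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {
        "component": {
            "type": "library",
            "group": "com.fasterxml.jackson.core",
            "name": "jackson-core",
            "version": "2.21.0",
            "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.0?type=jar",
            "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(SAMPLE_JAR).hexdigest()}],
        }
    },
    "components": [
        {"type": "library", "group": "org.example", "name": "example-dep", "version": "1.0.0",
         "purl": "pkg:maven/org.example/example-dep@1.0.0?type=jar"}
    ],
}))


if __name__ == "__main__":
    print(sbom_url("com.fasterxml.jackson.core", "jackson-core", "2.21.0"))
    print("problems:", check_sbom(SAMPLE_BOM, "com.fasterxml.jackson.core", "jackson-core", "2.21.0", SAMPLE_JAR))
    print("dependencies:", dependency_purls(SAMPLE_BOM))
```

In practice the jar, its .asc signature and the SBOM would all be fetched from the URL layout above; the point of the cross-check is that a classifier-attached SBOM is a separate file, so nothing forces it to describe the jar next to it unless the consumer verifies the coordinates and hash.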
