Implement and document SBOM (#1707)
diff --git a/pom.xml b/pom.xml
index 26d4ccd..9968075 100644
--- a/pom.xml
+++ b/pom.xml
@@ -524,6 +524,26 @@
<plugins>
+ <!-- `cyclonedx-maven-plugin` doesn't exclude not installed/deployed modules: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/409
+ This `generate-sbom` execution override configures such exclusions. -->
+ <plugin>
+ <groupId>org.cyclonedx</groupId>
+ <artifactId>cyclonedx-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>generate-sbom</id>
+ <configuration combine.self="append">
+ <excludeArtifactId>log4j-api-java9</excludeArtifactId>
+ <excludeArtifactId>log4j-core-its</excludeArtifactId>
+ <excludeArtifactId>log4j-core-java9</excludeArtifactId>
+ <excludeArtifactId>log4j-layout-template-json-test</excludeArtifactId>
+ <excludeArtifactId>log4j-osgi-test</excludeArtifactId>
+ <excludeArtifactId>log4j-perf-test</excludeArtifactId>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+
<!-- Enable BOM flattening -->
<plugin>
<groupId>org.codehaus.mojo</groupId>
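Review bot: `combine.self="append"` on the `<configuration combine.self="append">` line is not a value Maven's configuration merger recognises for `combine.self` (the documented values are `override` and the default `merge`, with `remove` in newer releases); appending repeated children to an inherited configuration is spelled `combine.children="append"`. Under the default merge that this attribute falls back to, the six `<excludeArtifactId>` entries here are paired positionally with same-named entries presumably inherited from the `generate-sbom` execution in the parent, and inherited entries beyond the sixth appear to be dropped rather than kept, so the effective exclusion list may silently differ from the union the comment above the plugin describes and the generated SBOM would then misstate which modules are actually deployed. Suggest `<configuration combine.children="append">` and checking the merged list once with `mvn help:effective-pom` before relying on the SBOM. The enclosing `<plugins>` element starts and ends outside the hunk.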
diff --git a/src/site/markdown/maven-artifacts.md.vm b/src/site/markdown/maven-artifacts.md.vm
index 50d640d..4459c30 100644
--- a/src/site/markdown/maven-artifacts.md.vm
+++ b/src/site/markdown/maven-artifacts.md.vm
@@ -123,15 +123,14 @@
#sbt(['log4j-api', 'log4j-core'])
-$h2 Bill of Material
+$h2 Maven Bill of Materials (BOM)
-To keep your Log4j module versions in sync with each other, a
-<abbr id="Bill of Material">BOM</abbr>
-pom.xml file is provided for your convenience. To use this with
-[Maven](https://maven.apache.org/), add the dependency listed below to your
-`pom.xml`
-file. When you specify the version identifier in this section, you don't have to specify the version in your
-`<dependencies/>` section.
+To keep your Log4j module versions aligned, a [Maven Bill of Materials (BOM) POM](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms) is provided for your convenience.
+
+To use this with Maven, add the dependency listed below to your `pom.xml` file.
+Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
+This will *import* all modules bundled with the associated Log4j release to your `dependencyManagement`.
+As a result, you don't have to specify versions of the imported modules (`log4j-api`, `log4j-core`, etc.) while adding them using `<dependency>` elements.
`pom.xml`
@@ -188,6 +187,11 @@
}
```
+$h2 CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `2.22.0`, Log4j distributes [CyclenoDX Software Bill of Materials (SBOM)](https://cyclonedx.org/capabilities/sbom/) along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
+
$h2 Optional Components
Log4j 2.x contains several optional components that can be included in an application.
diff --git a/src/site/site.xml b/src/site/site.xml
index 75e6c4e..3eda690 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -46,13 +46,14 @@
<item name="Download" href="/download.html"/>
<item name="Support" href="/support.html"/>
<item name="Maven, Ivy, Gradle Artifacts" href="/maven-artifacts.html" collapse="true">
- <item name="Maven" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Maven_build" />
- <item name="Ivy" href="/maven-artifacts.html#Using_Log4j_in_your_Apache_Ivy_build" />
- <item name="Gradle" href="/maven-artifacts.html#Using_Log4j_in_your_Gradle_build" />
- <item name="SBT" href="/maven-artifacts.html#Using_Log4j_in_your_SBT_build" />
- <item name="Bill of Material" href="/maven-artifacts.html#Bill_of_Material" />
- <item name="Optional Components" href="/maven-artifacts.html#Optional_Components" />
- <item name="Snapshot builds" href="/maven-artifacts.html#Snapshot_builds" />
+ <item name="Maven" href="/maven-artifacts.html#using-log4j-in-your-apache-maven-build" />
+ <item name="Ivy" href="/maven-artifacts.html#using-log4j-in-your-apache-ivy-build" />
+ <item name="Gradle" href="/maven-artifacts.html#using-log4j-in-your-gradle-build" />
+ <item name="SBT" href="/maven-artifacts.html#using-log4j-in-your-sbt-build" />
+ <item name="Maven Bill of Materials (BOM)" href="/maven-artifacts.html#maven-bill-of-materials-bom" />
+ <item name="CycloneDX Software Bill of Materials (SBOM)" href="/maven-artifacts.html#cyclonedx-software-bill-of-materials-sbom" />
+ <item name="Optional Components" href="/maven-artifacts.html#optional-components" />
+ <item name="Snapshot builds" href="/maven-artifacts.html#snapshot-builds" />
</item>
<item name="Release Notes" href="/release-notes.html"/>
<item name="FAQ" href="/faq.html"/>