From 7b759bcb1ff0ebb064865b74d2afcd546667b169 Mon Sep 17 00:00:00 2001
From: Dongjoon Hyun <dongjoon@apache.org>
Date: Mon, 16 Jan 2023 22:08:05 -0800
Subject: [PATCH] GH-15265: [Java] Publish SBOM artifacts (#15267)

This closes #15265
* Closes: #15265

Authored-by: Dongjoon Hyun <dongjoon@apache.org>
Signed-off-by: Jacob Wujciak-Jens <jacob@wujciak.de>
---
 .github/workflows/java_nightly.yml |  2 +-
 ci/scripts/java_full_build.sh      |  8 ++++-
 dev/tasks/java-jars/github.yml     |  2 ++
 dev/tasks/tasks.yml                | 48 ++++++++++++++++++++++++++++++
 java/pom.xml                       | 13 ++++++++
 5 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/java_nightly.yml b/.github/workflows/java_nightly.yml
index d4f2ca9517a56..24d8c7c54eefc 100644
--- a/.github/workflows/java_nightly.yml
+++ b/.github/workflows/java_nightly.yml
@@ -107,7 +107,7 @@ jobs:
           fi
           PATTERN_TO_GET_LIB_AND_VERSION='([a-z].+)-([0-9]+.[0-9]+.[0-9]+-SNAPSHOT)'
           mkdir -p repo/org/apache/arrow/
-          for LIBRARY in $(ls binaries/$PREFIX/java-jars | grep -E '.jar|.pom' | grep SNAPSHOT); do
+          for LIBRARY in $(ls binaries/$PREFIX/java-jars | grep -E '.jar|.json|.pom|.xml' | grep SNAPSHOT); do
             [[ $LIBRARY =~ $PATTERN_TO_GET_LIB_AND_VERSION ]]
             mkdir -p repo/org/apache/arrow/${BASH_REMATCH[1]}/${BASH_REMATCH[2]}
             mkdir -p repo/org/apache/arrow/${BASH_REMATCH[1]}/${DATE}
diff --git a/ci/scripts/java_full_build.sh b/ci/scripts/java_full_build.sh
index 1c07971bcc629..2734f3e9dbec2 100755
--- a/ci/scripts/java_full_build.sh
+++ b/ci/scripts/java_full_build.sh
@@ -65,7 +65,13 @@ find . \
      -exec echo {} ";" \
      -exec cp {} $dist_dir ";"
 find ~/.m2/repository/org/apache/arrow \
-     "(" -name "*.jar" -o -name "*.zip" -o -name "*.pom" ")" \
+     "(" \
+     -name "*.jar" -o \
+     -name "*.json" -o \
+     -name "*.pom" -o \
+     -name "*.xml" -o \
+     -name "*.zip" \
+     ")" \
      -exec echo {} ";" \
      -exec cp {} $dist_dir ";"
 
diff --git a/dev/tasks/java-jars/github.yml b/dev/tasks/java-jars/github.yml
index 3dcce6d95029a..290f198b4fc64 100644
--- a/dev/tasks/java-jars/github.yml
+++ b/dev/tasks/java-jars/github.yml
@@ -211,5 +211,7 @@ jobs:
             $GITHUB_WORKSPACE/arrow \
             $GITHUB_WORKSPACE/arrow/java-dist
       {{ macros.github_upload_releases(["arrow/java-dist/*.jar",
+                                        "arrow/java-dist/*.json",
                                         "arrow/java-dist/*.pom",
+                                        "arrow/java-dist/*.xml",
                                         "arrow/java-dist/*.zip"])|indent }}
diff --git a/dev/tasks/tasks.yml b/dev/tasks/tasks.yml
index ed75166536ac2..8459fa381f293 100644
--- a/dev/tasks/tasks.yml
+++ b/dev/tasks/tasks.yml
@@ -801,91 +801,131 @@ tasks:
     ci: github
     template: java-jars/github.yml
     artifacts:
+      - arrow-algorithm-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-algorithm-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-algorithm-{no_rc_snapshot_version}-javadoc.jar
       - arrow-algorithm-{no_rc_snapshot_version}-sources.jar
       - arrow-algorithm-{no_rc_snapshot_version}-tests.jar
       - arrow-algorithm-{no_rc_snapshot_version}.jar
       - arrow-algorithm-{no_rc_snapshot_version}.pom
+      - arrow-avro-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-avro-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-avro-{no_rc_snapshot_version}-javadoc.jar
       - arrow-avro-{no_rc_snapshot_version}-sources.jar
       - arrow-avro-{no_rc_snapshot_version}-tests.jar
       - arrow-avro-{no_rc_snapshot_version}.jar
       - arrow-avro-{no_rc_snapshot_version}.pom
+      - arrow-c-data-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-c-data-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-c-data-{no_rc_snapshot_version}-javadoc.jar
       - arrow-c-data-{no_rc_snapshot_version}-sources.jar
       - arrow-c-data-{no_rc_snapshot_version}-tests.jar
       - arrow-c-data-{no_rc_snapshot_version}.jar
       - arrow-c-data-{no_rc_snapshot_version}.pom
+      - arrow-compression-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-compression-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-compression-{no_rc_snapshot_version}-javadoc.jar
       - arrow-compression-{no_rc_snapshot_version}-sources.jar
       - arrow-compression-{no_rc_snapshot_version}-tests.jar
       - arrow-compression-{no_rc_snapshot_version}.jar
       - arrow-compression-{no_rc_snapshot_version}.pom
+      - arrow-dataset-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-dataset-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-dataset-{no_rc_snapshot_version}-javadoc.jar
       - arrow-dataset-{no_rc_snapshot_version}-sources.jar
       - arrow-dataset-{no_rc_snapshot_version}-tests.jar
       - arrow-dataset-{no_rc_snapshot_version}.jar
       - arrow-dataset-{no_rc_snapshot_version}.pom
+      - arrow-flight-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-flight-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-flight-{no_rc_snapshot_version}.pom
+      - arrow-format-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-format-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-format-{no_rc_snapshot_version}-javadoc.jar
       - arrow-format-{no_rc_snapshot_version}-sources.jar
       - arrow-format-{no_rc_snapshot_version}-tests.jar
       - arrow-format-{no_rc_snapshot_version}.jar
       - arrow-format-{no_rc_snapshot_version}.pom
+      - arrow-gandiva-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-gandiva-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-gandiva-{no_rc_snapshot_version}-javadoc.jar
       - arrow-gandiva-{no_rc_snapshot_version}-sources.jar
       - arrow-gandiva-{no_rc_snapshot_version}-tests.jar
       - arrow-gandiva-{no_rc_snapshot_version}.jar
       - arrow-gandiva-{no_rc_snapshot_version}.pom
+      - arrow-java-root-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-java-root-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-java-root-{no_rc_snapshot_version}-source-release.zip
       - arrow-java-root-{no_rc_snapshot_version}.pom
+      - arrow-jdbc-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-jdbc-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-jdbc-{no_rc_snapshot_version}-javadoc.jar
       - arrow-jdbc-{no_rc_snapshot_version}-sources.jar
       - arrow-jdbc-{no_rc_snapshot_version}-tests.jar
       - arrow-jdbc-{no_rc_snapshot_version}.jar
       - arrow-jdbc-{no_rc_snapshot_version}.pom
+      - arrow-memory-core-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-core-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-core-{no_rc_snapshot_version}-javadoc.jar
       - arrow-memory-core-{no_rc_snapshot_version}-sources.jar
       - arrow-memory-core-{no_rc_snapshot_version}-tests.jar
       - arrow-memory-core-{no_rc_snapshot_version}.jar
       - arrow-memory-core-{no_rc_snapshot_version}.pom
+      - arrow-memory-netty-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-netty-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-netty-{no_rc_snapshot_version}-javadoc.jar
       - arrow-memory-netty-{no_rc_snapshot_version}-sources.jar
       - arrow-memory-netty-{no_rc_snapshot_version}-tests.jar
       - arrow-memory-netty-{no_rc_snapshot_version}.jar
       - arrow-memory-netty-{no_rc_snapshot_version}.pom
+      - arrow-memory-unsafe-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-unsafe-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-unsafe-{no_rc_snapshot_version}-javadoc.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}-sources.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}-tests.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}.pom
+      - arrow-memory-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-{no_rc_snapshot_version}.pom
+      - arrow-orc-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-orc-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-orc-{no_rc_snapshot_version}-javadoc.jar
       - arrow-orc-{no_rc_snapshot_version}-sources.jar
       - arrow-orc-{no_rc_snapshot_version}-tests.jar
       - arrow-orc-{no_rc_snapshot_version}.jar
       - arrow-orc-{no_rc_snapshot_version}.pom
+      - arrow-performance-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-performance-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-performance-{no_rc_snapshot_version}-sources.jar
       - arrow-performance-{no_rc_snapshot_version}-tests.jar
       - arrow-performance-{no_rc_snapshot_version}.jar
       - arrow-performance-{no_rc_snapshot_version}.pom
+      - arrow-plasma-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-plasma-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-plasma-{no_rc_snapshot_version}-javadoc.jar
       - arrow-plasma-{no_rc_snapshot_version}-sources.jar
       - arrow-plasma-{no_rc_snapshot_version}-tests.jar
       - arrow-plasma-{no_rc_snapshot_version}.jar
       - arrow-plasma-{no_rc_snapshot_version}.pom
+      - arrow-tools-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-tools-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-tools-{no_rc_snapshot_version}-jar-with-dependencies.jar
       - arrow-tools-{no_rc_snapshot_version}-javadoc.jar
       - arrow-tools-{no_rc_snapshot_version}-sources.jar
       - arrow-tools-{no_rc_snapshot_version}-tests.jar
       - arrow-tools-{no_rc_snapshot_version}.jar
       - arrow-tools-{no_rc_snapshot_version}.pom
+      - arrow-vector-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-vector-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-vector-{no_rc_snapshot_version}-javadoc.jar
       - arrow-vector-{no_rc_snapshot_version}-shade-format-flatbuffers.jar
       - arrow-vector-{no_rc_snapshot_version}-sources.jar
       - arrow-vector-{no_rc_snapshot_version}-tests.jar
       - arrow-vector-{no_rc_snapshot_version}.jar
       - arrow-vector-{no_rc_snapshot_version}.pom
+      - flight-core-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-core-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-core-{no_rc_snapshot_version}-jar-with-dependencies.jar
       - flight-core-{no_rc_snapshot_version}-javadoc.jar
       - flight-core-{no_rc_snapshot_version}-shaded-ext.jar
@@ -894,22 +934,30 @@ tasks:
       - flight-core-{no_rc_snapshot_version}-tests.jar
       - flight-core-{no_rc_snapshot_version}.jar
       - flight-core-{no_rc_snapshot_version}.pom
+      - flight-grpc-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-grpc-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-grpc-{no_rc_snapshot_version}-javadoc.jar
       - flight-grpc-{no_rc_snapshot_version}-sources.jar
       - flight-grpc-{no_rc_snapshot_version}-tests.jar
       - flight-grpc-{no_rc_snapshot_version}.jar
       - flight-grpc-{no_rc_snapshot_version}.pom
+      - flight-integration-tests-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-integration-tests-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-integration-tests-{no_rc_snapshot_version}-jar-with-dependencies.jar
       - flight-integration-tests-{no_rc_snapshot_version}-javadoc.jar
       - flight-integration-tests-{no_rc_snapshot_version}-sources.jar
       - flight-integration-tests-{no_rc_snapshot_version}-tests.jar
       - flight-integration-tests-{no_rc_snapshot_version}.jar
       - flight-integration-tests-{no_rc_snapshot_version}.pom
+      - flight-sql-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-sql-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-sql-{no_rc_snapshot_version}-javadoc.jar
       - flight-sql-{no_rc_snapshot_version}-sources.jar
       - flight-sql-{no_rc_snapshot_version}-tests.jar
       - flight-sql-{no_rc_snapshot_version}.jar
       - flight-sql-{no_rc_snapshot_version}.pom
+      - flight-sql-jdbc-driver-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-sql-jdbc-driver-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-sql-jdbc-driver-{no_rc_snapshot_version}-javadoc.jar
       - flight-sql-jdbc-driver-{no_rc_snapshot_version}-sources.jar
       - flight-sql-jdbc-driver-{no_rc_snapshot_version}-tests.jar
diff --git a/java/pom.xml b/java/pom.xml
index 44137d819e6c6..3c34eb4558800 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -355,6 +355,19 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.cyclonedx</groupId>
+        <artifactId>cyclonedx-maven-plugin</artifactId>
+        <version>2.7.3</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>makeBom</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
 
     <pluginManagement>