From 035ee69a4efab262e668e896092083252e4464d0 Mon Sep 17 00:00:00 2001
From: Dongjoon Hyun <dongjoon@apache.org>
Date: Mon, 9 Jan 2023 01:18:00 -0800
Subject: [PATCH 1/5] GH-15265: [Java] Publish SBOM artifacts

---
 java/pom.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/java/pom.xml b/java/pom.xml
index 44137d819e6c6..3c34eb4558800 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -355,6 +355,19 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.cyclonedx</groupId>
+        <artifactId>cyclonedx-maven-plugin</artifactId>
+        <version>2.7.3</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>makeBom</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
 
     <pluginManagement>

From 785ceac01f8cd31369a190536bd3500e4f1d70b0 Mon Sep 17 00:00:00 2001
From: Dongjoon Hyun <dongjoon@apache.org>
Date: Mon, 9 Jan 2023 09:44:46 -0800
Subject: [PATCH 2/5] Address comment

---
 ci/scripts/java_full_build.sh  | 8 +++++++-
 dev/tasks/java-jars/github.yml | 2 ++
 dev/tasks/tasks.yml            | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ci/scripts/java_full_build.sh b/ci/scripts/java_full_build.sh
index 1c07971bcc629..dba9a1b358873 100755
--- a/ci/scripts/java_full_build.sh
+++ b/ci/scripts/java_full_build.sh
@@ -61,7 +61,13 @@ mvn clean \
 
 # copy all jar, zip and pom files to the distribution folder
 find . \
-     "(" -name "*-javadoc.jar" -o -name "*-sources.jar" ")" \
+     "(" \
+     -name "*.jar" -o \
+     -name "*.json" -o \
+     -name "*.pom" -o \
+     -name "*.xml" -o \
+     -name "*.zip" \
+     ")" \
      -exec echo {} ";" \
      -exec cp {} $dist_dir ";"
 find ~/.m2/repository/org/apache/arrow \
diff --git a/dev/tasks/java-jars/github.yml b/dev/tasks/java-jars/github.yml
index 3dcce6d95029a..290f198b4fc64 100644
--- a/dev/tasks/java-jars/github.yml
+++ b/dev/tasks/java-jars/github.yml
@@ -211,5 +211,7 @@ jobs:
             $GITHUB_WORKSPACE/arrow \
             $GITHUB_WORKSPACE/arrow/java-dist
       {{ macros.github_upload_releases(["arrow/java-dist/*.jar",
+                                        "arrow/java-dist/*.json",
                                         "arrow/java-dist/*.pom",
+                                        "arrow/java-dist/*.xml",
                                         "arrow/java-dist/*.zip"])|indent }}
diff --git a/dev/tasks/tasks.yml b/dev/tasks/tasks.yml
index ed75166536ac2..29aad6f0cc3d8 100644
--- a/dev/tasks/tasks.yml
+++ b/dev/tasks/tasks.yml
@@ -801,6 +801,8 @@ tasks:
     ci: github
     template: java-jars/github.yml
     artifacts:
+      - arrow-algorithm-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-algorithm-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-algorithm-{no_rc_snapshot_version}-javadoc.jar
       - arrow-algorithm-{no_rc_snapshot_version}-sources.jar
       - arrow-algorithm-{no_rc_snapshot_version}-tests.jar

From a2f604e326830fa40d096846b89fb9fd1a66ce7b Mon Sep 17 00:00:00 2001
From: Dongjoon Hyun <dongjoon@apache.org>
Date: Mon, 9 Jan 2023 10:57:11 -0800
Subject: [PATCH 3/5] fix

---
 ci/scripts/java_full_build.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ci/scripts/java_full_build.sh b/ci/scripts/java_full_build.sh
index dba9a1b358873..2734f3e9dbec2 100755
--- a/ci/scripts/java_full_build.sh
+++ b/ci/scripts/java_full_build.sh
@@ -61,6 +61,10 @@ mvn clean \
 
 # copy all jar, zip and pom files to the distribution folder
 find . \
+     "(" -name "*-javadoc.jar" -o -name "*-sources.jar" ")" \
+     -exec echo {} ";" \
+     -exec cp {} $dist_dir ";"
+find ~/.m2/repository/org/apache/arrow \
      "(" \
      -name "*.jar" -o \
      -name "*.json" -o \
@@ -70,9 +74,5 @@ find . \
      ")" \
      -exec echo {} ";" \
      -exec cp {} $dist_dir ";"
-find ~/.m2/repository/org/apache/arrow \
-     "(" -name "*.jar" -o -name "*.zip" -o -name "*.pom" ")" \
-     -exec echo {} ";" \
-     -exec cp {} $dist_dir ";"
 
 popd

From 0bd0900773dc85412ace8ecab8eb92e8fd503d05 Mon Sep 17 00:00:00 2001
From: Dongjoon Hyun <dongjoon@apache.org>
Date: Mon, 9 Jan 2023 11:26:10 -0800
Subject: [PATCH 4/5] enumerate for all jars

---
 dev/tasks/tasks.yml | 46 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/dev/tasks/tasks.yml b/dev/tasks/tasks.yml
index 29aad6f0cc3d8..8459fa381f293 100644
--- a/dev/tasks/tasks.yml
+++ b/dev/tasks/tasks.yml
@@ -808,86 +808,124 @@ tasks:
       - arrow-algorithm-{no_rc_snapshot_version}-tests.jar
       - arrow-algorithm-{no_rc_snapshot_version}.jar
       - arrow-algorithm-{no_rc_snapshot_version}.pom
+      - arrow-avro-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-avro-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-avro-{no_rc_snapshot_version}-javadoc.jar
       - arrow-avro-{no_rc_snapshot_version}-sources.jar
       - arrow-avro-{no_rc_snapshot_version}-tests.jar
       - arrow-avro-{no_rc_snapshot_version}.jar
       - arrow-avro-{no_rc_snapshot_version}.pom
+      - arrow-c-data-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-c-data-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-c-data-{no_rc_snapshot_version}-javadoc.jar
       - arrow-c-data-{no_rc_snapshot_version}-sources.jar
       - arrow-c-data-{no_rc_snapshot_version}-tests.jar
       - arrow-c-data-{no_rc_snapshot_version}.jar
       - arrow-c-data-{no_rc_snapshot_version}.pom
+      - arrow-compression-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-compression-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-compression-{no_rc_snapshot_version}-javadoc.jar
       - arrow-compression-{no_rc_snapshot_version}-sources.jar
       - arrow-compression-{no_rc_snapshot_version}-tests.jar
       - arrow-compression-{no_rc_snapshot_version}.jar
       - arrow-compression-{no_rc_snapshot_version}.pom
+      - arrow-dataset-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-dataset-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-dataset-{no_rc_snapshot_version}-javadoc.jar
       - arrow-dataset-{no_rc_snapshot_version}-sources.jar
       - arrow-dataset-{no_rc_snapshot_version}-tests.jar
       - arrow-dataset-{no_rc_snapshot_version}.jar
       - arrow-dataset-{no_rc_snapshot_version}.pom
+      - arrow-flight-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-flight-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-flight-{no_rc_snapshot_version}.pom
+      - arrow-format-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-format-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-format-{no_rc_snapshot_version}-javadoc.jar
       - arrow-format-{no_rc_snapshot_version}-sources.jar
       - arrow-format-{no_rc_snapshot_version}-tests.jar
       - arrow-format-{no_rc_snapshot_version}.jar
       - arrow-format-{no_rc_snapshot_version}.pom
+      - arrow-gandiva-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-gandiva-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-gandiva-{no_rc_snapshot_version}-javadoc.jar
       - arrow-gandiva-{no_rc_snapshot_version}-sources.jar
       - arrow-gandiva-{no_rc_snapshot_version}-tests.jar
       - arrow-gandiva-{no_rc_snapshot_version}.jar
       - arrow-gandiva-{no_rc_snapshot_version}.pom
+      - arrow-java-root-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-java-root-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-java-root-{no_rc_snapshot_version}-source-release.zip
       - arrow-java-root-{no_rc_snapshot_version}.pom
+      - arrow-jdbc-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-jdbc-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-jdbc-{no_rc_snapshot_version}-javadoc.jar
       - arrow-jdbc-{no_rc_snapshot_version}-sources.jar
       - arrow-jdbc-{no_rc_snapshot_version}-tests.jar
       - arrow-jdbc-{no_rc_snapshot_version}.jar
       - arrow-jdbc-{no_rc_snapshot_version}.pom
+      - arrow-memory-core-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-core-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-core-{no_rc_snapshot_version}-javadoc.jar
       - arrow-memory-core-{no_rc_snapshot_version}-sources.jar
       - arrow-memory-core-{no_rc_snapshot_version}-tests.jar
       - arrow-memory-core-{no_rc_snapshot_version}.jar
       - arrow-memory-core-{no_rc_snapshot_version}.pom
+      - arrow-memory-netty-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-netty-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-netty-{no_rc_snapshot_version}-javadoc.jar
       - arrow-memory-netty-{no_rc_snapshot_version}-sources.jar
       - arrow-memory-netty-{no_rc_snapshot_version}-tests.jar
       - arrow-memory-netty-{no_rc_snapshot_version}.jar
       - arrow-memory-netty-{no_rc_snapshot_version}.pom
+      - arrow-memory-unsafe-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-unsafe-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-unsafe-{no_rc_snapshot_version}-javadoc.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}-sources.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}-tests.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}.jar
       - arrow-memory-unsafe-{no_rc_snapshot_version}.pom
+      - arrow-memory-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-memory-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-memory-{no_rc_snapshot_version}.pom
+      - arrow-orc-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-orc-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-orc-{no_rc_snapshot_version}-javadoc.jar
       - arrow-orc-{no_rc_snapshot_version}-sources.jar
       - arrow-orc-{no_rc_snapshot_version}-tests.jar
       - arrow-orc-{no_rc_snapshot_version}.jar
       - arrow-orc-{no_rc_snapshot_version}.pom
+      - arrow-performance-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-performance-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-performance-{no_rc_snapshot_version}-sources.jar
       - arrow-performance-{no_rc_snapshot_version}-tests.jar
       - arrow-performance-{no_rc_snapshot_version}.jar
       - arrow-performance-{no_rc_snapshot_version}.pom
+      - arrow-plasma-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-plasma-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-plasma-{no_rc_snapshot_version}-javadoc.jar
       - arrow-plasma-{no_rc_snapshot_version}-sources.jar
       - arrow-plasma-{no_rc_snapshot_version}-tests.jar
       - arrow-plasma-{no_rc_snapshot_version}.jar
       - arrow-plasma-{no_rc_snapshot_version}.pom
+      - arrow-tools-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-tools-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-tools-{no_rc_snapshot_version}-jar-with-dependencies.jar
       - arrow-tools-{no_rc_snapshot_version}-javadoc.jar
       - arrow-tools-{no_rc_snapshot_version}-sources.jar
       - arrow-tools-{no_rc_snapshot_version}-tests.jar
       - arrow-tools-{no_rc_snapshot_version}.jar
       - arrow-tools-{no_rc_snapshot_version}.pom
+      - arrow-vector-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-vector-{no_rc_snapshot_version}-cyclonedx.xml
       - arrow-vector-{no_rc_snapshot_version}-javadoc.jar
       - arrow-vector-{no_rc_snapshot_version}-shade-format-flatbuffers.jar
       - arrow-vector-{no_rc_snapshot_version}-sources.jar
       - arrow-vector-{no_rc_snapshot_version}-tests.jar
       - arrow-vector-{no_rc_snapshot_version}.jar
       - arrow-vector-{no_rc_snapshot_version}.pom
+      - flight-core-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-core-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-core-{no_rc_snapshot_version}-jar-with-dependencies.jar
       - flight-core-{no_rc_snapshot_version}-javadoc.jar
       - flight-core-{no_rc_snapshot_version}-shaded-ext.jar
@@ -896,22 +934,30 @@ tasks:
       - flight-core-{no_rc_snapshot_version}-tests.jar
       - flight-core-{no_rc_snapshot_version}.jar
       - flight-core-{no_rc_snapshot_version}.pom
+      - flight-grpc-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-grpc-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-grpc-{no_rc_snapshot_version}-javadoc.jar
       - flight-grpc-{no_rc_snapshot_version}-sources.jar
       - flight-grpc-{no_rc_snapshot_version}-tests.jar
       - flight-grpc-{no_rc_snapshot_version}.jar
       - flight-grpc-{no_rc_snapshot_version}.pom
+      - flight-integration-tests-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-integration-tests-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-integration-tests-{no_rc_snapshot_version}-jar-with-dependencies.jar
       - flight-integration-tests-{no_rc_snapshot_version}-javadoc.jar
       - flight-integration-tests-{no_rc_snapshot_version}-sources.jar
       - flight-integration-tests-{no_rc_snapshot_version}-tests.jar
       - flight-integration-tests-{no_rc_snapshot_version}.jar
       - flight-integration-tests-{no_rc_snapshot_version}.pom
+      - flight-sql-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-sql-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-sql-{no_rc_snapshot_version}-javadoc.jar
       - flight-sql-{no_rc_snapshot_version}-sources.jar
       - flight-sql-{no_rc_snapshot_version}-tests.jar
       - flight-sql-{no_rc_snapshot_version}.jar
       - flight-sql-{no_rc_snapshot_version}.pom
+      - flight-sql-jdbc-driver-{no_rc_snapshot_version}-cyclonedx.json
+      - flight-sql-jdbc-driver-{no_rc_snapshot_version}-cyclonedx.xml
       - flight-sql-jdbc-driver-{no_rc_snapshot_version}-javadoc.jar
       - flight-sql-jdbc-driver-{no_rc_snapshot_version}-sources.jar
       - flight-sql-jdbc-driver-{no_rc_snapshot_version}-tests.jar

From 97af0c9f1df0f4e01ec0669edbcf6ced0eff7c1c Mon Sep 17 00:00:00 2001
From: Dongjoon Hyun <dongjoon@apache.org>
Date: Mon, 9 Jan 2023 16:31:42 -0800
Subject: [PATCH 5/5] Add .json and .xml

---
 .github/workflows/java_nightly.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/java_nightly.yml b/.github/workflows/java_nightly.yml
index d4f2ca9517a56..24d8c7c54eefc 100644
--- a/.github/workflows/java_nightly.yml
+++ b/.github/workflows/java_nightly.yml
@@ -107,7 +107,7 @@ jobs:
           fi
           PATTERN_TO_GET_LIB_AND_VERSION='([a-z].+)-([0-9]+.[0-9]+.[0-9]+-SNAPSHOT)'
           mkdir -p repo/org/apache/arrow/
-          for LIBRARY in $(ls binaries/$PREFIX/java-jars | grep -E '.jar|.pom' | grep SNAPSHOT); do
+          for LIBRARY in $(ls binaries/$PREFIX/java-jars | grep -E '.jar|.json|.pom|.xml' | grep SNAPSHOT); do
             [[ $LIBRARY =~ $PATTERN_TO_GET_LIB_AND_VERSION ]]
             mkdir -p repo/org/apache/arrow/${BASH_REMATCH[1]}/${BASH_REMATCH[2]}
             mkdir -p repo/org/apache/arrow/${BASH_REMATCH[1]}/${DATE}