refactor!: remove the automatic sbom generation feature for Java #1145

behnazh-w · 2025-08-08T04:02:34Z

Summary

This PR removes the automatic SBOM generation feature for Java projects in Macaron.

Description of changes

The automatic SBOM generation functionality for Java (via Maven and Gradle) has been removed from Macaron. This decision was made for the following reasons:

Avoid executing build tools: Running Maven or Gradle executables within Macaron can pose security and consistency risks.
Build environment separation: Generating SBOMs outside of the actual build environment may produce incomplete or inaccurate results.
Performance concerns: SBOM generation can be time-consuming, which negatively impacts the analysis time when done automatically within Macaron.

As part of this refactor:

The SBOM generation logic for Java has been fully removed.
Corresponding unit tests have been deleted or updated to reflect the removal of this feature.
Documentation has been updated to no longer reference automatic SBOM generation for Java.
cyclonedx-bom and cyclonedx-python-lib[validation] dependencies have been updated.
The $HOME/.m2 directory in the container is empty and no longer mounted or used by the Python package.
Update the base Dcoker image to the latest.

Related issues

Closes #56
Closes #60

tromai · 2025-08-12T00:49:18Z

For mvnw and gradlew used in SBOM generation, we mount $HOME/.m2 and $HOME/.gradle within the container to output/.m2 and output/.gradle in the host filesystem AND mount any ~/.m2/settings/xml and ~/.gradle/gradle.property from the host machine to ~/.m2/settings/xml and ~/.gradle/gradle.property within the container. It happens in run_macaron.sh

# Determine that ~/.gradle/gradle.properties exists to be mounted into ${MACARON_WORKSPACE}/gradle.properties
# Determine that ~/.m2/settings.xml exists to be mounted into ${MACARON_WORKSPACE}/settings.xml
# Mount the necessary .m2 and .gradle directories.

We probably don't need to mount them anymore. Removing these location also requires us to update

Some other locations:

pyproject.toml

src/macaron/slsa_analyzer/build_tool/base_build_tool.py

...gration/cases/apache_maven_local_path_with_branch_name_digest_deps_cyclonedx_maven/test.yaml

behnazh-w · 2025-08-12T03:32:08Z

we mount $HOME/.m2

Thanks for spotting the leftover references in run_macaron.sh. I think the .m2 directory should still be mounted for the GitHub attestation feature or analyzing JAR files.

behnazh-w · 2025-08-12T04:13:25Z

we mount $HOME/.m2

Thanks for spotting the leftover references in run_macaron.sh. I think the .m2 directory should still be mounted for the GitHub attestation feature or analyzing JAR files.

See commit 5d13ecc.

scripts/release_scripts/run_macaron.sh

docker/user.sh

src/macaron/dependency_analyzer/cyclonedx.py

tests/integration/cases/example_maven_app_sbom_tutorial/dependencies.json

tests/integration/cases/timyarkov_multibuild_test_gradle/init.gradle

tromai

I have finished my first round of review.

scripts/release_scripts/run_macaron.sh

tromai

LGTM. Thanks for the changes!

Signed-off-by: behnazh-w <[email protected]>

…al-maven-repo Signed-off-by: behnazh-w <[email protected]>

…tructions Signed-off-by: behnazh-w <[email protected]>

oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Aug 8, 2025

behnazh-w force-pushed the behnazh/remove-mvnw-gradlew branch 4 times, most recently from 5eb92e9 to e930b66 Compare August 11, 2025 00:44

behnazh-w marked this pull request as ready for review August 11, 2025 01:53

behnazh-w requested a review from tromai as a code owner August 11, 2025 01:53