This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git
The following commit(s) were added to refs/heads/main by this push:
new 2bdd91e allow other tools to be added to metadata.tools.components
2bdd91e is described below
commit 2bdd91e604da5c6f79e61ff9decd59cc3cd68da0
Author: Stefan Bodewig <[email protected]>
AuthorDate: Sun May 17 14:39:15 2026 +0200
allow other tools to be added to metadata.tools.components
---
docs/componentbom.html | 8 ++++++++
.../org/apache/ant/cyclonedx/ComponentBomTask.java | 20 ++++++++++++++++++++
src/tests/antunit/componentbom-test.xml | 13 +++++++++++++
3 files changed, 41 insertions(+)
diff --git a/docs/componentbom.html b/docs/componentbom.html
index 7974010..df80141 100644
--- a/docs/componentbom.html
+++ b/docs/componentbom.html
@@ -152,6 +152,14 @@ <h4>pureFileComponents</h4>
<p>This is useful when describing the contents of a tarball for
example.</p>
+ <h4>toolComponent</h4>
+
+ <p><code>toolComponent</code> child elements
+ specify <a href="component.html">component</a>s that are added
+ to the <code>metadata.tools</code> section of the SBOM. This is
+ meant to be used to add other tools that also participated in
+ the formation of this SBOM (for example by providing component
+ instances).</p>
<h3>Examples</h3>
diff --git a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
index 5cc27c1..622fda0 100644
--- a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
+++ b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
@@ -43,6 +43,7 @@ public class ComponentBomTask extends Task {
private SpecVersion specVersion = SpecVersion.DEFAULT;
private OutputFormat format = OutputFormat.JSON;
private Component component;
+ private List<Component> toolComponents = new ArrayList<>();
private List<Component> additionalComponents = new ArrayList<>();
private Organization manufacturer = null;
private Organization supplier = null;
@@ -141,6 +142,17 @@ public class ComponentBomTask extends Task {
additionalComponents.add(c);
}
+ /**
+ * Adds component to be added to the metadata.tools section of the
+ * SBOM.
+ *
+ * <p>This is meant to be used by tools that have also taken part
+ * in the generation of thsi SBOM.</p>
+ */
+ public void addToolComponent(Component c) {
+ toolComponents.add(c);
+ }
+
/**
* Accepts arbitrary file-system only resources that will be added
* as components of type file.
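Review bot: The new Javadoc on `addToolComponent` misspells `thsi SBOM` (should be `this SBOM`) and has no `@param`. `metadata.tools` is provenance data that SBOM consumers may rely on, and nothing visible in this hunk verifies the added entries, so the Javadoc should say so, for example `@param c tool component as declared by the build; recorded as given, not verified`. The method also stores `c` without a null check; Ant's own element handling presumably never passes null, but a programmatic caller could, and the failure would only surface later in the loop that calls `c.toAdditionalCycloneDxComponent(...)`.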
@@ -230,6 +242,14 @@ public class ComponentBomTask extends Task {
Metadata meta = new Metadata();
meta.setTimestamp(new Date());
meta.setToolChoice(ToolData.getToolInformation(specVersion.getVersion()));
+ if (!toolComponents.isEmpty()) {
+ List<org.cyclonedx.model.Component> tools =
+ new ArrayList(meta.getToolChoice().getComponents());
+ for (Component c : toolComponents) {
+ tools
.add(c.toAdditionalCycloneDxComponent(specVersion.getVersion()));
+ }
+ meta.getToolChoice().setComponents(tools);
+ }
if (!licenses.isEmpty()) {
LicenseChoice lc = new LicenseChoice();
lc.setLicenses(licenses);
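Review bot: `new ArrayList(meta.getToolChoice().getComponents())` uses a raw type, and it throws a NullPointerException if `getComponents()` returns null. That cannot be ruled out from this hunk because `ToolData.getToolInformation` is not shown. I would copy through a local, `List<org.cyclonedx.model.Component> existing = meta.getToolChoice().getComponents();`, then `List<org.cyclonedx.model.Component> tools = existing == null ? new ArrayList<>() : new ArrayList<>(existing);`. It is also worth confirming what happens for spec versions where `metadata.tools` has no `components` form; if the extra tools are dropped at serialization, a log message would keep the omission visible. The enclosing method starts and ends outside the hunk.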
diff --git a/src/tests/antunit/componentbom-test.xml
b/src/tests/antunit/componentbom-test.xml
index 0939f59..7c9d688 100644
--- a/src/tests/antunit/componentbom-test.xml
+++ b/src/tests/antunit/componentbom-test.xml
@@ -168,6 +168,19 @@
value="The Apache Software Foundation"/>
</target>
+ <target name="testMulipleTools">
+ <cdx:componentbom outputdirectory="${output}" format="xml"
+ xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+ <component name="test"/>
+ <toolComponent name="extra-tool"/>
+ </cdx:componentbom>
+ <xmlproperty file="${output}/bom.xml"/>
+ <au:assertPropertyEquals
+ xmlns:au="antlib:org.apache.ant.antunit"
+ name="bom.metadata.tools.components.component.name"
+ value="ant-cyclonedx,extra-tool"/>
+ </target>
+
<target name="testSupplierAndManufacturerInMeta">
<cdx:organization name="Example" id="example"
xmlns:cdx="antlib:org.apache.ant.cyclonedx">
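Review bot: The target name `testMulipleTools` is misspelled; `testMultipleTools` would match what it checks. The test only exercises `format="xml"` with the default spec version, so the JSON output and any spec version that serializes `metadata.tools` differently are not covered by this hunk. A sibling target that writes JSON and checks for both `ant-cyclonedx` and `extra-tool` would cover that output.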