Skip to content

build: add CycloneDX SBOM and OWASP CVE gate (I-17, I-01)#164

Open
anandmnair wants to merge 21 commits into
mainfrom
chore/supply-chain-sbom-cve
Open

build: add CycloneDX SBOM and OWASP CVE gate (I-17, I-01)#164
anandmnair wants to merge 21 commits into
mainfrom
chore/supply-chain-sbom-cve

Conversation

@anandmnair

Copy link
Copy Markdown
Contributor

Summary

add CycloneDX SBOM and OWASP CVE gate (I-17, I-01)

Details

I-17 — CycloneDX SBOM:

  • cyclonedx-maven-plugin runs per module at package and attaches the SBOM (classifier cyclonedx, spec 1.6, library type, non-test scopes) so every published JAR ships its dependency manifest. Lets consumers answer CVE-impact questions without decompiling, and meets SBOM obligations (US EO 14028, EU CRA).
  • New docs page (quality/sbom.md) documents what/why/how plus a grouped snapshot of the 64 third-party runtime dependencies; wired into the MkDocs nav.

I-01 — CVE / SCA gate:

  • New dependency-check Maven profile runs OWASP Dependency-Check across the whole reactor and fails the build on any dependency with CVSS >= 7 (HIGH/CRITICAL).
  • New blocking CI job mirrors the mutation job; caches the NVD database and reads the NVD API key from the NVD_API_KEY secret.
  • Audited-suppression file (dependency-check-suppressions.xml) for false positives.

Follow-up (manual): add the NVD_API_KEY repo secret and mark the dependency-check job a required PR check so the gate is enforced.

Checklist:

  • I've added tests for my code.
  • Documentation has been updated accordingly to this PR
  • I have verified all the modules and confirmed no impacts

Related issue :

anandmnair and others added 21 commits June 17, 2026 07:31
Supply-chain hardening from the code audit.

I-17 — CycloneDX SBOM:
- cyclonedx-maven-plugin runs per module at `package` and attaches the SBOM
  (classifier `cyclonedx`, spec 1.6, library type, non-test scopes) so every
  published JAR ships its dependency manifest. Lets consumers answer CVE-impact
  questions without decompiling, and meets SBOM obligations (US EO 14028, EU CRA).
- New docs page (quality/sbom.md) documents what/why/how plus a grouped snapshot
  of the 64 third-party runtime dependencies; wired into the MkDocs nav.

I-01 — CVE / SCA gate:
- New `dependency-check` Maven profile runs OWASP Dependency-Check across the whole
  reactor and fails the build on any dependency with CVSS >= 7 (HIGH/CRITICAL).
- New blocking CI job mirrors the mutation job; caches the NVD database and reads
  the NVD API key from the NVD_API_KEY secret.
- Audited-suppression file (dependency-check-suppressions.xml) for false positives.

Follow-up (manual): add the NVD_API_KEY repo secret and mark the dependency-check
job a required PR check so the gate is enforced.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant