Change CycloneDx dependency jar download to use Maven Central download

Signed-off-by: Andrew Leonard <[email protected]>

README.md

@@ -185,6 +185,9 @@ the one you are trying to build.
 -k, --keep
 if using docker, keep the container after the build.
 
+--local-dependency-cache-dir <Local dependency cache directory>
+specify the location of a local cache of required build dependency jars
+
 --make-exploded-image
 creates an exploded image (useful for codesigning jmods). Use --assemble-exploded-image once you have signed the jmods to complete the packaging steps.
 

cyclonedx-lib/build.xml

@@ -20,6 +20,10 @@
 // jscpd:ignore-start
 -->
 
+        <condition property="local.deps.cache.dir.set" else="false">
+            <isset property="local.deps.cache.dir"/>
+        </condition>
+
         <!-- Branch of cyberphone/openkeystore to clone -->
         <property name="openkeystore-version" value="1.0.0"/>
 
@@ -44,12 +48,10 @@
         </target>
 
         <target name="download-cyclonedx" unless="cyclonedx_available">
-                <echo message="Downloading cyclonedx-core-java"/>
                 <download-component component="cyclonedx-core-java"/>
-	    </target>
+        </target>
 
         <target name="download-jackson-core" unless="jackson-core_available">
-                <echo message="Downloading jackson-core"/>
                 <download-component component="jackson-core"/>
         </target>
 
@@ -86,42 +88,34 @@
         </target>
 
         <target name="download-jackson-dataformat-xml" unless="jackson-dataformat_available">
-                <echo message="Downloading jackson-dataformat-xml"/>
                 <download-component component="jackson-dataformat-xml"/>
         </target>
 
         <target name="download-jackson-databind" unless="jackson-databind_available">
-                <echo message="Downloading jackson-databind"/>
                 <download-component component="jackson-databind"/>
         </target>
 
         <target name="download-jackson-annotations" unless="jackson-annotations_available">
-                <echo message="Downloading jackson-annotations"/>
                 <download-component component="jackson-annotations"/>
         </target>
 
         <target name="download-json-schema-validator" unless="json-schema-validator_available">
-                <echo message="Downloading json-schema-validator"/>
                 <download-component component="json-schema-validator"/>
         </target>
 
         <target name="download-commons-codec" unless="commons-codec_available">
-                <echo message="Downloading commons-codec"/>
                 <download-component component="commons-codec"/>
         </target>
 
         <target name="download-commons-io" unless="commons-io_available">
-                <echo message="Downloading commons-io"/>
                 <download-component component="commons-io"/>
         </target>
 
         <target name="download-commons-collections4" unless="commons-collections4_available">
-                <echo message="Downloading commons-collections4"/>
                 <download-component component="commons-collections4"/>
         </target>
 
         <target name="download-github-package-url" unless="github-package-url_available">
-                <echo message="Downloading github-package-url"/>
                 <download-component component="github-package-url"/>
         </target>
 
@@ -490,10 +484,35 @@
 		<sequential>
 			<echo message="Executing macro download-component for: @{component}"/>
 			<echo message="Expected checksum: ${@{component}.sha256}"/>
-			<download-file
+
+                        <!-- Check if local cache file is available? -->
+                        <if>
+                          <equals arg1="${local.deps.cache.dir.set}" arg2="true"/>
+                          <then>
+                            <available file="${local.deps.cache.dir}/${@{component}.jar}" property="@{component}_cache_available"/>
+                          </then>
+                          <else>
+                            <property name="@{component}_cache_available" value="false"/>
+                          </else>
+                        </if>
+
+                        <!-- Use local cache if available, otherwise download -->
+                        <if>
+                          <equals arg1="${@{component}_cache_available}" arg2="true"/>
+                          <then>
+                            <!-- Use local cache -->
+                            <echo message="Copying @{component}.jar from local cache location ${local.deps.cache.dir}/${@{component}.jar}"/>
+                            <copy file="${local.deps.cache.dir}/${@{component}.jar}" tofile="build/jar/@{component}.jar"/>
+                          </then>
+                          <else>
+                            <!-- Download if no local cache -->
+                            <download-file
 				checksum="${@{component}.sha256}"
+                                destdir="build/jar"
 				destfile="@{component}.jar"
 				srcurl="${@{component}.url}"/>
+                          </else>
+                        </if>
 		</sequential>
 	</macrodef>
 

cyclonedx-lib/dependency_data/dependency_data.properties

@@ -14,37 +14,47 @@
 # Repositories
 maven.central.repo=https://repo1.maven.org/maven2
 
-# Component versions and SHAs
+# Component versions, SHAs and jar names
 commons-codec.version=1.17.1
 commons-codec.sha256=f9f6cb103f2ddc3c99a9d80ada2ae7bf0685111fd6bffccb72033d1da4e6ff23
+commons-codec.jar=commons-codec-${commons-codec.version}.jar
 commons-collections4.version=4.4
 commons-collections4.sha256=1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
+commons-collections4.jar=commons-collections4-${commons-collections4.version}.jar
 commons-io.version=2.16.1
 commons-io.sha256=f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
+commons-io.jar=commons-io-${commons-io.version}.jar
 cyclonedx-core-java.version=9.0.5
 cyclonedx-core-java.sha256=9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa
+cyclonedx-core-java.jar=cyclonedx-core-java-${cyclonedx-core-java.version}.jar
 github-package-url.version=1.5.0
 github-package-url.sha256=e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247
+github-package-url.jar=packageurl-java-${github-package-url.version}.jar
 jackson-annotations.version=2.17.2
 jackson-annotations.sha256=873a606e23507969f9bbbea939d5e19274a88775ea5a169ba7e2d795aa5156e1
+jackson-annotations.jar=jackson-annotations-${jackson-annotations.version}.jar
 jackson-core.version=2.17.2
 jackson-core.sha256=721a189241dab0525d9e858e5cb604d3ecc0ede081e2de77d6f34fa5779a5b46
+jackson-core.jar=jackson-core-${jackson-core.version}.jar
 jackson-databind.version=2.17.2
 jackson-databind.sha256=c04993f33c0f845342653784f14f38373d005280e6359db5f808701cfae73c0c
+jackson-databind.jar=jackson-databind-${jackson-databind.version}.jar
 jackson-dataformat-xml.version=2.17.2
 jackson-dataformat-xml.sha256=517add5f3848517894b319a93a7ebfc1c21737b2c17c9acccd38fea97d6adc6f
+jackson-dataformat-xml.jar=jackson-dataformat-xml-${jackson-dataformat-xml.version}.jar
 json-schema-validator.version=1.5.1
 json-schema-validator.sha256=de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7
+json-schema-validator.jar=json-schema-validator-${json-schema-validator.version}.jar
 
 # Download URLs
-commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/commons-codec-${commons-codec.version}.jar
-commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/commons-collections4-${commons-collections4.version}.jar
-commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/commons-io-${commons-io.version}.jar
-cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/cyclonedx-core-java-${cyclonedx-core-java.version}.jar
-github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/packageurl-java-${github-package-url.version}.jar
-jackson-annotations.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-annotations/${jackson-annotations.version}/jackson-annotations-${jackson-annotations.version}.jar
-jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/${jackson-core.version}/jackson-core-${jackson-core.version}.jar
-jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/jackson-databind-${jackson-databind.version}.jar
-jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/jackson-dataformat-xml-${jackson-dataformat-xml.version}.jar
-json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/json-schema-validator-${json-schema-validator.version}.jar
+commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/${commons-codec.jar}
+commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/${commons-collections4.jar}
+commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/${commons-io.jar}
+cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/${cyclonedx-core-java.jar}
+github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/${github-package-url.jar}
+jackson-annotations.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-annotations/${jackson-annotations.version}/${jackson-annotations.jar}
+jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/${jackson-core.version}/${jackson-core.jar}
+jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/${jackson-databind.jar}
+jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/${jackson-dataformat-xml.jar}
+json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/${json-schema-validator.jar}
 

sbin/build.sh

@@ -887,8 +887,15 @@ buildCyclonedxLib() {
   else
     ANTBUILDFILE="${CYCLONEDB_DIR}/build.xml"
   fi
+
+  # Do we have a local cache for the dependency jars?
+  local localJarCacheOption=""
+  if [[ -n "${BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]}" ]]; then
+    localJarCacheOption="-Dlocal.deps.cache.dir=${BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]}"
+  fi
+
   JAVA_HOME=${javaHome} ant -f "${ANTBUILDFILE}" clean
-  JAVA_HOME=${javaHome} ant -f "${ANTBUILDFILE}" build
+  JAVA_HOME=${javaHome} ant -f "${ANTBUILDFILE}" build "${localJarCacheOption}"
 }
 
 # get the classpath to run the CycloneDX java app TemurinGenSBOM
@@ -1211,21 +1218,20 @@ addCycloneDXVersions() {
    else
        # Should we do something special if the sha256sum fails?
        for JAR in "${CYCLONEDB_DIR}/build/jar"/*.jar; do
-         JarName=$(basename "$JAR")
+         JarName=$(basename "$JAR" | cut -d'.' -f1)
          if [ "$(uname)" = "Darwin" ]; then
             JarSha=$(shasum -a 256 "$JAR" | cut -d' ' -f1)
          else
             JarSha=$(sha256sum "$JAR" | cut -d' ' -f1)
          fi
-         addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}" "${JarSha}"
+         addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}.jar" "${JarSha}"
          # Now the jar's SHA has been added, we add the version string.
-         JarVersionFile="$(joinPath ${CYCLONEDB_DIR} dependency_data versions ${JarName}.version)"
-         if [ -f "${JarVersionFile}" ]; then
-           JarVersionString=$(cat "${JarVersionFile}")
-           addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}" "${JarVersionString}"
-         elif [ "${JarName}" != "temurin-gen-sbom.jar" ]; then
-           echo "ERROR: Cannot find jar version file for SBOM creation dependency ${JarName}."
-           echo "ERROR: Expected location: ${JarVersionFile}"
+         JarDepsFile="$(joinPath ${CYCLONEDB_DIR} dependency_data/dependency_data.properties)"
+         JarVersionString=$(grep "${JarName}\.version=" "${JarDepsFile}" | cut -d'=' -f2)
+         if [ -n "${JarVersionString}" ]; then
+           addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar versions" "${JarName}.jar" "${JarVersionString}"
+         elif [ "${JarName}" != "temurin-gen-sbom" ]; then
+           echo "ERROR: Cannot determine jar version from ${JarDepsFile} for SBOM creation dependency ${JarName}.jar."
          fi
        done
    fi

sbin/common/config_init.sh

@@ -75,6 +75,7 @@ JRE_PATH
 TEST_IMAGE_PATH
 STATIC_LIBS_IMAGE_PATH
 JVM_VARIANT
+LOCAL_DEPENDENCY_CACHE_DIR
 MACOSX_CODESIGN_IDENTITY
 MAKE_ARGS_FOR_ANY_PLATFORM
 MAKE_EXPLODED
@@ -381,6 +382,9 @@ function parseConfigurationArguments() {
         "--use-adoptium-devkit")
         BUILD_CONFIG[USE_ADOPTIUM_DEVKIT]="$1"; shift;;
 
+        "--local-dependency-cache-dir")
+        BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]="$1"; shift;;
+
         "--user-openjdk-build-root-directory" )
         BUILD_CONFIG[USER_OPENJDK_BUILD_ROOT_DIRECTORY]="$1"; shift;;
 
@@ -651,6 +655,9 @@ function configDefaults() {
   BUILD_CONFIG[USE_ADOPTIUM_DEVKIT]=""
   BUILD_CONFIG[ADOPTIUM_DEVKIT_LOCATION]=""
 
+  # Default to no local dependency cache
+  BUILD_CONFIG[LOCAL_DEPENDENCY_CACHE_DIR]=""
+
   # By default dont backport JEP318 certs to < Java 10
   BUILD_CONFIG[USE_JEP319_CERTS]=false