diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 47e21b384..91b29b562 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -88,6 +88,21 @@ jobs:
!product/target/openfasttrace-*-sources.jar
if-no-files-found: error
+ - name: Generate SPDX SBOM
+ if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
+ run: |
+ mvn --batch-mode -pl product spdx:createSPDX \
+ -Dossindex.skip=true \
+ -Djava.version=${{ matrix.java }}
+
+ - name: Upload SPDX SBOM
+ uses: actions/upload-artifact@v7
+ if: ${{ env.DEFAULT_OS == matrix.os && env.DEFAULT_JAVA == matrix.java }}
+ with:
+ name: openfasttrace-spdx
+ path: product/target/site/*.spdx.json
+ if-no-files-found: error
+
- name: Run self-trace
run: ./oft-self-trace.sh
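Review bot: `actions/upload-artifact@v7` in the new `Upload SPDX SBOM` step is pinned to a mutable major tag; for a change whose purpose is supply-chain transparency, pin the action to a full commit SHA (keeping the tag in a trailing comment) so the SBOM artifact is always produced by a known action revision. Also note that this step only stores the SBOM as a workflow artifact, while SECURITY.md and changes_4.6.0.md in this same patch say the SBOM is attached to GitHub releases; unless the release workflow (not in this diff) consumes the `openfasttrace-spdx` artifact, that promise is not yet backed by code. Finally, `-Dossindex.skip=true` is only harmless if the OSS Index check already ran in the earlier build step; a one-line comment in the step saying so would stop a future reader from mistaking it for a bypass.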
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..efffbf0cb
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+We are very grateful for any security reports and see them as a valuable way to improve the quality and reliability of our codebase. As a non-profit open-source project, we appreciate the time and effort the community puts into helping us keep OpenFastTrace secure.
+
+Please note that we do not offer bug bounties.
+
+To report a vulnerability, please use the [GitHub Security Advisory reporting feature](https://github.com/itsallcode/openfasttrace/security/advisories/new) or contact the maintainers directly. We strive to address all security concerns in a timely and professional manner.
+
+## Software Bill of Materials (SBOM)
+
+To enhance transparency and security, SPDX SBOMs (Software Bill of Materials) are included with the GitHub releases starting from version 4.6.0. These files provide a comprehensive list of all components and dependencies used in the project.
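Review bot: the SBOM paragraph overstates what the file contains: it promises `a comprehensive list of all components and dependencies used in the project`, but the developer guide in this same patch states that the SBOM only lists the OFT modules and no third-party or test packages. Say that explicitly here (the product JAR has no third-party runtime dependencies besides the JRE), otherwise a consumer will assume transitive dependencies are covered. Separately, `contact the maintainers directly` gives no address; either name a private contact channel or drop the phrase and point only at the advisory form, and consider stating which versions receive fixes, since `timely` is not a commitment a reporter can plan around.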
diff --git a/api/pom.xml b/api/pom.xml
index e0ee86158..9d7d0c135 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-api
OpenFastTrace API
+ Public API of OpenFastTrace
../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/core/pom.xml b/core/pom.xml
index 4f8b3a5ba..265d929f1 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-core
OpenFastTrace Core
+ OpenFastTrace core logic (specification items, linking and base modules for importers, exporters and reporters)
../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/doc/changes/changes_4.6.0.md b/doc/changes/changes_4.6.0.md
index 4368a932a..e573dd6ab 100644
--- a/doc/changes/changes_4.6.0.md
+++ b/doc/changes/changes_4.6.0.md
@@ -4,8 +4,15 @@ Code name: ??
## Summary
-We moved some GitHub action permissions from workflow-level to job-level.
+We moved some GitHub action permissions from workflow-level to job-level and fixed a number of Sonar findings that we accumulated with Sonar introducing new rules.
+
+And, we now create an SPDX SBOM. You can find the SBOM of the product JAR attached to all new GitHub releases.
## Security
-* #
\ No newline at end of file
+* #
+
+## Refactoring
+
+* #527: Introduced SPDX SBOM
+* #536: Fixed a large number of Sonar findings that came with new sonar rules.
\ No newline at end of file
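Review bot: the `## Security` section still carries the empty placeholder `* #`, so the 4.6.0 notes will ship with a dangling bullet; either reference the issue it stands for or remove the section. The entry `#527: Introduced SPDX SBOM` is filed under `## Refactoring`, but the summary above advertises it as a user-visible deliverable attached to releases; a section of its own would match how the summary presents it. The file also still lacks a trailing newline.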
diff --git a/doc/developer_guide.md b/doc/developer_guide.md
index ea69b416e..a7e6f734b 100644
--- a/doc/developer_guide.md
+++ b/doc/developer_guide.md
@@ -237,6 +237,23 @@ This project is configured to produce exactly the same artifacts each time when
The build will use the last Git commit timestamp as timestamp for files in `.jar` archives.
+## SBOM
+
+The Project generates and [SPDX](https://spdx.dev/) SBOM using the [SPDX Maven Plugin](https://github.com/spdx/spdx-maven-plugin).
+
+The build order is very important when creating the SBOM. Since the plugin tries to extract the metadata of the submodules from POM files of installed Maven packages, those POM files need to be in the local Maven repository first. We don't want to download them during the build, since the latest ones are on the local machine. That means, we build the modules, install them in the local Maven cache and then create the SBOM.
+
+
+You can create the SBOM with the following sequence of Maven commands module:
+
+```shell
+mvn install
+mvn -pl product spdx:createSPDX
+```
+
+> [!IMPORTANT]
+> OFT does not include 3rd-party packages in the production JAR. The JRE we depend on is a runtime dependency on the machine OFT is executed. Therefore our SBOM only contains the OFT modules. We also did not include the test packages because they are not relevant for OFT users.
+
## Creating a Release
**NOTE**: This currently only works for release version numbers, not SNAPSHOT versions.
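Review bot: the sequencing requirement in this section (`mvn install`, then `mvn -pl product spdx:createSPDX`) has a failure mode the text should name: if the install step is skipped or fails partway, the plugin still reads whatever module POMs already sit in the local Maven repository, and the resulting SBOM silently describes a previous build. Suggest telling the reader to compare the version recorded in `product/target/site/*.spdx.json` with `${revision}` after generating it. Wording nits in the same hunk: `generates and [SPDX]` should be `generates an [SPDX]`, `sequence of Maven commands module` has a stray `module`, `The Project` should be lower-case, `on the machine OFT is executed` needs `where`, and there is a doubled blank line before `You can create the SBOM`.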
diff --git a/exporter/common/pom.xml b/exporter/common/pom.xml
index 52b9e58ab..5ad9570be 100644
--- a/exporter/common/pom.xml
+++ b/exporter/common/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-exporter-common
OpenFastTrace Exporters Utils
+ Common logic for OpenFastTrace exporters
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/exporter/specobject/pom.xml b/exporter/specobject/pom.xml
index 39b207620..55ae0d012 100644
--- a/exporter/specobject/pom.xml
+++ b/exporter/specobject/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-exporter-specobject
OpenFastTrace Specobject Exporter
+ Specobject (ReqM2 exchange format) exporter
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/lightweightmarkup/pom.xml b/importer/lightweightmarkup/pom.xml
index 37fe269b7..d8357d2a1 100644
--- a/importer/lightweightmarkup/pom.xml
+++ b/importer/lightweightmarkup/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-lightweightmarkup
OpenFastTrace Lightweight Markup Importer Base
+ Base module for OpenFastTrace importers based on lightweight markup languages (e.g., Markdown and RST)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/markdown/pom.xml b/importer/markdown/pom.xml
index 42c96065c..3fb410fdf 100644
--- a/importer/markdown/pom.xml
+++ b/importer/markdown/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-markdown
OpenFastTrace Markdown Importer
+ Importer for OpenFastTrace specification items embedded into Markdown text
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/restructuredtext/pom.xml b/importer/restructuredtext/pom.xml
index 4f66ed9de..db3c182d1 100644
--- a/importer/restructuredtext/pom.xml
+++ b/importer/restructuredtext/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-restructuredtext
OpenFastTrace reStructuredText Importer
+ Importer for OpenFastTrace specification items embedded into reStructuredText (RST)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/specobject/pom.xml b/importer/specobject/pom.xml
index 91dbab265..fe079d7a9 100644
--- a/importer/specobject/pom.xml
+++ b/importer/specobject/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-specobject
OpenFastTrace Specobject Importer
+ Importer for OpenFastTrace specification items from Specobject (ReqM2 format)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/importer/tag/pom.xml b/importer/tag/pom.xml
index 165ed1187..3649d98da 100644
--- a/importer/tag/pom.xml
+++ b/importer/tag/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-tag
OpenFastTrace Tag Importer
+ Importer for OpenFastTrace specification items embedded source code marker tags
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
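Review bot: the new description `Importer for OpenFastTrace specification items embedded source code marker tags` is missing a preposition; suggest `Importer for OpenFastTrace specification items embedded in source code as marker tags`. This text ends up in the published POM and in the SPDX package description, so it is worth getting right before release.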
diff --git a/importer/xmlparser/pom.xml b/importer/xmlparser/pom.xml
index b87231910..9a2ac7860 100644
--- a/importer/xmlparser/pom.xml
+++ b/importer/xmlparser/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-xmlparser
OpenFastTrace Common XML Parser
+ Importer for OpenFastTrace specification items embedded into XML
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
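Review bot: the description `Importer for OpenFastTrace specification items embedded into XML` contradicts the module name `OpenFastTrace Common XML Parser` two lines above: one says importer, the other says shared parser. If the module is the XML parsing base used by the specobject importer, describe it as such; otherwise rename it. The SBOM will carry whichever description is chosen, so the two should agree.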
diff --git a/importer/zip/pom.xml b/importer/zip/pom.xml
index c82ff9295..95055477d 100644
--- a/importer/zip/pom.xml
+++ b/importer/zip/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-importer-zip
OpenFastTrace Zip Importer
+ Recursive importer for OpenFastTrace specification items in ZIP archives
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/openfasttrace-mc-deployable-parent/pom.xml b/openfasttrace-mc-deployable-parent/pom.xml
index 4de7d681f..0d12e0dfe 100644
--- a/openfasttrace-mc-deployable-parent/pom.xml
+++ b/openfasttrace-mc-deployable-parent/pom.xml
@@ -16,6 +16,7 @@ It is maintained separately from the main parent POM for the following reasons:
openfasttrace-mc-deployable-parent
${revision}
OpenFastTrace Parent for modules deployed to Maven Central
+ Maven-central-specific deployment module for OpenFastTrace
pom
../parent/pom.xml
@@ -23,7 +24,6 @@ It is maintained separately from the main parent POM for the following reasons:
openfasttrace-parent
${revision}
- Free requirement tracking suite
https://github.com/itsallcode/openfasttrace
false
diff --git a/parent/pom.xml b/parent/pom.xml
index 86dfe2a23..e66514f15 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -7,10 +7,9 @@
${revision}
OpenFastTrace Parent
pom
- Free requirement tracking suite
https://github.com/itsallcode/openfasttrace
- 4.5.0
+ 4.6.0
17
6.1.0-M1
6.1.0
@@ -21,11 +20,13 @@
${reproducible.build.timestamp}
-Duser.language=en
false
+ GPL-3.0-only
+ Copyright (c) itsallcode.org
- GNU General Public License v3.0
- https://www.gnu.org/licenses/gpl-3.0.html
+ GPL-3.0-only
+ https://spdx.org/licenses/GPL-3.0-only.html
repo
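Review bot: switching the Maven `<license>` name from `GNU General Public License v3.0` to the SPDX identifier `GPL-3.0-only` is the right move for SBOM tooling, but the URL now points at the SPDX license-list page rather than the license text on gnu.org; consider keeping the gnu.org URL so the published POM still links to the authoritative text. The new `spdx.copyright` value `Copyright (c) itsallcode.org` carries no year; add one if the SBOM's copyright field is meant to be usable as a notice.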
@@ -528,7 +529,7 @@
2.21.0
-
+
org.apache.maven.plugins
maven-deploy-plugin
3.1.4
@@ -536,6 +537,36 @@
true
+
+ org.spdx
+ spdx-maven-plugin
+ 1.0.3
+
+
+ build-spdx
+
+ createSPDX
+
+
+ none
+
+
+
+
+ build
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+ true
+ false
+ true
+
+
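Review bot: the `build-spdx` execution is bound to what appears to be `<phase>none</phase>`, so `mvn install` never produces an SBOM and it only appears when `spdx:createSPDX` is invoked explicitly, as build.yml and the developer guide do. That is a deliberate choice, but it deserves a one-line XML comment next to the execution, because a contributor who sees the plugin configured in `pluginManagement` will expect the SBOM to come out of the regular build. The element names around the boolean and license values were lost in extraction, so I cannot check them individually; please double-check that the declared and concluded license both resolve to `${spdx.license}` and that no checksum-related option is switched off, since an SBOM that cannot be matched to the released JAR is of little use.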
diff --git a/pom.xml b/pom.xml
index 813a87ffb..b5c0e563d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,6 +47,30 @@
true
+
+ org.spdx
+ spdx-maven-plugin
+ 1.0.3
+
+
+ aggregate-spdx
+
+ aggregateSPDX
+
+
+
+
+ build
+ false
+ GPL-3.0-only
+ GPL-3.0-only
+ Copyright (c) itsallcode.org
+ false
+ GPL-3.0-only
+ GPL-3.0-only
+ Copyright (c) itsallcode.org
+
+
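Review bot: this block hard-codes `GPL-3.0-only` and `Copyright (c) itsallcode.org` four times, while the parent and product POMs in this patch use `${spdx.license}` and `${spdx.copyright}`. If the root aggregator POM does not inherit from `parent/pom.xml` (which would explain why the properties are unavailable here), add a short XML comment saying so and pointing at the parent properties, so a future license or copyright change does not leave the aggregate SBOM disagreeing with the per-module SBOMs.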
diff --git a/product/pom.xml b/product/pom.xml
index 58214bd1f..e044916ae 100644
--- a/product/pom.xml
+++ b/product/pom.xml
@@ -3,6 +3,7 @@
4.0.0
openfasttrace
OpenFastTrace Product
+ OpenFastTrace aggregated library (includes all official base modules)
../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
@@ -133,6 +134,119 @@
+
+ org.spdx
+ spdx-maven-plugin
+ 1.0.3
+
+
+ aggregate-spdx
+
+ aggregateSPDX
+
+
+
+
+ build
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+ false
+ ${spdx.license}
+ ${spdx.license}
+ ${spdx.copyright}
+
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-api
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-core
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-exporter-common
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-exporter-specobject
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-lightweightmarkup
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-markdown
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-restructuredtext
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-specobject
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-tag
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-xmlparser
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-importer-zip
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-reporter-aspec
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-reporter-html
+ GPL-3.0-only
+
+
+ both
+ org.itsallcode.openfasttrace
+ openfasttrace-reporter-plaintext
+ GPL-3.0-only
+
+
+
+
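Review bot: the fourteen per-module entries here are a hand-maintained copy of the product's dependency list: a module added to product later will be missing from this list without any build error, and the aggregate SBOM will then carry no license for it. Either generate these entries from the dependency list or add a build-time check (a test or an enforcer rule) that every `org.itsallcode.openfasttrace` dependency of product appears here. Today the list does match the fourteen modules that received descriptions in this patch, and `testutil` is absent, consistent with the developer guide's statement that test packages are not included.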
diff --git a/reporter/aspec/pom.xml b/reporter/aspec/pom.xml
index f47a75f32..809640648 100644
--- a/reporter/aspec/pom.xml
+++ b/reporter/aspec/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-reporter-aspec
OpenFastTrace augmented specobject Reporter
+ Report an OpenFastTrace requirement trace as Augmented Specobject (ReqM2 format)
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/reporter/html/pom.xml b/reporter/html/pom.xml
index 288f2a61c..dc4a7711d 100644
--- a/reporter/html/pom.xml
+++ b/reporter/html/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-reporter-html
OpenFastTrace HTML Reporter
+ Generate HTML report from an OpenFastTrace requirement trace
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/reporter/plaintext/pom.xml b/reporter/plaintext/pom.xml
index a0719c1dc..fefd12840 100644
--- a/reporter/plaintext/pom.xml
+++ b/reporter/plaintext/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-reporter-plaintext
OpenFastTrace Plaintext Reporter
+ Generate plain text report from an OpenFastTrace requirement trace
../../openfasttrace-mc-deployable-parent/pom.xml
org.itsallcode.openfasttrace
diff --git a/testutil/pom.xml b/testutil/pom.xml
index 9f5f12f3a..9d1a0536d 100644
--- a/testutil/pom.xml
+++ b/testutil/pom.xml
@@ -4,6 +4,7 @@
4.0.0
openfasttrace-testutil
OpenFastTrace Test utilities
+ Shared test utilities used in multiple OpenFastTrace modules
jar
../parent/pom.xml