build: add CycloneDX SBOM generation support by NelsonMeleth · Pull Request #440 · docling-project/docling-java

NelsonMeleth · 2026-04-02T17:32:19Z

Add docling-sbom.gradle.kts plugin for SBOM generation
Integrate SBOM artifacts into Maven publications
Add CycloneDX Gradle plugin dependency
Configure cyclonedxDirectBom task in build group

github-actions · 2026-04-02T17:38:49Z

:java_duke: JaCoCo coverage report

Overall Project	47.29%	🔴

There is no coverage information present for the Files changed

github-actions · 2026-04-02T17:38:51Z

	Tests	Passed ✅	Skipped	Failed
Gradle Test Results (all modules & JDKs)	1002 ran	1002 passed	0 skipped	0 failed

Test	Result
No test annotations available

View Gradle Test Results (all modules & JDKs)

github-actions · 2026-04-02T17:38:52Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

buildSrc/src/main/kotlin/docling-release.gradle.kts

edeandrea · 2026-04-02T17:43:09Z

gradle/libs.versions.toml

 quarkus-github-api = "1.330.0"
 quarkus-wiremock = "1.6.1"
 wiremock = "3.13.2"
+cyclonedx = "3.2.2"


I think 3.2.3 is the latest version.

Upgrading to 3.2.3 is giving me error

Could not determine the dependencies of task ':docling-testcontainers:cyclonedxBom'. > Could not create task ':docling-testcontainers:cyclonedxDirectBom'. > Cannot mutate the artifacts of configuration ':docling-testcontainers:cyclonedxDirectBom' after the configuration was consumed as a variant. After a configuration has been observed, it should not be modified.

We should try and figure out what the issue is. Is it an incompatibility between the cycloneDx gradle plugin & the overall Gradle and/or jvm version? Is the cyclonedx plugin not being applied properly? Does it not support Gradle's configuration cache?

edeandrea

Thanks for this @NelsonMeleth ! I've added a few inline comments.

github-actions · 2026-04-02T23:59:28Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

github-actions · 2026-04-03T00:04:05Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

github-actions · 2026-04-03T00:08:39Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

github-actions · 2026-04-03T00:35:16Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

github-actions · 2026-04-03T21:06:45Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

- Add docling-sbom.gradle.kts plugin for SBOM generation - Integrate SBOM artifacts into Maven publications - Add CycloneDX Gradle plugin dependency - Configure cyclonedxDirectBom task in build group Signed-off-by: Nelson Baby <nelson.b@ibm.com>

edeandrea · 2026-04-06T14:10:25Z

@copilot Does there need to be any additional configuration for jreleaser to do anything with the sboms that get generated?

Copilot

Pull request overview

Adds CycloneDX SBOM generation into the Gradle build (via a new convention plugin) and attempts to publish the generated SBOM alongside existing Maven artifacts, so released modules can ship a per-project SBOM.

Changes:

Add CycloneDX Gradle plugin/version-catalog entries and make it available to buildSrc.
Introduce a docling-sbom convention plugin that applies CycloneDX and exposes cyclonedxDirectBom under the build task group.
Attach CycloneDX task outputs as additional artifacts in the docling-release Maven publication.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
`gradle/libs.versions.toml`	Adds CycloneDX version + library/plugin entries to the version catalog.
`buildSrc/src/main/kotlin/docling-sbom.gradle.kts`	New convention plugin applying `org.cyclonedx.bom` and grouping the BOM task under `build`.
`buildSrc/src/main/kotlin/docling-release.gradle.kts`	Wires SBOM generation outputs into Maven publication artifacts.
`buildSrc/build.gradle.kts`	Adds CycloneDX Gradle plugin dependency to `buildSrc` so the convention plugin can apply it.

buildSrc/src/main/kotlin/docling-release.gradle.kts

github-actions · 2026-04-06T14:15:27Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

buildSrc/src/main/kotlin/docling-sbom.gradle.kts

Signed-off-by: Nelson Baby <nelson.b@ibm.com>

github-actions · 2026-04-06T15:17:18Z

HTML test reports are available as workflow artifacts (zipped HTML).

• Download: Artifacts for this run

edeandrea

Thanks @NelsonMeleth !

edeandrea reviewed Apr 2, 2026

View reviewed changes

buildSrc/src/main/kotlin/docling-release.gradle.kts Outdated Show resolved Hide resolved

edeandrea reviewed Apr 2, 2026

View reviewed changes

NelsonMeleth force-pushed the main branch 2 times, most recently from b0f1fcd to b18748c Compare April 3, 2026 00:01

NelsonMeleth force-pushed the main branch from b18748c to 95332d1 Compare April 3, 2026 00:27

NelsonMeleth force-pushed the main branch from 95332d1 to 5b32584 Compare April 3, 2026 21:00

NelsonMeleth changed the title ~~feat: add SBOM generation to release artifacts~~ build: add CycloneDX SBOM generation support Apr 3, 2026

NelsonMeleth requested a review from edeandrea April 6, 2026 03:27

edeandrea force-pushed the main branch from 5b32584 to 0d9f97d Compare April 6, 2026 14:06

edeandrea requested a review from Copilot April 6, 2026 14:09

Copilot started reviewing on behalf of edeandrea April 6, 2026 14:10 View session

Copilot AI reviewed Apr 6, 2026

View reviewed changes

buildSrc/src/main/kotlin/docling-release.gradle.kts Outdated Show resolved Hide resolved

edeandrea reviewed Apr 6, 2026

View reviewed changes

buildSrc/src/main/kotlin/docling-sbom.gradle.kts Show resolved Hide resolved

build: use CycloneDX plugin version 3.2.2

8ff0f65

Signed-off-by: Nelson Baby <nelson.b@ibm.com>

edeandrea approved these changes Apr 6, 2026

View reviewed changes

edeandrea linked an issue Apr 6, 2026 that may be closed by this pull request

Need SBOMs #411

Closed

edeandrea merged commit 77179d2 into docling-project:main Apr 6, 2026
22 checks passed

Conversation

NelsonMeleth commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Apr 2, 2026

:java_duke: JaCoCo coverage report

Uh oh!

github-actions bot commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Apr 2, 2026

Uh oh!

Uh oh!

edeandrea Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

NelsonMeleth Apr 2, 2026

Choose a reason for hiding this comment

Uh oh!

edeandrea Apr 3, 2026

Choose a reason for hiding this comment

Uh oh!

edeandrea left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Apr 2, 2026

Uh oh!

github-actions bot commented Apr 3, 2026

Uh oh!

github-actions bot commented Apr 3, 2026

Uh oh!

github-actions bot commented Apr 3, 2026

Uh oh!

github-actions bot commented Apr 3, 2026

Uh oh!

edeandrea commented Apr 6, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

github-actions bot commented Apr 6, 2026

Uh oh!

Uh oh!

github-actions bot commented Apr 6, 2026

Uh oh!

edeandrea left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

NelsonMeleth commented Apr 2, 2026 •

edited

Loading

github-actions bot commented Apr 2, 2026 •

edited

Loading