ozg-7492 upload sbom

Jenkinsfile

@@ -28,7 +28,6 @@ pipeline {
         }
     }
 
-tools { go 'go-1.22.0' }
     environment {
         RELEASE_REGEX = /v\d+.\d+.\d+/
         BETA_REGEX = /v\d+.\d+.\d+-beta.\d/
@@ -82,9 +81,6 @@ tools { go 'go-1.22.0' }
                     FAILED_STAGE=env.STAGE_NAME
                         
                     sh '''
-                        #export GOPATH so that installed dependencies could be found
-                        export GOPATH=$GOROOT
-                        
                         go mod download
                         go install \
                         github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
@@ -184,8 +180,31 @@ tools { go 'go-1.22.0' }
                 }
             }
         }
-    }
-    
+
+        stage ('Deploy SBOM to DependencyTrack') {
+            when {
+                anyOf {
+                    branch 'main'
+                    branch 'release'
+                }
+            }
+            steps {
+                script {
+                    catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                        sh '''
+                            go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
+                            go env -w GOFLAGS=-buildvcs=false
+                            
+                            cyclonedx-gomod version
+                            cyclonedx-gomod app -main cmd/antragsraum-proxy/ -output sbom.xml
+                            '''
+
+                        dependencyTrackPublisher artifact: 'sbom.xml', projectName: 'antragraum-proxy', projectVersion: env.BRANCH_NAME, synchronous: true
+                    }
+                }
+            }
+        }
+    }    
 }
 
 

[Martin Küster]

Wollen wir das vllt in ein Script auslagern?