Merge pull request 'OZG-4833 dependency track' (#32) from OZG-4833-use-dependency-track into master

Reviewed-on: https://git.ozg-sh.de/ozgcloud-app/formcycle-plugin/pulls/32

Jenkinsfile

@@ -109,22 +109,22 @@ pipeline {
             }
         }
 
-// TODO aktuell dauert es viel zu lange und wird am Ende einfach abgebrochen
-//         stage ('OWASP Dependency-Check Vulnerabilities') {
-//             steps {
-//                     dependencyCheck additionalArguments: '''
-//                         -o "./"
-//                         -s "./"
-//                         -f "ALL"
-//                         -d /dependency-check-data
-//                         --suppression dependency-check-supressions.xml
-//                         --disableKnownExploited
-//                         --disableArchive
-//                         --prettyPrint''', odcInstallation: 'dependency-check-owasp'
-//
-//                     dependencyCheckPublisher pattern: 'dependency-check-report.xml'
-//             }
-//         }
+        stage ('Deploy SBOM to DependencyTrack') {
+            steps {
+                script {
+                    IMAGE_TAG = "${env.BRANCH_NAME}-${getPomVersion('pom.xml')}"
+
+                    configFileProvider([configFile(fileId: 'maven-settings', variable: 'MAVEN_SETTINGS')]) {
+                        withCredentials([string(credentialsId: 'dependency-track-api-key', variable: 'API_KEY')]) {
+
+                            catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                                sh "mvn  --no-transfer-progress -s $MAVEN_SETTINGS io.github.pmckeown:dependency-track-maven-plugin:upload-bom -Ddependency-track.apiKey=$API_KEY -Ddependency-track.projectVersion=${IMAGE_TAG} -Ddependency-track.dependencyTrackBaseUrl=https://dependency-track.ozg-sh.de"
+                            }
+                        }
+                    }
+                }
+            }
+        }
 
         stage('Deploy to Nexus'){
             steps {

pom.xml

@@ -31,6 +31,10 @@
 		<maven-assembly-plugin.version>3.2.0</maven-assembly-plugin.version>
 		<maven-clean-plugin.version>3.1.0</maven-clean-plugin.version>
 		<maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version>
+
+		<!-- dependency track -->
+		<dependency-track-maven-plugin.version>1.7.0</dependency-track-maven-plugin.version>
+		<cyclonedx-maven-plugin.version>2.7.11</cyclonedx-maven-plugin.version>
 	</properties>
 
 	<dependencyManagement>
@@ -113,6 +117,21 @@
 	</dependencies>
 
 	<build>
+		<pluginManagement>
+			<plugins>
+				<plugin>
+					<groupId>io.github.pmckeown</groupId>
+					<artifactId>dependency-track-maven-plugin</artifactId>
+					<version>${dependency-track-maven-plugin.version}</version>
+					<configuration>
+						<dependencyTrackBaseUrl>https://dependency-track.ozg-sh.de</dependencyTrackBaseUrl>
+						<failOnError>true</failOnError>
+						<createProject>true</createProject>
+					</configuration>
+				</plugin>
+			</plugins>
+		</pluginManagement>
+
 		<plugins>
 			<!-- Configure the compilation process. At least Java 11 is required. -->
 			<plugin>
@@ -208,6 +227,20 @@
 				<artifactId>maven-surefire-plugin</artifactId>
 				<version>${maven-surefire-plugin.version}</version>
 			</plugin>
+
+			<plugin>
+				<groupId>org.cyclonedx</groupId>
+				<artifactId>cyclonedx-maven-plugin</artifactId>
+				<version>${cyclonedx-maven-plugin.version}</version>
+				<executions>
+					<execution>
+						<phase>package</phase>
+						<goals>
+							<goal>makeAggregateBom</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
 		</plugins>
 	</build>
 	<repositories>