Using the SWID Maven Plugin

This project supports generating a SWID tag as part of the Apache Maven build system.

Two generation capabilities are provided:

  • Assembly SWID Generator: A container descriptor handler that supports generation of a SWID tag as a manifest of a Maven Assembly. Maven assemblies are binary distributions of Java code archived using a number of popular archive formats.
  • SWID Generation Mojo: An experimental Maven mojo for building a SWID tag for use within a Java JAR file.

The source for these capabilities can be found in the project’s GitHub repo.

The Assembly SWID Generator

To generate a SWID tag as part of the execution of the Maven Assembly plugin, two pieces of configuration are needed: the assembly descriptor and the plugin declaration in the POM.

The following example is the configuration used by the swidval project.

First, the assembly descriptor needs to be configured to use the swid-generator. In the following example, the assembly descriptor located in src/assembly/bin.xml has the needed <containerDescriptorHandler> configured as follows:

<assembly
	xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2 http://maven.apache.org/xsd/assembly-1.1.2.xsd">
	<id>swidval</id>
	<formats>
		<format>dir</format>
		<format>zip</format>
		<format>tar.bz2</format>
	</formats>
	<includeBaseDirectory>false</includeBaseDirectory>
	<dependencySets>
		<dependencySet>
			<outputDirectory>/</outputDirectory>
			<unpack>false</unpack>
			<includes>
				<include>${artifact}</include>
			</includes>
		</dependencySet>
		<dependencySet>
			<outputDirectory>/lib</outputDirectory>
			<unpack>false</unpack>
			<excludes>
				<exclude>${artifact}</exclude>
			</excludes>
		</dependencySet>
	</dependencySets>
	<fileSets>
		<fileSet>
			<directory>/home/circleci/project/swid-maven-plugin/target/generated-distro</directory>
			<outputDirectory></outputDirectory>
			<includes>
				<include>**/*</include>
			</includes>
		</fileSet>
	</fileSets>
	<containerDescriptorHandlers>
		<!-- Generates a SWID tag -->
		<containerDescriptorHandler>
			<handlerName>swid-generator</handlerName>
			<configuration>
				<excludes>
					<!-- don't include the assembly in the generated payload -->
					<exclude>${artifact}</exclude>
				</excludes>
				<!-- use the following entities in the SWID tag -->
				<entities>
					<entity>
						<name>National Institute of Standards and Technology</name>
						<regid>nist.gov</regid>
						<roles>
							<role>tagCreator</role>
							<role>softwareCreator</role>
						</roles>
					</entity>
				</entities>
			</configuration>
		</containerDescriptorHandler>
	</containerDescriptorHandlers>
</assembly>

Second, the maven-assembly-plugin needs to be configured in your project’s POM as follows:

<plugin>
	<groupId>org.apache.maven.plugins</groupId>
	<artifactId>maven-assembly-plugin</artifactId>
	<dependencies>
		<dependency> <!-- the dependency for the SWID generator -->
			<groupId>gov.nist.secauto.swid</groupId>
			<artifactId>swid-maven-plugin</artifactId>
			<version>0.6.1</version>
		</dependency>
	</dependencies>
	<executions>
		<execution>
			<id>make-assembly-bin</id> <!-- this is used for inheritance merges -->
			<phase>package</phase> <!-- bind to the packaging phase -->
			<goals>
				<goal>single</goal>
			</goals>
			<configuration>
				<descriptors>
					<descriptor>src/assembly/bin.xml</descriptor> <!-- the location of the configured assembly descriptor -->
				</descriptors>
			</configuration>
		</execution>
	</executions>
</plugin>
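The tag produced by the handler above is a manifest of the assembly, so its value lies in checking an unpacked distribution against it. The following Python check is an added example, not code from the swid-maven-plugin project; it assumes the generator emits the ISO/IEC 19770-2:2015 Payload layout (nested Directory/File elements with a SHA256:hash attribute) and builds its own constructed sample files and tag.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
# Namespaces from ISO/IEC 19770-2:2015; assumed to be what swid-generator emits.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"

def _collect(elem, prefix, out):
    # Flatten nested Directory/File elements into (relative path, SHA-256 hex) pairs.
    for child in elem:
        local = child.tag.split("}")[-1]
        if local == "Directory":
            _collect(child, prefix + [child.get("name")], out)
        elif local == "File":
            out.append(("/".join(prefix + [child.get("name")]), child.get("{%s}hash" % SHA256_NS)))

def verify_payload(tag_xml, root):
    """Classify every Payload file of the tag as verified, modified or missing under root."""
    root, entries = Path(root), []
    for payload in ET.fromstring(tag_xml).findall("{%s}Payload" % SWID_NS):
        _collect(payload, [], entries)
    result = {"verified": [], "modified": [], "missing": []}
    for rel, digest in entries:
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != (digest or "").lower():
            result["modified"].append(rel)   # content no longer matches the tag
        else:
            result["verified"].append(rel)
    return result

def demo():
    """Constructed sample: a two-file distribution and its tag, checked clean and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "README.txt").write_bytes(b"constructed readme")
        (root / "lib" / "dep.jar").write_bytes(b"constructed dependency bytes")
        h1 = hashlib.sha256(b"constructed readme").hexdigest()
        h2 = hashlib.sha256(b"constructed dependency bytes").hexdigest()
        tag = (f'<SoftwareIdentity xmlns="{SWID_NS}" xmlns:SHA256="{SHA256_NS}" name="swidval" '
               f'version="0.6.1" tagId="constructed-tag-id"><Payload>'
               f'<File name="README.txt" SHA256:hash="{h1}"/><Directory name="lib">'
               f'<File name="dep.jar" SHA256:hash="{h2}"/></Directory></Payload></SoftwareIdentity>')
        clean = verify_payload(tag, root)
        (root / "lib" / "dep.jar").write_bytes(b"swapped dependency bytes")  # tampered content
        (root / "README.txt").unlink()                                      # removed file
        return clean, verify_payload(tag, root)
```

Against a real distribution, point verify_payload at the unpacked assembly directory and the tag the handler wrote into it; any entry under "modified" or "missing" means the payload no longer matches what was built.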

SWID Generator Mojo

See the mojo documentation.