Status: Closed
Labels: Component: Java; Priority: Blocker (marks a blocker for the release); Type: enhancement
Description
This issue aims to publish SBOM artifacts along with the other Apache projects.
Here is an article to give some context.
- https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/
A Software Bill of Materials (SBOM) is an additional artifact containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, and Software Package Data Exchange® (SPDX).
We can use one of the Maven plugins, the CycloneDX Maven plugin, which produces CycloneDX, a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
https://maven.apache.org/plugins/index.html#misc
The expected results:

```
$ mvn install -DskipTests
...
$ ls -al /Users/dongjoon/.m2/repository/org/apache/arrow/arrow-memory-core/11.0.0-SNAPSHOT
total 352
drwxr-xr-x 9 dongjoon staff    288 Jan 9 01:10 .
drwxr-xr-x 7 dongjoon staff    224 Jan 9 01:10 ..
-rw-r--r-- 1 dongjoon staff    367 Jan 9 01:10 _remote.repositories
-rw-r--r-- 1 dongjoon staff   8025 Jan 9 01:10 arrow-memory-core-11.0.0-SNAPSHOT-cyclonedx.json
-rw-r--r-- 1 dongjoon staff   6993 Jan 9 01:10 arrow-memory-core-11.0.0-SNAPSHOT-cyclonedx.xml
-rw-r--r-- 1 dongjoon staff  34886 Jan 9 01:10 arrow-memory-core-11.0.0-SNAPSHOT-tests.jar
-rw-r--r-- 1 dongjoon staff 110813 Jan 9 01:10 arrow-memory-core-11.0.0-SNAPSHOT.jar
-rw-r--r-- 1 dongjoon staff   3407 Jan 9 01:08 arrow-memory-core-11.0.0-SNAPSHOT.pom
-rw-r--r-- 1 dongjoon staff   1343 Jan 9 01:10 maven-metadata-local.xml
```
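As an added example (not from the issue or the Arrow project's own build), this is a `cyclonedx-maven-plugin` configuration of the kind that yields the `-cyclonedx.json` / `-cyclonedx.xml` artifacts shown in the listing above. The plugin coordinates and option names are the plugin's real ones; the plugin version, the `attach-sbom` execution id and the chosen scope settings are assumptions to adjust for the release.

```xml
<!-- Added example, not part of the issue: attaches a CycloneDX SBOM to each module's build.
     Version and option values below are assumptions; verify them against the plugin release used. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.7.4</version> <!-- assumed version; pin to the one validated for the release -->
      <executions>
        <execution>
          <id>attach-sbom</id> <!-- assumed execution id -->
          <phase>package</phase>
          <goals>
            <!-- makeBom: one SBOM per module, matching the per-artifact files in the listing.
                 makeAggregateBom would instead roll the whole reactor into one BOM. -->
            <goal>makeBom</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <projectType>library</projectType>
        <schemaVersion>1.4</schemaVersion>
        <!-- "all" writes both JSON and XML; the plugin attaches them with the
             "cyclonedx" classifier, which is why the installed files end in -cyclonedx.json/.xml -->
        <outputFormat>all</outputFormat>
        <outputName>bom</outputName>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <!-- Record what a consumer actually gets on the classpath; leave test-only
             dependencies out so the SBOM is not padded with components nobody ships. -->
        <includeCompileScope>true</includeCompileScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Placing the plugin in the parent POM's `<build>` (rather than `<pluginManagement>`) makes every module emit its own BOM, so each published jar carries the component list a downstream scanner can match against advisories by package URL. Because the SBOM is attached as a regular build artifact, it is installed, deployed and signed alongside the jar, which is what lets consumers trust that the BOM describes the artifact it ships with.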
Component(s): Java