Add sbom_generation.yaml file at top level.

Author: jdduncan

.gitignore

@@ -1,7 +1,10 @@
+.DS_Store
+artifactSBOM.json
+package-lock.json
 jones-ndb/build/
 jones-ndb/config.gypi
 jones-ndb/impl/test/build/
 jones-ndb/config.waf
-**/.DS_Store
 node_modules/nan
+*/node_modules
 

database-jones/package-lock.json

@@ -24,10 +24,11 @@
           },
           "dependencies": {
                     "jones-promises": "*",
-                    "mysql": "^2.17.1",
+                    "mysql": ">=2.18.1",
                     "unified_debug": "*"
           },
           "devDependencies": {
+                    "@cyclonedx/cyclonedx-npm": "^1.19.3",
                     "jones-test": "*"
           }
 }

database-jones/package.json

@@ -1,38 +1,35 @@
-
 {
-  "name"            : "jones-mysql"
-  ,
-  "version"         : "1.0.6"
-  ,  
-  "description"     : "MySQL Service Provider for Database Jones"
-  ,
-  "keywords"        : ["mysql", "orm", "mapping"]
-  ,
-  "license"         : "GPL-2.0"
-  ,
-  "homepage"        : "http://github.com/mysql/mysql-js/"
-  ,
-  "main"            : "impl/mysql_service_provider"
-  ,
-  "bugs"            : { "url" : "http://github.com/mysql/mysql-js/issues"}
-  ,
-  "contributors"    : [ "Craig Russell <papajdo@gmail.com>" ,
-                        "John David Duncan <john.duncan@oracle.com>"
-                      ]
-  ,
-  "dependencies"    : { "mysql" : ">=2.0.0",
-                        "unified_debug" : "*"
-                      }
-  ,
-  "devDependencies" : { "jones-test" : "*"
-                      }
-  ,
-  "peerDependencies": { "database-jones" : "1.x"
-                      }
-  ,
-  "repository"      : { "type" : "git",
-                         "url": "https://github.com/mysql/mysql-js.git"
-                      }
+  "name": "jones-mysql",
+  "version": "1.0.6",
+  "description": "MySQL Service Provider for Database Jones",
+  "keywords": [
+    "mysql",
+    "orm",
+    "mapping"
+  ],
+  "license": "GPL-2.0",
+  "homepage": "http://github.com/mysql/mysql-js/",
+  "main": "impl/mysql_service_provider",
+  "bugs": {
+    "url": "http://github.com/mysql/mysql-js/issues"
+  },
+  "contributors": [
+    "Craig Russell <papajdo@gmail.com>",
+    "John David Duncan <john.duncan@oracle.com>"
+  ],
+  "dependencies": {
+    "mysql": ">=2.18.1",
+    "unified_debug": "*"
+  },
+  "devDependencies": {
+    "@cyclonedx/cyclonedx-npm": "^1.19.3",
+    "jones-test": "*"
+  },
+  "peerDependencies": {
+    "database-jones": "1.x"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mysql/mysql-js.git"
+  }
 }
-
-

jones-mysql/package.json

@@ -1,35 +1,32 @@
-
 {
-  "name"        : "jones-promises"
-  ,
-  "version"     : "1.1.1"
-  ,  
-  "description" : "Promises Library"
-  ,
-  "keywords"    : ["promise" , "promises" , "promises/a+" ]
-  ,
-  "homepage"    : "http://github.com/mysql/mysql-js/"
-  ,
-  "bugs"        : { "url" : "http://github.com/mysql/mysql-js/issues" }
-  ,
-  "license"     : "GPL-2.0"
-  ,
-  "contributors": ["Craig Russell <craig.russell@oracle.com>" ,
-                   "John David Duncan <john.duncan@oracle.com>"
-                  ]
-  ,
-  "main"        : "lib/Promise.js"
-  ,
-  "repository"  : {  "type" : "git",
-                     "url": "https://github.com/mysql/mysql-js.git"
-                  }
-  ,
-  "readmeFilename": "README.md"
-  ,
-  "dependencies" : {  "unified_debug" : ""
-                   }
-  ,
-  "devDependencies" : { "promises-aplus-tests" : "" }
+  "name": "jones-promises",
+  "version": "1.1.1",
+  "description": "Promises Library",
+  "keywords": [
+    "promise",
+    "promises",
+    "promises/a+"
+  ],
+  "homepage": "http://github.com/mysql/mysql-js/",
+  "bugs": {
+    "url": "http://github.com/mysql/mysql-js/issues"
+  },
+  "license": "GPL-2.0",
+  "contributors": [
+    "Craig Russell <craig.russell@oracle.com>",
+    "John David Duncan <john.duncan@oracle.com>"
+  ],
+  "main": "lib/Promise.js",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mysql/mysql-js.git"
+  },
+  "readmeFilename": "README.md",
+  "dependencies": {
+    "unified_debug": ""
+  },
+  "devDependencies": {
+    "@cyclonedx/cyclonedx-npm": "^1.19.3",
+    "promises-aplus-tests": ""
+  }
 }
-
-

jones-promises/package.json

@@ -1,33 +1,32 @@
-
 {
-  "name"        : "jones-test"
-  ,
-  "version"     : "1.4.1"
-  ,  
-  "description" : "Asynchronous Test Harness"
-  ,
-  "keywords"    : ["test" , "harness" ]
-  ,
-  "homepage"    : "http://github.com/mysql/mysql-js/"
-  ,
-  "bugs"        : { "url" : "http://github.com/mysql/mysql-js/issues"}
-  ,
-  "license"     : "GPL-2.0"
-  ,
-  "contributors": [ "John David Duncan <john.duncan@oracle.com>" ,
-                    "Craig Russell <craig.russell@oracle.com>" ]
-  ,
-  "main"        : "jones-test"
-  ,
-  "repository"  : {  "type" : "git",
-                     "url": "https://github.com/mysql/mysql-js.git"
-                  }
-  ,
-  "scripts"     : { "test" : "node selftest/driver"
-                  }
-  ,
-  "dependencies" : { "unified_debug" : ""
-                   }
+  "name": "jones-test",
+  "version": "1.4.1",
+  "description": "Asynchronous Test Harness",
+  "keywords": [
+    "test",
+    "harness"
+  ],
+  "homepage": "http://github.com/mysql/mysql-js/",
+  "bugs": {
+    "url": "http://github.com/mysql/mysql-js/issues"
+  },
+  "license": "GPL-2.0",
+  "contributors": [
+    "John David Duncan <john.duncan@oracle.com>",
+    "Craig Russell <craig.russell@oracle.com>"
+  ],
+  "main": "jones-test",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mysql/mysql-js.git"
+  },
+  "scripts": {
+    "test": "node selftest/driver"
+  },
+  "dependencies": {
+    "unified_debug": ""
+  },
+  "devDependencies": {
+    "@cyclonedx/cyclonedx-npm": "^1.19.3"
+  }
 }
-
-

jones-test/package.json

@@ -0,0 +1,76 @@
+# Copyright (c) 2023-2025, Oracle and/or its affiliates. All rights reserved.
+
+# This OCI DevOps build specification file [1] generates a Software Bill of Materials (SBOM) of the repository.
+# The file is needed to run checks for third-party vulnerabilities and business approval according to Oracle’s GitHub policies.
+# [1] https://docs.oracle.com/en-us/iaas/Content/devops/using/build_specs.htm
+
+version: 0.1
+component: build
+timeoutInSeconds: 1000
+shell: bash
+
+steps:
+  - type: Command
+    name: "Download CycloneDx-cli executable and install dependencies"
+    command: |
+      wget https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
+      yum install -y libicu
+  - type: Command
+    name: "Generate SBOM for unified_debug"
+    command: |
+        pushd unified_debug
+        npm install && npm install --save-dev @cyclonedx/cyclonedx-npm@1.19.3
+        npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM.json --spec-version 1.4 --flatten-components
+        popd
+
+  - type: Command
+    name: "Generate SBOM for jones-test"
+    command: |
+        pushd jones-test
+        npm install && npm install --save-dev @cyclonedx/cyclonedx-npm@1.19.3
+        npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM.json --spec-version 1.4 --flatten-components
+        popd
+
+  - type: Command
+    name: "Generate SBOM for jones-promises"
+    command: |
+        pushd jones-promises
+        npm install && npm install --save-dev @cyclonedx/cyclonedx-npm@1.19.3
+        npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM.json --spec-version 1.4 --flatten-components
+        popd
+
+  - type: Command
+    name: "Generate SBOM for jones-ndb"
+    command: |
+        pushd jones-ndb
+        npm install && npm install --save-dev @cyclonedx/cyclonedx-npm@1.19.3
+        npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM.json --spec-version 1.4 --flatten-components
+        popd
+
+  - type: Command
+    name: "Generate SBOM for jones-mysql"
+    command: |
+        pushd jones-mysql
+        npm install && npm install --save-dev @cyclonedx/cyclonedx-npm@1.19.3
+        npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM.json --spec-version 1.4 --flatten-components
+        popd
+
+  - type: Command
+    name: "Generate SBOM for database-jones"
+    command: |
+        pushd database-jones
+        npm install && npm install --save-dev @cyclonedx/cyclonedx-npm@1.19.3
+        npx @cyclonedx/cyclonedx-npm --omit dev --output-format JSON --output-file artifactSBOM.json --spec-version 1.4 --flatten-components
+        popd
+
+  - type: Command
+    name: "Merge multiple SBOMs using CycloneDX-cli"
+    command: |
+      # For more details, visit https://github.com/CycloneDX/cyclonedx-cli/blob/main/README.md
+      chmod +x cyclonedx-linux-x64
+      ./cyclonedx-linux-x64 merge --input-files database-jones/artifactSBOM.json jones-mysql/artifactSBOM.json jones-ndb/artifactSBOM.json jones-promises/artifactSBOM.json jones-test/artifactSBOM.json unified_debug/artifactSBOM.json --output-file  artifactSBOM.json --output-version v1_4
+
+outputArtifacts:
+  - name: artifactSBOM
+    type: BINARY
+    location: ${OCI_PRIMARY_SOURCE_DIR}/artifactSBOM.json