Change Temurin SBOM generation to XML #4061
Open
andrew-m-leonard opened this issue Nov 28, 2024 · 3 comments
Labels: enhancement, testing

Comments

andrew-m-leonard (Contributor) commented Nov 28, 2024

Currently Temurin produces SBOMs in JSON format; however, this has its limitations and costs:

  • JSON "signing" uses the JSF format, and very few tools provide JSF signing and verification. Currently Temurin uses an open source component, https://github.com/cyberphone/openkeystore, which does not have a huge following, and we have to build and compile this source, which is not provided as an open source binary release.
  • Similarly, to verify these signatures we need to use the same open source tool, which means "users" are not easily able to verify an SBOM themselves without going through a procedure to clone temurin-build and build the TemurinSignSBOM Java class that uses openkeystore.
  • The cyclonedx-cli tool does not provide support for signing and verifying JSON SBOMs:
% cyclonedx-cli sign bom test.json --key-file test.pem
Loading private key...
Only XML BOMs are currently supported for signing.

As opposed to using an XML-format SBOM, which:

  • Provides full feature support for XML, including "signing", "signature verification" and "validation":
% cyclonedx sign bom testCDXA.xml --key-file cdsa_test.pem
Loading private key...
Loading XML BOM...
Generating signature...
Saving signature...
% cyclonedx verify all testCDXA.xml --key-file cdsa_test_pub.pem
Loading public key...
Loading XML BOM...
Reading signatures...
Found 1 signatures...
Verifying signature 1... verified

All signatures verified
% cyclonedx validate --input-file testCDXA.xml
BOM validated successfully.
  • The cyclonedx-cli tool can then easily be used by 3rd-party users to both sign and verify SBOMs, CDXAs, ...

Other arguments for using XML format:

  • XML has a far longer background, and thus much stable tooling support; it is extensively used by the AQAvit and TKG test suites
  • XML has strong schema-based support
  • XML can be easily parsed and processed from bash using the Perl xpath utility, e.g.:
% xpath -q -e '/bom/metadata/authors/author/name/text()' testSBOM.xml
Adoptium Temurin
andrew-m-leonard added the enhancement label Nov 28, 2024
andrew-m-leonard self-assigned this Nov 28, 2024
github-actions bot added the testing label Nov 28, 2024
smlambert moved this to In Progress in 2024 4Q Adoptium Plan Dec 3, 2024
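The xpath query and the `cyclonedx verify` step above, restated as an added example that is not code from the temurin-build project or from cyclonedx-cli: it uses only Python's standard `xml.etree` to parse a constructed minimal CycloneDX 1.5 XML BOM, selects the author name with the same path as the `xpath` command, lists component versions, and counts enveloped XML-DSig `Signature` elements so a consumer can confirm a BOM is at least signed before handing it to cyclonedx-cli for cryptographic verification. The two namespace URIs are the published CycloneDX 1.5 and W3C XML Signature ones; the BOM content and the placeholder signature are constructed for the example.

```python
"""Added example (not temurin-build code): XPath-style queries over a
CycloneDX XML BOM and a presence check for an enveloped XML-DSig
signature, using only the standard library."""
import xml.etree.ElementTree as ET

# Namespace URIs: CycloneDX 1.5 schema and W3C XML Signature.
NS = {
    "bom": "http://cyclonedx.org/schema/bom/1.5",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed minimal BOM (not a real Temurin SBOM); split so the same
# document can be built with and without a signature element.
_HEAD = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"
     serialNumber="urn:uuid:00000000-0000-4000-8000-000000000000">
  <metadata>
    <authors>
      <author><name>Adoptium Temurin</name></author>
    </authors>
    <component type="application">
      <name>Eclipse Temurin</name>
      <version>placeholder-version</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>example-lib</name>
      <version>1.0.0</version>
    </component>
  </components>
"""
# Placeholder enveloped signature: structure only, no real digest or
# signature value, so it can only demonstrate presence detection.
_SIGNATURE = """  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo/>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
"""
_TAIL = "</bom>\n"

SIGNED_BOM = _HEAD + _SIGNATURE + _TAIL
UNSIGNED_BOM = _HEAD + _TAIL


def _root(bom_xml: str) -> ET.Element:
    # For BOMs from untrusted sources, swap in defusedxml.ElementTree to
    # block entity-expansion attacks; the query code below is unchanged.
    root = ET.fromstring(bom_xml)
    if root.tag != f"{{{NS['bom']}}}bom":
        raise ValueError(f"not a CycloneDX 1.5 BOM root element: {root.tag}")
    return root


def author_names(bom_xml: str) -> list[str]:
    """Same selection as xpath '/bom/metadata/authors/author/name/text()'."""
    root = _root(bom_xml)
    path = "bom:metadata/bom:authors/bom:author/bom:name"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def component_versions(bom_xml: str) -> dict[str, str]:
    """Map each listed component name to its version."""
    root = _root(bom_xml)
    out: dict[str, str] = {}
    for comp in root.findall("bom:components/bom:component", NS):
        name = comp.findtext("bom:name", default="", namespaces=NS)
        out[name] = comp.findtext("bom:version", default="", namespaces=NS)
    return out


def signature_count(bom_xml: str) -> int:
    """Count enveloped XML-DSig Signature children of <bom>.

    This is the structural part of what `cyclonedx verify all` reports as
    "Found N signatures"; cryptographic verification still needs a DSig
    implementation and the publisher's public key.
    """
    return len(_root(bom_xml).findall("ds:Signature", NS))


def summarize(bom_xml: str) -> dict:
    """Small consumer-side report: who authored it, what is in it, is it signed."""
    return {
        "authors": author_names(bom_xml),
        "components": component_versions(bom_xml),
        "signed": signature_count(bom_xml) > 0,
    }


if __name__ == "__main__":
    for label, doc in (("signed", SIGNED_BOM), ("unsigned", UNSIGNED_BOM)):
        print(label, summarize(doc))
```

Because the signature is a direct child of `<bom>` in its own namespace, the same `findall` works unchanged on a BOM that cyclonedx-cli has signed; a JSON/JSF SBOM has no such standard element to look for, which is the tooling gap the issue describes.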
andrew-m-leonard (Contributor, Author) commented

@netomi hi Thomas, I was wondering what your opinion might be on using XML documents as opposed to JSON, especially when it comes to Eclipse signing with sigstore potentially?

netomi (Contributor) commented Dec 4, 2024

So if XML files have better tool support, I see no reason why the project should not use them.
Also, conversion between XML and JSON format should be possible if needed.

andrew-m-leonard (Contributor, Author) commented

Support for XML SBOMs generated using cyclonedx-core-java is currently blocked due to issue: CycloneDX/cyclonedx-core-java#562

For the moment we will stick with the JSON SBOM until this is fixed, or we have a python-library route...
