Add sbom generation tooling (#2232)

.bazelrc

@@ -1,2 +1,7 @@
 common --registry=https://raw.githubusercontent.com/eclipse-score/bazel_registry/main/
 common --registry=https://bcr.bazel.build
+
+build --java_language_version=17
+build --tool_java_language_version=17
+build --java_runtime_version=remotejdk_17
+build --tool_java_runtime_version=remotejdk_17

.github/workflows/sbom_dependency_submission.yml

@@ -0,0 +1,111 @@
+name: SBOM Dependency Submission
+# Submit SBOM-derived dependency snapshot to GitHub Dependency Graph,
+# enabling Dependabot vulnerability alerts for SBOM-declared packages.
+#
+# Requirements (configured by org/repo admin):
+#   - Dependency Graph must be enabled in repo Settings → Code security
+#   - Write permission on contents (for dependency-graph/snapshots)
+#
+# GitHub Dependency Submission API:
+#   https://docs.github.com/en/rest/dependency-graph/dependency-submission
+
+on:
+  workflow_call:
+    inputs:
+      sbom_target:
+        description: 'Bazel SBOM target to build (e.g. //:sbom_all)'
+        required: false
+        type: string
+        default: '//:sbom_all'
+      release_tag:
+        description: 'Version tag for the SBOM component_version'
+        required: false
+        type: string
+        default: 'dev'
+
+jobs:
+  sbom-dependency-submission:
+    name: Build SBOM and submit to Dependency Graph
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write  # Required for dependency-graph/snapshots API
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.2.2
+
+      - name: Setup Bazel
+        uses: bazel-contrib/setup-bazel@0.15.0
+        with:
+          disk-cache: true
+          repository-cache: true
+          bazelisk-cache: true
+
+      - name: Build SBOM
+        run: |
+          bazel build ${{ inputs.sbom_target }} \
+            --define=component_version=${{ inputs.release_tag }}
+
+      - name: Collect SPDX outputs
+        run: |
+          mkdir -p sbom_output
+          find bazel-bin -name "*.spdx.json" -exec cp {} sbom_output/ \;
+          echo "SBOM files collected:"
+          ls -lh sbom_output/ || echo "(none)"
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Convert SPDX → GitHub Dependency Snapshot
+        run: |
+          mkdir -p snapshots
+          for spdx_file in sbom_output/*.spdx.json; do
+            [ -f "$spdx_file" ] || continue
+            base=$(basename "$spdx_file" .spdx.json)
+            correlator="${{ github.workflow }}_${base}"
+            echo "Converting $spdx_file (correlator: $correlator)"
+            python3 sbom/scripts/spdx_to_github_snapshot.py \
+              --input "$spdx_file" \
+              --output "snapshots/${base}_snapshot.json" \
+              --sha "${{ github.sha }}" \
+              --ref "${{ github.ref }}" \
+              --job-correlator "$correlator" \
+              --job-id "${{ github.run_id }}"
+          done
+
+      - name: Submit snapshots to GitHub Dependency Graph
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          repo="${{ github.repository }}"
+          submitted=0
+          failed=0
+          for snapshot_file in snapshots/*_snapshot.json; do
+            [ -f "$snapshot_file" ] || continue
+            echo "Submitting $snapshot_file to $repo ..."
+            http_code=$(gh api \
+              "repos/${repo}/dependency-graph/snapshots" \
+              --method POST \
+              --input "$snapshot_file" \
+              --jq '.message // "submitted"' \
+              2>&1) && {
+              echo "  OK: $http_code"
+              submitted=$((submitted + 1))
+            } || {
+              echo "  FAILED: $http_code"
+              failed=$((failed + 1))
+            }
+          done
+          echo "---"
+          echo "Submitted: $submitted, Failed: $failed"
+          [ "$failed" -eq 0 ] || exit 1
+
+      - name: Upload snapshot artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-snapshots-${{ inputs.release_tag }}
+          path: snapshots/
+          retention-days: 30

.github/workflows/tests.yml

@@ -23,3 +23,6 @@ jobs:
       - name: Run coverage module tests
         run: |
           bazel test //coverage/tests:all
+      - name: Run rules_score tests
+        run: |
+          bazel test //bazel/rules/rules_score/...

MODULE.bazel

@@ -13,7 +13,7 @@
 
 module(
     name = "score_tooling",
-    version = "1.1.0",
+    version = "0.0.0",
     compatibility_level = 1,
 )
 
@@ -28,9 +28,7 @@ bazel_dep(name = "rules_java", version = "8.15.1")
 bazel_dep(name = "rules_rust", version = "0.61.0")
 bazel_dep(name = "rules_multitool", version = "1.9.0")
 bazel_dep(name = "score_rust_policies", version = "0.0.2")
-
-bazel_dep(name = "bazel_skylib", version = "1.7.1", dev_dependency = True)
-
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "buildifier_prebuilt", version = "8.2.0.2")
 
 ###############################################################################
@@ -95,3 +93,8 @@ multitool.hub(
     lockfile = "tools/yamlfmt.lock.json",
 )
 use_repo(multitool, "yamlfmt_hub")
+
+bazel_dep(name = "score_docs_as_code", version = "3.0.1", dev_dependency = True)
+
+# bazel_dep(name = "score_platform", version = "0.5.0")
+bazel_dep(name = "score_process", version = "1.3.2")

README.md

@@ -58,14 +58,15 @@ bazel run //:rust_coverage -- --min-line-coverage 80
 
 ## Upgrading from separate MODULES
 
-If you are still using separate module imports and want to upgrade to the new version. 
+If you are still using separate module imports and want to upgrade to the new version.
 Here are two examples to showcase how to do this.
 
 ```
 load("@score_python_basics//:defs.bzl", "score_py_pytest") => load("@score_tooling//:defs.bzl", "score_py_pytest")
 load("@score_cr_checker//:cr_checker.bzl", "copyright_checker") => load("@score_tooling//:defs.bzl", "copyright_checker")
 ```
-All things inside of 'tooling' can now be imported from `@score_tooling//:defs.bzl`. 
+
+All things inside of 'tooling' can now be imported from `@score_tooling//:defs.bzl`.
 The available import targets are:
 
 - score_virtualenv
@@ -78,6 +79,7 @@ The available import targets are:
 - rust_coverage_report
 
 ## Format the tooling repository
-```bash 
+
+```bash
 bazel run //:format.fix
 ```

bazel/rules/rules_score/BUILD

@@ -0,0 +1,53 @@
+load(
+    "//bazel/rules/rules_score:rules_score.bzl",
+    "sphinx_module",
+)
+
+exports_files([
+    "templates/conf.template.py",
+    "templates/seooc_index.template.rst",
+    "templates/unit.template.rst",
+    "templates/component.template.rst",
+])
+
+# HTML merge tool
+py_binary(
+    name = "sphinx_html_merge",
+    srcs = ["src/sphinx_html_merge.py"],
+    main = "src/sphinx_html_merge.py",
+    visibility = ["//visibility:public"],
+)
+
+# Sphinx build binary with all required dependencies
+py_binary(
+    name = "score_build",
+    srcs = ["src/sphinx_wrapper.py"],
+    data = [],
+    env = {
+        "SOURCE_DIRECTORY": "",
+        "DATA": "",
+        "ACTION": "check",
+    },
+    main = "src/sphinx_wrapper.py",
+    visibility = ["//visibility:public"],
+    deps = [
+        "@score_docs_as_code//src:plantuml_for_python",
+        "@score_docs_as_code//src/extensions/score_sphinx_bundle",
+    ],
+)
+
+sphinx_module(
+    name = "rules_score_doc",
+    srcs = glob(
+        [
+            "docs/**/*.rst",
+            "docs/**/*.puml",
+        ],
+        allow_empty = True,
+    ),
+    index = "docs/index.rst",
+    visibility = ["//visibility:public"],
+    deps = [
+        "@score_process//:score_process_module",
+    ],
+)