[demo-ui] call cyclonedx-npm from frontend-maven-plugin

.jenkins/weekly.jenkins

@@ -37,14 +37,9 @@ pipeline {
           sh ''' mvn -B clean install javadoc:javadoc -PeclipseJenkins -DskipTests'''
         }
 
-        // Generate SBOM for maven 
+        // Generate SBOM for maven (SBOM for frontend are automatically created during default build) 
         sh ''' mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom '''
 
-        // Generate SBOM for npm with trivy
-        // We should generate sbom with cyclonedx-npm see : https://github.com/eclipse-leshan/leshan/issues/1550#issuecomment-1878802371
-        sh ''' trivy fs leshan-demo-server/webapp --format cyclonedx --output leshan-demo-server/target/bom-frontend.json  --include-dev-deps '''
-        sh ''' trivy fs leshan-demo-bsserver/webapp --format cyclonedx --output leshan-demo-bsserver/target/bom-frontend.json  --include-dev-deps '''
-
         // check for vulnerabilities
         // "find" to search file
         // xargs to get correct exit code (find always return 0) 

.trivyignore

@@ -6,9 +6,13 @@
 # ------------
 # No affected by this vulnerability : we don't use parseHTML and close tag correctly. 
 # See : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9506
-# could be remove after : 
+# could be remove after : https://github.com/eclipse-leshan/leshan/issues/1665
 CVE-2024-9506
 
+# We need to wait for : https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1079
+CVE-2024-34394
+CVE-2024-34393
+
 # =========================
 # About Leshan Libraries
 # =========================

build-config/demo-build-config/pom.xml

@@ -99,6 +99,22 @@ Contributors:
                 <arguments>run build</arguments>
               </configuration>
             </execution>
+            <execution>
+              <?m2e ignore?>
+              <id>npm sbom</id>
+              <goals>
+                <goal>npm</goal>
+              </goals>
+              <configuration>
+                <environmentVariables>
+                  <!-- this variable will be used by package.json -->
+                  <OUTPUT_FORMAT>json</OUTPUT_FORMAT>
+                  <OUTPUT_BOM_NAME>bom-frontend</OUTPUT_BOM_NAME>
+                  <OUTPUT_BOM_DIRECTORY>${project.build.directory}</OUTPUT_BOM_DIRECTORY>
+                </environmentVariables>
+                <arguments>run sbom_maven</arguments>
+              </configuration>
+            </execution>
           </executions>
         </plugin>
       </plugins>

leshan-demo-bsserver/webapp/package.json

@@ -9,7 +9,8 @@
     "preview": "vite preview",
     "lint": "eslint --ext .js,.vue --ignore-path .gitignore --fix src",
     "report": "REPORT=true vite build --emptyOutDir",
-    "sbom": "cyclonedx-npm --output-format json --output-file ../target/sbom-frontend.json"
+    "sbom": "cyclonedx-npm --output-format json --output-file ../target/sbom-frontend.json",
+    "sbom_maven": "cyclonedx-npm --output-format ${OUTPUT_FORMAT} --output-file ${OUTPUT_BOM_DIRECTORY}/${OUTPUT_BOM_NAME}.${OUTPUT_FORMAT}"
   },
   "dependencies": {
     "@fontsource/roboto": "^4.5.0",

leshan-demo-server/webapp/package.json

@@ -9,7 +9,8 @@
     "preview": "vite preview",
     "lint": "eslint --ext .js,.vue --ignore-path .gitignore --fix src",
     "report": "REPORT=true vite build --emptyOutDir",
-    "sbom": "cyclonedx-npm --output-format json --output-file ../target/sbom-frontend.json"
+    "sbom": "cyclonedx-npm --output-format json --output-file ../target/sbom-frontend.json",
+    "sbom_maven": "cyclonedx-npm --output-format ${OUTPUT_FORMAT} --output-file ${OUTPUT_BOM_DIRECTORY}/${OUTPUT_BOM_NAME}.${OUTPUT_FORMAT}"
   },
   "dependencies": {
     "@fontsource/roboto": "^4.5.0",