Integrate Native Image SBOM with GitHub's Dependency Submission API

.github/workflows/test.yml

@@ -420,3 +420,40 @@ jobs:
       #     popd > /dev/null
       - name: Remove components
         run: gu remove espresso llvm-toolchain nodejs python ruby wasm
+  test-sbom:
+    name: test 'native-image-enable-sbom' option
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: write
+    strategy:
+      matrix:
+        java-version: ['24-ea', 'latest-ea']
+        distribution: ['graalvm']
+        os: [macos-latest, windows-latest, ubuntu-latest]
+        set-gds-token: [false]
+        components: ['']
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run setup-graalvm action
+        uses: ./
+        with:
+          java-version: ${{ matrix.java-version }}
+          distribution: ${{ matrix.distribution }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          components: ${{ matrix.components }}
+          gds-token: ${{ matrix.set-gds-token && secrets.GDS_TOKEN || '' }}
+          native-image-enable-sbom: 'true'
+      - name: Build Maven project and verify that SBOM was generated and its contents
+        run: |
+          cd __tests__/sbom/main-test-app
+          mvn --no-transfer-progress -Pnative package
+          bash verify-sbom.sh
+        shell: bash
+        if: runner.os != 'Windows'
+      - name: Build Maven project and verify that SBOM was generated and its contents (Windows)
+        run: |
+          cd __tests__\sbom\main-test-app
+          mvn --no-transfer-progress -Pnative package
+          cmd /c verify-sbom.cmd
+        shell: cmd
+        if: runner.os == 'Windows'

.gitignore

@@ -97,3 +97,6 @@ Thumbs.db
 # Ignore built ts files
 __tests__/runner/*
 lib/**/*
+
+# Ignore target directory in __tests__
+__tests__/**/target

README.md

@@ -205,6 +205,7 @@ This actions can be configured with the following options:
 | `native-image-job-reports` *) | `'false'` | If set to `'true'`, post a job summary containing a Native Image build report. |
 | `native-image-pr-reports`  *) | `'false'` | If set to `'true'`, post a comment containing a Native Image build report on pull requests. Requires `write` permissions for the [`pull-requests` scope][gha-permissions]. |
 | `native-image-pr-reports-update-existing` *) | `'false'` | Instead of posting another comment, update an existing PR comment with the latest Native Image build report. Requires `native-image-pr-reports` to be `true`. |
+| `native-image-enable-sbom` | `'false'` | If set to `'true'`, generate a minimal SBOM based on the Native Image static analysis and submit it to GitHub's dependency submission API. This enables the [dependency graph feature](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) for dependency tracking and vulnerability analysis. Requires `write` permissions for the [`contents` scope][gha-permissions] and the dependency graph to be actived (on by default for public repositories - see [how to activate](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository)). Only available in Oracle GraalVM for JDK 24 or later. |
 | `components`    | `''`     | Comma-separated list of GraalVM components (e.g., `native-image` or `ruby,nodejs`) that will be installed by the [GraalVM Updater][gu]. |
 | `version` | `''` | `X.Y.Z` (e.g., `22.3.0`) for a specific [GraalVM release][releases] up to `22.3.2`<br>`mandrel-X.Y.Z.W` or `X.Y.Z.W-Final` (e.g., `mandrel-21.3.0.0-Final` or `21.3.0.0-Final`) for a specific [Mandrel release][mandrel-releases],<br>`mandrel-latest` or `latest` for the latest Mandrel stable release. |
 | `gds-token`     | `''`     Download token for the GraalVM Download Service. If a non-empty token is provided, the action will set up Oracle GraalVM (see [Oracle GraalVM via GDS template](#template-for-oracle-graalvm-via-graalvm-download-service)) or GraalVM Enterprise Edition (see [GraalVM EE template](#template-for-graalvm-enterprise-edition)) via GDS. |

__tests__/cleanup.test.ts

@@ -49,7 +49,7 @@ describe('cleanup', () => {
     resetState()
   })
 
-  it('does not fail nor warn even when the save provess throws a ReserveCacheError', async () => {
+  it('does not fail nor warn even when the save process throws a ReserveCacheError', async () => {
     spyCacheSave.mockImplementation((paths: string[], key: string) =>
       Promise.reject(
         new cache.ReserveCacheError(

__tests__/sbom.test.ts

@@ -0,0 +1,306 @@
+import * as c from '../src/constants'
+import {setUpSBOMSupport, processSBOM} from '../src/features/sbom'
+import * as core from '@actions/core'
+import * as github from '@actions/github'
+import * as glob from '@actions/glob'
+import {join} from 'path'
+import {tmpdir} from 'os'
+import {mkdtempSync, writeFileSync, rmSync} from 'fs'
+
+jest.mock('@actions/glob')
+jest.mock('@actions/github', () => ({
+  getOctokit: jest.fn(() => ({
+    request: jest.fn().mockResolvedValue(undefined)
+  })),
+  context: {
+    repo: {
+      owner: 'test-owner',
+      repo: 'test-repo'
+    },
+    sha: 'test-sha',
+    ref: 'test-ref',
+    workflow: 'test-workflow',
+    job: 'test-job',
+    runId: '12345'
+  }
+}))
+
+function mockFindSBOM(files: string[]) {
+  const mockCreate = jest.fn().mockResolvedValue({
+    glob: jest.fn().mockResolvedValue(files)
+  })
+  ;(glob.create as jest.Mock).mockImplementation(mockCreate)
+}
+
+// Mocks the GitHub dependency submission API return value
+// 'undefined' is treated as a successful request
+function mockGithubAPIReturnValue(returnValue: Error | undefined = undefined) {
+  const mockOctokit = {
+    request:
+      returnValue === undefined
+        ? jest.fn().mockResolvedValue(returnValue)
+        : jest.fn().mockRejectedValue(returnValue)
+  }
+  ;(github.getOctokit as jest.Mock).mockReturnValue(mockOctokit)
+  return mockOctokit
+}
+
+describe('sbom feature', () => {
+  let spyInfo: jest.SpyInstance<void, Parameters<typeof core.info>>
+  let spyWarning: jest.SpyInstance<void, Parameters<typeof core.warning>>
+  let spyExportVariable: jest.SpyInstance<
+    void,
+    Parameters<typeof core.exportVariable>
+  >
+  let workspace: string
+  let originalEnv: NodeJS.ProcessEnv
+  const javaVersion = '24.0.0'
+  const distribution = c.DISTRIBUTION_GRAALVM
+
+  beforeEach(() => {
+    originalEnv = process.env
+
+    process.env = {
+      ...process.env,
+      GITHUB_REPOSITORY: 'test-owner/test-repo',
+      GITHUB_TOKEN: 'fake-token'
+    }
+
+    workspace = mkdtempSync(join(tmpdir(), 'setup-graalvm-sbom-'))
+    mockGithubAPIReturnValue()
+
+    spyInfo = jest.spyOn(core, 'info').mockImplementation(() => null)
+    spyWarning = jest.spyOn(core, 'warning').mockImplementation(() => null)
+    spyExportVariable = jest
+      .spyOn(core, 'exportVariable')
+      .mockImplementation(() => null)
+    jest.spyOn(core, 'getInput').mockImplementation((name: string) => {
+      if (name === 'native-image-enable-sbom') {
+        return 'true'
+      }
+      if (name === 'github-token') {
+        return 'fake-token'
+      }
+      return ''
+    })
+  })
+
+  afterEach(() => {
+    process.env = originalEnv
+    jest.clearAllMocks()
+    spyInfo.mockRestore()
+    spyWarning.mockRestore()
+    spyExportVariable.mockRestore()
+    rmSync(workspace, {recursive: true, force: true})
+  })
+
+  describe('setup', () => {
+    it('should throw an error when the distribution is not Oracle GraalVM', () => {
+      const not_supported_distributions = [
+        c.DISTRIBUTION_GRAALVM_COMMUNITY,
+        c.DISTRIBUTION_MANDREL,
+        c.DISTRIBUTION_LIBERICA,
+        ''
+      ]
+      for (const distribution of not_supported_distributions) {
+        expect(() => setUpSBOMSupport(javaVersion, distribution)).toThrow()
+      }
+    })
+
+    it('should throw an error when the java-version is not supported', () => {
+      const not_supported_versions = ['23', '23-ea', '21.0.3', 'dev', '17', '']
+      for (const version of not_supported_versions) {
+        expect(() => setUpSBOMSupport(version, distribution)).toThrow()
+      }
+    })
+
+    it('should not throw an error when the java-version is supported', () => {
+      const supported_versions = ['24', '24-ea', '24.0.2', 'latest-ea']
+      for (const version of supported_versions) {
+        expect(() => setUpSBOMSupport(version, distribution)).not.toThrow()
+      }
+    })
+
+    it('should set the SBOM option when activated', () => {
+      setUpSBOMSupport(javaVersion, distribution)
+
+      expect(spyExportVariable).toHaveBeenCalledWith(
+        c.NATIVE_IMAGE_OPTIONS_ENV,
+        expect.stringContaining('--enable-sbom=export')
+      )
+      expect(spyInfo).toHaveBeenCalledWith(
+        'Enabled SBOM generation for Native Image build'
+      )
+      expect(spyWarning).not.toHaveBeenCalled()
+    })
+
+    it('should not set the SBOM option when not activated', () => {
+      jest.spyOn(core, 'getInput').mockReturnValue('false')
+      setUpSBOMSupport(javaVersion, distribution)
+
+      expect(spyExportVariable).not.toHaveBeenCalled()
+      expect(spyInfo).not.toHaveBeenCalled()
+      expect(spyWarning).not.toHaveBeenCalled()
+    })
+  })
+
+  describe('process', () => {
+    async function setUpAndProcessSBOM(sbom: object): Promise<void> {
+      setUpSBOMSupport(javaVersion, distribution)
+      spyInfo.mockClear()
+
+      // Mock 'native-image' invocation by creating the SBOM file
+      const sbomPath = join(workspace, 'test.sbom.json')
+      writeFileSync(sbomPath, JSON.stringify(sbom, null, 2))
+
+      mockFindSBOM([sbomPath])
+
+      await processSBOM()
+    }
+
+    const sampleSBOM = {
+      bomFormat: 'CycloneDX',
+      specVersion: '1.5',
+      version: 1,
+      serialNumber: 'urn:uuid:52c977f8-6d04-3c07-8826-597a036d61a6',
+      components: [
+        {
+          type: 'library',
+          group: 'org.json',
+          name: 'json',
+          version: '20241224',
+          purl: 'pkg:maven/org.json/json@20241224',
+          'bom-ref': 'pkg:maven/org.json/json@20241224',
+          properties: [
+            {
+              name: 'syft:cpe23',
+              value: 'cpe:2.3:a:json:json:20241224:*:*:*:*:*:*:*'
+            }
+          ]
+        },
+        {
+          type: 'library',
+          group: 'com.oracle',
+          name: 'main-test-app',
+          version: '1.0-SNAPSHOT',
+          purl: 'pkg:maven/com.oracle/main-test-app@1.0-SNAPSHOT',
+          'bom-ref': 'pkg:maven/com.oracle/main-test-app@1.0-SNAPSHOT'
+        }
+      ],
+      dependencies: [
+        {
+          ref: 'pkg:maven/com.oracle/main-test-app@1.0-SNAPSHOT',
+          dependsOn: ['pkg:maven/org.json/json@20241224']
+        },
+        {
+          ref: 'pkg:maven/org.json/json@20241224',
+          dependsOn: []
+        }
+      ]
+    }
+
+    it('should process SBOM and display components', async () => {
+      await setUpAndProcessSBOM(sampleSBOM)
+
+      expect(spyInfo).toHaveBeenCalledWith(
+        'Found SBOM: ' + join(workspace, 'test.sbom.json')
+      )
+      expect(spyInfo).toHaveBeenCalledWith('=== SBOM Content ===')
+      expect(spyInfo).toHaveBeenCalledWith('- pkg:maven/org.json/json@20241224')
+      expect(spyInfo).toHaveBeenCalledWith(
+        '- pkg:maven/com.oracle/main-test-app@1.0-SNAPSHOT'
+      )
+      expect(spyInfo).toHaveBeenCalledWith(
+        '   depends on: pkg:maven/org.json/json@20241224'
+      )
+      expect(spyWarning).not.toHaveBeenCalled()
+    })
+
+    it('should handle components without purl', async () => {
+      const sbomWithoutPurl = {
+        ...sampleSBOM,
+        components: [
+          {
+            type: 'library',
+            name: 'no-purl-package',
+            version: '1.0.0',
+            'bom-ref': 'no-purl-package@1.0.0'
+          }
+        ]
+      }
+      await setUpAndProcessSBOM(sbomWithoutPurl)
+
+      expect(spyInfo).toHaveBeenCalledWith('=== SBOM Content ===')
+      expect(spyInfo).toHaveBeenCalledWith('- no-purl-package@1.0.0')
+      expect(spyWarning).not.toHaveBeenCalled()
+    })
+
+    it('should handle missing SBOM file', async () => {
+      setUpSBOMSupport(javaVersion, distribution)
+      spyInfo.mockClear()
+
+      mockFindSBOM([])
+
+      await expect(processSBOM()).rejects.toBeInstanceOf(Error)
+    })
+
+    it('should throw when JSON contains an invalid SBOM', async () => {
+      const invalidSBOM = {
+        'out-of-spec-field': {}
+      }
+      try {
+        await setUpAndProcessSBOM(invalidSBOM)
+        fail('Expected an error since invalid JSON was passed')
+      } catch (error) {
+        expect(error).toBeInstanceOf(Error)
+      }
+    })
+
+    it('should submit dependencies when processing valid SBOM', async () => {
+      const mockOctokit = mockGithubAPIReturnValue(undefined)
+      await setUpAndProcessSBOM(sampleSBOM)
+
+      expect(mockOctokit.request).toHaveBeenCalledWith(
+        'POST /repos/{owner}/{repo}/dependency-graph/snapshots',
+        expect.objectContaining({
+          owner: 'test-owner',
+          repo: 'test-repo',
+          version: expect.any(Number),
+          sha: 'test-sha',
+          ref: 'test-ref',
+          job: expect.objectContaining({
+            correlator: 'test-workflow_test-job',
+            id: '12345'
+          }),
+          manifests: expect.objectContaining({
+            'test.sbom.json': expect.objectContaining({
+              name: 'test.sbom.json',
+              resolved: expect.objectContaining({
+                json: expect.objectContaining({
+                  package_url: 'pkg:maven/org.json/json@20241224',
+                  dependencies: []
+                }),
+                'main-test-app': expect.objectContaining({
+                  package_url:
+                    'pkg:maven/com.oracle/main-test-app@1.0-SNAPSHOT',
+                  dependencies: ['pkg:maven/org.json/json@20241224']
+                })
+              })
+            })
+          })
+        })
+      )
+      expect(spyInfo).toHaveBeenCalledWith(
+        'Dependency snapshot submitted successfully.'
+      )
+    })
+
+    it('should handle GitHub API submission errors gracefully', async () => {
+      mockGithubAPIReturnValue(new Error('API submission failed'))
+
+      await expect(setUpAndProcessSBOM(sampleSBOM)).rejects.toBeInstanceOf(
+        Error
+      )
+    })
+  })
+})

__tests__/sbom/main-test-app/pom.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.oracle</groupId>
+    <artifactId>main-test-app</artifactId>
+    <version>1.0.0</version>
+
+    <properties>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.json</groupId>
+            <artifactId>json</artifactId>
+            <version>20241224</version>
+        </dependency>
+    </dependencies>
+
+    <profiles>
+        <profile>
+            <id>native</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.graalvm.buildtools</groupId>
+                        <artifactId>native-maven-plugin</artifactId>
+                        <version>0.10.3</version>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>compile-no-fork</goal>
+                                </goals>
+                                <phase>package</phase>
+                            </execution>
+                        </executions>
+                        <configuration>
+                            <mainClass>com.oracle.sbom.SBOMTestApplication</mainClass>
+                            <buildArgs>
+                                <buildArg>-Ob</buildArg>
+                                <buildArg>--no-fallback</buildArg>
+                                <buildArg>-H:+ReportExceptionStackTraces</buildArg>
+                            </buildArgs>
+                        </configuration>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+</project>

__tests__/sbom/main-test-app/src/main/java/com/oracle/sbom/SBOMTestApplication.java

@@ -0,0 +1,12 @@
+package com.oracle.sbom;
+
+import org.json.JSONObject;
+
+public class SBOMTestApplication {
+    public static void main(String argv[]) {
+        JSONObject jo = new JSONObject();
+        jo.put("lorem", "ipsum");
+        jo.put("dolor", "sit amet");
+        System.out.println(jo);
+    }
+}

__tests__/sbom/main-test-app/verify-sbom.cmd

@@ -0,0 +1,14 @@
+@echo off
+set "SCRIPT_DIR=%~dp0"
+
+for %%p in (
+    "\"pkg:maven/org.json/json@20241224\""
+    "\"main-test-app\""
+    "\"svm\""
+    "\"nativeimage\""
+) do (
+    echo Checking for %%p
+    findstr /c:%%p "%SCRIPT_DIR%target\main-test-app.sbom.json" || exit /b 1
+)
+
+echo SBOM was successfully generated and contained the expected components

__tests__/sbom/main-test-app/verify-sbom.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+required_patterns=(
+    '"pkg:maven/org.json/json@20241224"'
+    '"main-test-app"'
+    '"svm"'
+    '"nativeimage"'
+)
+
+for pattern in "${required_patterns[@]}"; do
+    echo "Checking for $pattern"
+    if ! grep -q "$pattern" "$script_dir/target/main-test-app.sbom.json"; then
+        echo "Pattern not found: $pattern"
+        exit 1
+    fi
+done
+
+echo "SBOM was successfully generated and contained the expected components"

action.yml

@@ -51,6 +51,10 @@ inputs:
     required: false
     description: 'Instead of posting another comment, update an existing PR comment with the latest Native Image build report.'
     default: 'false'
+  native-image-enable-sbom:
+    required: false
+    description: 'Automatically generate an SBOM and submit it to the GitHub dependency submission API for vulnerability and dependency tracking.'
+    default: 'false'
   version:
     required: false
     description: 'GraalVM version (release, latest, dev).'

package-lock.json

@@ -19,6 +19,7 @@
         "@actions/tool-cache": "^2.0.2",
         "@octokit/core": "^5.2.0",
         "@octokit/types": "^12.6.0",
+        "@github/dependency-submission-toolkit": "^2.0.4",
         "semver": "^7.6.3",
         "uuid": "^11.0.5"
       },
@@ -1111,6 +1112,22 @@
       "integrity": "sha512-gIhjdJp/c2beaIWWIlsXdqXVRUz3r2BxBCpfz/F3JXHvSAQ1paMYjLH+maEATtENg+k5eLV7gA+9yPp762ieuw==",
       "dev": true
     },
+    "node_modules/@github/dependency-submission-toolkit": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/@github/dependency-submission-toolkit/-/dependency-submission-toolkit-2.0.4.tgz",
+      "integrity": "sha512-uQia1YSLTrVmy+f6XpAzy/MEFDvjMg/VOm9pdROxVKQA5SvLXDvXeGgxLwy9fH+sXHqtDWRnVOI1+UAcQ4pi/w==",
+      "license": "MIT",
+      "workspaces": [
+        "example"
+      ],
+      "dependencies": {
+        "@actions/core": "^1.10.1",
+        "@actions/github": "^6.0.0",
+        "@octokit/request-error": "^5.0.1",
+        "@octokit/webhooks-types": "^7.3.1",
+        "packageurl-js": "^1.2.1"
+      }
+    },
     "node_modules/@humanwhocodes/config-array": {
       "version": "0.11.14",
       "resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.14.tgz",
@@ -1796,6 +1813,12 @@
         "@octokit/openapi-types": "^20.0.0"
       }
     },
+    "node_modules/@octokit/webhooks-types": {
+      "version": "7.6.1",
+      "resolved": "https://registry.npmjs.org/@octokit/webhooks-types/-/webhooks-types-7.6.1.tgz",
+      "integrity": "sha512-S8u2cJzklBC0FgTwWVLaM8tMrDuDMVE4xiTK4EYXM9GntyvrdbSoxqDQa+Fh57CCNApyIpyeqPhhFEmHPfrXgw==",
+      "license": "MIT"
+    },
     "node_modules/@opentelemetry/api": {
       "version": "1.8.0",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.8.0.tgz",
@@ -6648,6 +6671,12 @@
         "node": ">=6"
       }
     },
+    "node_modules/packageurl-js": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/packageurl-js/-/packageurl-js-1.2.1.tgz",
+      "integrity": "sha512-cZ6/MzuXaoFd16/k0WnwtI298UCaDHe/XlSh85SeOKbGZ1hq0xvNbx3ILyCMyk7uFQxl6scF3Aucj6/EO9NwcA==",
+      "license": "MIT"
+    },
     "node_modules/parent-module": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
@@ -7998,10 +8027,11 @@
       }
     },
     "node_modules/typescript": {
-      "version": "5.4.2",
-      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.2.tgz",
-      "integrity": "sha512-+2/g0Fds1ERlP6JsakQQDXjZdZMM+rqpamFZJEKh4kwTIn3iDkgKtby0CeNd5ATNZ4Ry1ax15TMx0W2V+miizQ==",
+      "version": "5.7.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.7.2.tgz",
+      "integrity": "sha512-i5t66RHxDvVN40HfDd1PsEThGNnlMCMT3jMUuoh9/0TaqWevNontacunWyN02LA9/fIbEWlcHZcgTKb9QoaLfg==",
       "dev": true,
+      "license": "Apache-2.0",
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"

package.json

@@ -37,6 +37,7 @@
     "@actions/tool-cache": "^2.0.2",
     "@octokit/core": "^5.2.0",
     "@octokit/types": "^12.6.0",
+    "@github/dependency-submission-toolkit": "^2.0.4",
     "semver": "^7.6.3",
     "uuid": "^11.0.5"
   },

src/cleanup.ts

@@ -28,6 +28,7 @@ import * as core from '@actions/core'
 import * as constants from './constants'
 import {save} from './features/cache'
 import {generateReports} from './features/reports'
+import {processSBOM} from './features/sbom'
 
 /**
  * Check given input and run a save process for the specified package manager
@@ -58,6 +59,7 @@ async function ignoreErrors(promise: Promise<void>): Promise<unknown> {
 
 export async function run(): Promise<void> {
   await ignoreErrors(generateReports())
+  await ignoreErrors(processSBOM())
   await ignoreErrors(saveCache())
 }
 

src/constants.ts

@@ -14,6 +14,8 @@ export const INPUT_CACHE = 'cache'
 export const INPUT_CHECK_FOR_UPDATES = 'check-for-updates'
 export const INPUT_NI_MUSL = 'native-image-musl'
 
+export const NATIVE_IMAGE_OPTIONS_ENV = 'NATIVE_IMAGE_OPTIONS'
+
 export const IS_LINUX = process.platform === 'linux'
 export const IS_MACOS = process.platform === 'darwin'
 export const IS_WINDOWS = process.platform === 'win32'

src/features/reports.ts

@@ -3,17 +3,17 @@ import * as core from '@actions/core'
 import * as fs from 'fs'
 import * as github from '@actions/github'
 import * as semver from 'semver'
-import {join} from 'path'
-import {tmpdir} from 'os'
 import {
   createPRComment,
   findExistingPRCommentId,
   isPREvent,
   toSemVer,
-  updatePRComment
+  updatePRComment,
+  tmpfile,
+  setNativeImageOption
 } from '../utils'
 
-const BUILD_OUTPUT_JSON_PATH = join(tmpdir(), 'native-image-build-output.json')
+const BUILD_OUTPUT_JSON_PATH = tmpfile('native-image-build-output.json')
 const BYTES_TO_KiB = 1024
 const BYTES_TO_MiB = 1024 * 1024
 const BYTES_TO_GiB = 1024 * 1024 * 1024
@@ -22,12 +22,6 @@ const DOCS_BASE =
 const INPUT_NI_JOB_REPORTS = 'native-image-job-reports'
 const INPUT_NI_PR_REPORTS = 'native-image-pr-reports'
 const INPUT_NI_PR_REPORTS_UPDATE = 'native-image-pr-reports-update-existing'
-const NATIVE_IMAGE_CONFIG_FILE = join(
-  tmpdir(),
-  'native-image-options.properties'
-)
-const NATIVE_IMAGE_OPTIONS_ENV = 'NATIVE_IMAGE_OPTIONS'
-const NATIVE_IMAGE_CONFIG_FILE_ENV = 'NATIVE_IMAGE_CONFIG_FILE'
 const PR_COMMENT_TITLE = '## GraalVM Native Image Build Report'
 
 interface AnalysisResult {
@@ -169,43 +163,6 @@ function arePRReportsUpdateEnabled(): boolean {
   return isPREvent() && core.getInput(INPUT_NI_PR_REPORTS_UPDATE) === 'true'
 }
 
-function setNativeImageOption(
-  javaVersionOrDev: string,
-  optionValue: string
-): void {
-  const coercedJavaVersionOrDev = semver.coerce(javaVersionOrDev)
-  if (
-    (coercedJavaVersionOrDev &&
-      semver.gte(coercedJavaVersionOrDev, '22.0.0')) ||
-    javaVersionOrDev === c.VERSION_DEV ||
-    javaVersionOrDev.endsWith('-ea')
-  ) {
-    /* NATIVE_IMAGE_OPTIONS was introduced in GraalVM for JDK 22 (so were EA builds). */
-    let newOptionValue = optionValue
-    const existingOptions = process.env[NATIVE_IMAGE_OPTIONS_ENV]
-    if (existingOptions) {
-      newOptionValue = `${existingOptions} ${newOptionValue}`
-    }
-    core.exportVariable(NATIVE_IMAGE_OPTIONS_ENV, newOptionValue)
-  } else {
-    const optionsFile = getNativeImageOptionsFile()
-    if (fs.existsSync(optionsFile)) {
-      fs.appendFileSync(optionsFile, ` ${optionValue}`)
-    } else {
-      fs.writeFileSync(optionsFile, `NativeImageArgs = ${optionValue}`)
-    }
-  }
-}
-
-function getNativeImageOptionsFile(): string {
-  let optionsFile = process.env[NATIVE_IMAGE_CONFIG_FILE_ENV]
-  if (optionsFile === undefined) {
-    optionsFile = NATIVE_IMAGE_CONFIG_FILE
-    core.exportVariable(NATIVE_IMAGE_CONFIG_FILE_ENV, optionsFile)
-  }
-  return optionsFile
-}
-
 function createReport(data: BuildOutput): string {
   const context = github.context
   const info = data.general_info

src/features/sbom.ts

@@ -0,0 +1,300 @@
+import * as c from '../constants'
+import * as core from '@actions/core'
+import * as fs from 'fs'
+import * as github from '@actions/github'
+import * as glob from '@actions/glob'
+import {basename} from 'path'
+import * as semver from 'semver'
+import {setNativeImageOption} from '../utils'
+
+const INPUT_NI_SBOM = 'native-image-enable-sbom'
+const SBOM_FILE_SUFFIX = '.sbom.json'
+const MIN_JAVA_VERSION = '24.0.0'
+
+let javaVersionOrLatestEA: string | null = null
+
+interface SBOM {
+  components: Component[]
+  dependencies: Dependency[]
+}
+
+interface Component {
+  name: string
+  version?: string
+  purl?: string
+  dependencies?: string[]
+  'bom-ref': string
+}
+
+interface Dependency {
+  ref: string
+  dependsOn: string[]
+}
+
+interface DependencySnapshot {
+  version: number
+  sha: string
+  ref: string
+  job: {
+    correlator: string
+    id: string
+    html_url?: string
+  }
+  detector: {
+    name: string
+    version: string
+    url: string
+  }
+  scanned: string
+  manifests: Record<
+    string,
+    {
+      name: string
+      metadata?: Record<string, string>
+      // Not including the 'file' property because we cannot specify any reasonable value for 'source_location'
+      // since the SBOM will not necessarily be saved in the repository of the user.
+      // GitHub docs: https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28#create-a-snapshot-of-dependencies-for-a-repository
+      resolved: Record<
+        string,
+        {
+          package_url: string
+          relationship?: 'direct'
+          scope?: 'runtime'
+          dependencies?: string[]
+        }
+      >
+    }
+  >
+}
+
+export function setUpSBOMSupport(
+  javaVersionOrDev: string,
+  distribution: string
+): void {
+  if (!isFeatureEnabled()) {
+    return
+  }
+
+  validateJavaVersionAndDistribution(javaVersionOrDev, distribution)
+  javaVersionOrLatestEA = javaVersionOrDev
+  setNativeImageOption(javaVersionOrLatestEA, '--enable-sbom=export')
+  core.info('Enabled SBOM generation for Native Image build')
+}
+
+function validateJavaVersionAndDistribution(
+  javaVersionOrDev: string,
+  distribution: string
+): void {
+  if (distribution !== c.DISTRIBUTION_GRAALVM) {
+    throw new Error(
+      `The '${INPUT_NI_SBOM}' option is only supported for Oracle GraalVM (distribution '${c.DISTRIBUTION_GRAALVM}'), but found distribution '${distribution}'.`
+    )
+  }
+
+  if (javaVersionOrDev === 'dev') {
+    throw new Error(
+      `The '${INPUT_NI_SBOM}' option is not supported for java-version 'dev'.`
+    )
+  }
+
+  if (javaVersionOrDev === 'latest-ea') {
+    return
+  }
+
+  const coercedJavaVersion = semver.coerce(javaVersionOrDev)
+  if (!coercedJavaVersion || semver.gt(MIN_JAVA_VERSION, coercedJavaVersion)) {
+    throw new Error(
+      `The '${INPUT_NI_SBOM}' option is only supported for GraalVM for JDK ${MIN_JAVA_VERSION} or later, but found java-version '${javaVersionOrDev}'.`
+    )
+  }
+}
+
+export async function processSBOM(): Promise<void> {
+  if (!isFeatureEnabled()) {
+    return
+  }
+
+  if (javaVersionOrLatestEA === null) {
+    throw new Error('setUpSBOMSupport must be called before processSBOM')
+  }
+
+  const sbomPath = await findSBOMFilePath()
+  try {
+    const sbomContent = fs.readFileSync(sbomPath, 'utf8')
+    const sbomData = parseSBOM(sbomContent)
+    const components = mapToComponentsWithDependencies(sbomData)
+    printSBOMContent(components)
+    const snapshot = convertSBOMToSnapshot(sbomPath, components)
+    await submitDependencySnapshot(snapshot)
+  } catch (error) {
+    throw new Error(
+      `Failed to process and submit SBOM to the GitHub dependency submission API: ${error instanceof Error ? error.message : String(error)}`
+    )
+  }
+}
+
+function isFeatureEnabled(): boolean {
+  return core.getInput(INPUT_NI_SBOM) === 'true'
+}
+
+async function findSBOMFilePath(): Promise<string> {
+  const globber = await glob.create(`**/*${SBOM_FILE_SUFFIX}`)
+  const sbomFiles = await globber.glob()
+
+  if (sbomFiles.length === 0) {
+    throw new Error(
+      'No SBOM found. Make sure native-image build completed successfully.'
+    )
+  }
+
+  if (sbomFiles.length > 1) {
+    throw new Error(
+      `Expected one SBOM but found multiple: ${sbomFiles.join(', ')}.`
+    )
+  }
+
+  core.info(`Found SBOM: ${sbomFiles[0]}`)
+  return sbomFiles[0]
+}
+
+function parseSBOM(jsonString: string): SBOM {
+  try {
+    const sbomData: SBOM = JSON.parse(jsonString)
+    return sbomData
+  } catch (error) {
+    throw new Error(
+      `Failed to parse SBOM JSON: ${error instanceof Error ? error.message : String(error)}`
+    )
+  }
+}
+
+// Maps the SBOM to a list of components with their dependencies
+function mapToComponentsWithDependencies(sbom: SBOM): Component[] {
+  if (!sbom || sbom.components.length === 0) {
+    throw new Error('Invalid SBOM data or no components found.')
+  }
+
+  return sbom.components.map((component: Component) => {
+    const dependencies =
+      sbom.dependencies?.find(
+        (dep: Dependency) => dep.ref === component['bom-ref']
+      )?.dependsOn || []
+
+    return {
+      name: component.name,
+      version: component.version,
+      purl: component.purl,
+      dependencies,
+      'bom-ref': component['bom-ref']
+    }
+  })
+}
+
+function printSBOMContent(components: Component[]): void {
+  core.info('=== SBOM Content ===')
+  for (const component of components) {
+    core.info(`- ${component['bom-ref']}`)
+    if (component.dependencies && component.dependencies.length > 0) {
+      core.info(`   depends on: ${component.dependencies.join(', ')}`)
+    }
+  }
+  core.info('==================')
+}
+
+function convertSBOMToSnapshot(
+  sbomPath: string,
+  components: Component[]
+): DependencySnapshot {
+  const context = github.context
+  const sbomFileName = basename(sbomPath)
+
+  if (!sbomFileName.endsWith(SBOM_FILE_SUFFIX)) {
+    throw new Error(
+      `Invalid SBOM file name: ${sbomFileName}. Expected a file ending with ${SBOM_FILE_SUFFIX}.`
+    )
+  }
+
+  return {
+    version: 0,
+    sha: context.sha,
+    ref: context.ref,
+    job: {
+      correlator: `${context.workflow}_${context.job}`,
+      id: context.runId.toString(),
+      html_url: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`
+    },
+    detector: {
+      name: 'Oracle GraalVM',
+      version: javaVersionOrLatestEA ?? '',
+      url: 'https://www.graalvm.org/'
+    },
+    scanned: new Date().toISOString(),
+    manifests: {
+      [sbomFileName]: {
+        name: sbomFileName,
+        resolved: mapComponentsToGithubAPIFormat(components),
+        metadata: {
+          generated_by: 'SBOM generated by GraalVM Native Image',
+          action_version: c.ACTION_VERSION
+        }
+      }
+    }
+  }
+}
+
+function mapComponentsToGithubAPIFormat(
+  components: Component[]
+): Record<string, {package_url: string; dependencies?: string[]}> {
+  return Object.fromEntries(
+    components
+      .filter(component => {
+        if (!component.purl) {
+          core.info(
+            `Component ${component.name} does not have a valid package URL (purl). Skipping.`
+          )
+        }
+        return component.purl
+      })
+      .map(component => [
+        component.name,
+        {
+          package_url: component.purl as string,
+          dependencies: component.dependencies || []
+        }
+      ])
+  )
+}
+
+async function submitDependencySnapshot(
+  snapshotData: DependencySnapshot
+): Promise<void> {
+  const token = core.getInput(c.INPUT_GITHUB_TOKEN, {required: true})
+  const octokit = github.getOctokit(token)
+  const context = github.context
+
+  try {
+    await octokit.request(
+      'POST /repos/{owner}/{repo}/dependency-graph/snapshots',
+      {
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        version: snapshotData.version,
+        sha: snapshotData.sha,
+        ref: snapshotData.ref,
+        job: snapshotData.job,
+        detector: snapshotData.detector,
+        metadata: {},
+        scanned: snapshotData.scanned,
+        manifests: snapshotData.manifests,
+        headers: {
+          'X-GitHub-Api-Version': '2022-11-28'
+        }
+      }
+    )
+    core.info('Dependency snapshot submitted successfully.')
+  } catch (error) {
+    throw new Error(
+      `Failed to submit dependency snapshot for SBOM: ${error instanceof Error ? error.message : String(error)}`
+    )
+  }
+}

src/main.ts

@@ -14,6 +14,7 @@ import {setUpNativeImageMusl} from './features/musl'
 import {setUpWindowsEnvironment} from './msvc'
 import {setUpNativeImageBuildReports} from './features/reports'
 import {exec} from '@actions/exec'
+import {setUpSBOMSupport} from './features/sbom'
 
 async function run(): Promise<void> {
   try {
@@ -148,7 +149,6 @@ async function run(): Promise<void> {
     if (setJavaHome) {
       core.exportVariable('JAVA_HOME', graalVMHome)
     }
-
     await setUpGUComponents(
       javaVersion,
       graalVMVersion,
@@ -165,6 +165,7 @@ async function run(): Promise<void> {
       javaVersion,
       graalVMVersion
     )
+    setUpSBOMSupport(javaVersion, distribution)
 
     core.startGroup(`Successfully set up '${basename(graalVMHome)}'`)
     await exec(join(graalVMHome, 'bin', `java${c.EXECUTABLE_SUFFIX}`), [

src/utils.ts

@@ -4,11 +4,13 @@ import * as github from '@actions/github'
 import * as httpClient from '@actions/http-client'
 import * as semver from 'semver'
 import * as tc from '@actions/tool-cache'
+import * as fs from 'fs'
 import {ExecOptions, exec as e} from '@actions/exec'
 import {readFileSync, readdirSync} from 'fs'
 import {Octokit} from '@octokit/core'
 import {createHash} from 'crypto'
 import {join} from 'path'
+import {tmpdir} from 'os'
 
 // Set up Octokit for github.com only and in the same way as @actions/github (see https://git.io/Jy9YP)
 const baseUrl = 'https://api.github.com'
@@ -247,3 +249,47 @@ export async function createPRComment(content: string): Promise<void> {
     )
   }
 }
+
+export function tmpfile(fileName: string) {
+  return join(tmpdir(), fileName)
+}
+
+export function setNativeImageOption(
+  javaVersionOrDev: string,
+  optionValue: string
+): void {
+  const coercedJavaVersionOrDev = semver.coerce(javaVersionOrDev)
+  if (
+    (coercedJavaVersionOrDev &&
+      semver.gte(coercedJavaVersionOrDev, '22.0.0')) ||
+    javaVersionOrDev === c.VERSION_DEV ||
+    javaVersionOrDev.endsWith('-ea')
+  ) {
+    /* NATIVE_IMAGE_OPTIONS was introduced in GraalVM for JDK 22 (so were EA builds). */
+    let newOptionValue = optionValue
+    const existingOptions = process.env[c.NATIVE_IMAGE_OPTIONS_ENV]
+    if (existingOptions) {
+      newOptionValue = `${existingOptions} ${newOptionValue}`
+    }
+    core.exportVariable(c.NATIVE_IMAGE_OPTIONS_ENV, newOptionValue)
+  } else {
+    const optionsFile = getNativeImageOptionsFile()
+    if (fs.existsSync(optionsFile)) {
+      fs.appendFileSync(optionsFile, ` ${optionValue}`)
+    } else {
+      fs.writeFileSync(optionsFile, `NativeImageArgs = ${optionValue}`)
+    }
+  }
+}
+
+const NATIVE_IMAGE_CONFIG_FILE = tmpfile('native-image-options.properties')
+const NATIVE_IMAGE_CONFIG_FILE_ENV = 'NATIVE_IMAGE_CONFIG_FILE'
+
+function getNativeImageOptionsFile(): string {
+  let optionsFile = process.env[NATIVE_IMAGE_CONFIG_FILE_ENV]
+  if (optionsFile === undefined) {
+    optionsFile = NATIVE_IMAGE_CONFIG_FILE
+    core.exportVariable(NATIVE_IMAGE_CONFIG_FILE_ENV, optionsFile)
+  }
+  return optionsFile
+}