• Closes: [Java] Publish SBOM artifacts #15265

⚠️ GitHub issue #15265 has been automatically assigned in GitHub to PR creator.

Should the sbom be published with the nightlies?

Could you also update ci/scripts/java_full_build.sh, dev/tasks/java-jars/github.yml and dev/tasks/tasks.yml (the following diff is incomplete for this file) like the following to publish them?

diff --git a/ci/scripts/java_full_build.sh b/ci/scripts/java_full_build.sh
index 1c07971bcc..2734f3e9db 100755
--- a/ci/scripts/java_full_build.sh
+++ b/ci/scripts/java_full_build.sh
@@ -65,7 +65,13 @@ find . \
      -exec echo {} ";" \
      -exec cp {} $dist_dir ";"
 find ~/.m2/repository/org/apache/arrow \
-     "(" -name "*.jar" -o -name "*.zip" -o -name "*.pom" ")" \
+     "(" \
+     -name "*.jar" -o \
+     -name "*.json" -o \
+     -name "*.pom" -o \
+     -name "*.xml" -o \
+     -name "*.zip" \
+     ")" \
      -exec echo {} ";" \
      -exec cp {} $dist_dir ";"
 
diff --git a/dev/tasks/java-jars/github.yml b/dev/tasks/java-jars/github.yml
index cfa1dbed49..c42c9e6f4d 100644
--- a/dev/tasks/java-jars/github.yml
+++ b/dev/tasks/java-jars/github.yml
@@ -204,5 +204,7 @@ jobs:
             $GITHUB_WORKSPACE/arrow \
             $GITHUB_WORKSPACE/arrow/java-dist
       {{ macros.github_upload_releases(["arrow/java-dist/*.jar",
+                                        "arrow/java-dist/*.pson",
                                         "arrow/java-dist/*.pom",
+                                        "arrow/java-dist/*.xml",
                                         "arrow/java-dist/*.zip"])|indent }}
diff --git a/dev/tasks/tasks.yml b/dev/tasks/tasks.yml
index 66df61e215..8437ad0778 100644
--- a/dev/tasks/tasks.yml
+++ b/dev/tasks/tasks.yml
@@ -801,6 +801,9 @@ tasks:
     ci: github
     template: java-jars/github.yml
     artifacts:
+      - arrow-algorithm-{no_rc_snapshot_version}-cyclonedx.json
+      - arrow-algorithm-{no_rc_snapshot_version}-cyclonedx.xml
+      - arrow-algorithm-{no_rc_snapshot_version}-javadoc.jar
       - arrow-algorithm-{no_rc_snapshot_version}-javadoc.jar
       - arrow-algorithm-{no_rc_snapshot_version}-sources.jar
       - arrow-algorithm-{no_rc_snapshot_version}-tests.jar
# NOTE!!! We need to add more entries for *-cyclonedx.{json,xml}

Thank you so much, @assignUser and @kou . I addressed your comments.

@github-actions crossbow submit java-jars

To have them uploaded to nightlies.apache.org the nightly java job needs to be updated to: https://github.com/apache/arrow/blob/master/.github/workflows/java_nightly.yml#L110

Revision: de44a621698683f1891e0e1886a23569d2998eb3

Submitted crossbow builds: ursacomputing/crossbow @ actions-588eb7d929

Task	Status
java-jars

Thank you, @assignUser . .json and .xml patterns are added.

The python failure looks irrelevant to this Java plugin PR. Please let me know if there is some thing I need to do more, @assignUser , @kou , @viirya . Thank you in advance.

Yeah the failure of the crossbow job is due to C++ stuff but it also means that the changed logic won't be tested. As this won't succeed and the changes from this PR wont be used (unless built locally ofc) until that is fixed I would prefer to wait for #25633 to be closed so we can properly test this.

For the SBOM files to be uploaded with the official releases we will also need to update https://github.com/apache/arrow/blob/-/dev/release/06-java-upload.sh which could be done as a follow up if the creation of the sbom artifacts for local builds is important for you.

For the SBOM files to be uploaded with the official releases we will also need to update https://github.com/apache/arrow/blob/-/dev/release/06-java-upload.sh

It seems that we don't need it. https://github.com/apache/arrow/blob/master/dev/release/06-java-upload.sh#L123 will collect new files.

According to the above comment about 06-java-upload.sh#L123, we don't need additional change. *-cyclone* will be considered.

Please let me know if there is something I can help, @assignUser .

@dongjoon-hyun please rebase, the fix for the c++ issue was merged. Afterwards please trigger the crossbow with @github-actions crossbow submit java-jars as a comment

Once the job complets succesfully you can take a look at the artifacts if they correctly contian the sbom. I will merge then and it will be part of 11.0.0
cc @raulcd

Got it, @assignUser !

@github-actions crossbow submit java-jars

Revision: 97af0c9

Submitted crossbow builds: ursacomputing/crossbow @ actions-18dd62a120

Task	Status
java-jars

Benchmark runs are scheduled for baseline = 641d1da and contender = 5580f27. 5580f27 is a master commit associated with this PR. Results will be available as each benchmark for each run completes.
Conbench compare runs links:
[Finished ⬇️0.0% ⬆️0.0%] ec2-t3-xlarge-us-east-2
[Failed ⬇️0.54% ⬆️0.03%] test-mac-arm
[Finished ⬇️0.0% ⬆️1.53%] ursa-i9-9960x
[Finished ⬇️0.44% ⬆️0.34%] ursa-thinkcentre-m75q
Buildkite builds:
[Finished] 5580f27f ec2-t3-xlarge-us-east-2
[Failed] 5580f27f test-mac-arm
[Finished] 5580f27f ursa-i9-9960x
[Finished] 5580f27f ursa-thinkcentre-m75q
[Finished] 641d1da6 ec2-t3-xlarge-us-east-2
[Finished] 641d1da6 test-mac-arm
[Finished] 641d1da6 ursa-i9-9960x
[Finished] 641d1da6 ursa-thinkcentre-m75q
Supported benchmarks:
ec2-t3-xlarge-us-east-2: Supported benchmark langs: Python, R. Runs only benchmarks with cloud = True
test-mac-arm: Supported benchmark langs: C++, Python, R
ursa-i9-9960x: Supported benchmark langs: Python, R, JavaScript
ursa-thinkcentre-m75q: Supported benchmark langs: C++, Java