From 0d9f97d5ed1596bd8d72502ea64127882ff8fed8 Mon Sep 17 00:00:00 2001
From: Nelson Baby
Date: Fri, 3 Apr 2026 16:58:28 -0400
Subject: [PATCH 1/2] build: add CycloneDX SBOM generation support
- Add docling-sbom.gradle.kts plugin for SBOM generation
- Integrate SBOM artifacts into Maven publications
- Add CycloneDX Gradle plugin dependency
- Configure cyclonedxDirectBom task in build group
Signed-off-by: Nelson Baby
---
 buildSrc/build.gradle.kts | 1 +
 buildSrc/src/main/kotlin/docling-release.gradle.kts | 13 +++++++++++++
 buildSrc/src/main/kotlin/docling-sbom.gradle.kts | 8 ++++++++
 gradle/libs.versions.toml | 3 +++
 4 files changed, 25 insertions(+)
 create mode 100644 buildSrc/src/main/kotlin/docling-sbom.gradle.kts
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
index a27aed8e..294fe0b7 100644
--- a/buildSrc/build.gradle.kts
+++ b/buildSrc/build.gradle.kts
@@ -9,6 +9,7 @@ repositories {
 dependencies {
 implementation("org.yaml:snakeyaml:2.6")
+ implementation(libs.cyclonedx.gradle)
 implementation(libs.lombok.gradle)
 implementation(libs.spotless.gradle)
 }
diff --git a/buildSrc/src/main/kotlin/docling-release.gradle.kts b/buildSrc/src/main/kotlin/docling-release.gradle.kts
index df75b350..cd3a2174 100644
--- a/buildSrc/src/main/kotlin/docling-release.gradle.kts
+++ b/buildSrc/src/main/kotlin/docling-release.gradle.kts
@@ -1,4 +1,5 @@
 plugins {
+ id("docling-sbom")
 `maven-publish`
 }
@@ -13,6 +14,18 @@ publishing {
 create("maven") {
 from(components["java"])
+ // Attach SBOM artifacts to publication
+ val cyclonedxTask = tasks.named("cyclonedxDirectBom")
+ afterEvaluate {
+ cyclonedxTask.get().outputs.files.forEach { file ->
+ artifact(file) {
+ classifier = "cyclonedx"
+ extension = file.extension
+ builtBy(cyclonedxTask)
+ }
+ }
+ }
+
 pom {
 url = "https://docling-project.github.io/docling-java"
 name = project.name
diff --git a/buildSrc/src/main/kotlin/docling-sbom.gradle.kts b/buildSrc/src/main/kotlin/docling-sbom.gradle.kts
new file mode 100644
index 00000000..2f218765
--- /dev/null
+++ b/buildSrc/src/main/kotlin/docling-sbom.gradle.kts
@@ -0,0 +1,8 @@
+plugins {
+ id("org.cyclonedx.bom")
+}
+
+tasks.named("cyclonedxDirectBom") {
+ group = "build"
+ description = "Generates a per-project CycloneDX Software Bill of Materials (SBOM)"
+}
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 0573756c..c52a27c3 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -17,6 +17,7 @@ quarkus = "3.34.2"
 quarkus-github-api = "1.330.0"
 quarkus-wiremock = "1.6.1"
 wiremock = "3.13.2"
+cyclonedx = "3.2.3"
 [libraries]
 # assertj
@@ -26,6 +27,7 @@ assertj-core = { group = "org.assertj", name = "assertj-core", version.ref = "as
 awaitility = { group = "org.awaitility", name = "awaitility", version.ref = "awaitility" }
 # lombok-gradle
+cyclonedx-gradle = { group = "org.cyclonedx", name = "cyclonedx-gradle-plugin", version.ref = "cyclonedx" }
 lombok-gradle = { group = "io.freefair.lombok", name = "io.freefair.lombok.gradle.plugin", version.ref = "lombok-gradle" }
 spotless-gradle = { group = "com.diffplug.spotless", name = "spotless-plugin-gradle", version.ref = "spotless" }
@@ -63,6 +65,7 @@ quarkus-wiremock-test = { group = "io.quarkiverse.wiremock", name = "quarkus-wir
 wiremock = { group = "org.wiremock", name = "wiremock", version.ref = "wiremock" }
 [plugins]
+cyclonedx = { id = "org.cyclonedx.bom", version.ref = "cyclonedx" }
 lombok = { id = "io.freefair.lombok", version.ref = "lombok-gradle" }
 quarkus = { id = "io.quarkus", version.ref = "quarkus" }
 module-info = { id = "org.gradlex.extra-java-module-info", version.ref = "module-info" }
From 8ff0f6574e829a81ea92978dce76080fb7709bba Mon Sep 17 00:00:00 2001
From: Nelson Baby
Date: Mon, 6 Apr 2026 11:06:59 -0400
Subject: [PATCH 2/2] build: use CycloneDX plugin version 3.2.2
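Review bot: Nothing in docling-sbom.gradle.kts (patch 1/2) says which configurations feed the BOM; the `tasks.named("cyclonedxDirectBom")` block sets only `group` and `description`, so the contents of the published SBOM are whatever the plugin defaults produce. If those defaults take in test or tooling configurations, anyone matching the SBOM against vulnerability feeds will see components that never ship in the jar. I would pin the scope in that block with the plugin's `includeConfigs` setting, for example `includeConfigs.set(listOf("runtimeClasspath"))`, and add a one-line comment saying the BOM is meant to describe the runtime dependencies of the published artifact. That setting needs the typed task, so the call may have to name the plugin's task class if the block is really untyped as shown.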
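Review bot: In the `[libraries]` hunk of gradle/libs.versions.toml (patch 1/2), `cyclonedx-gradle` is inserted directly under the existing `# lombok-gradle` comment, which now heads three entries and names only one of them. Renaming that heading to something like `# gradle plugins (buildSrc classpath)` would keep the catalog readable. The `[plugins]` hunk also adds a `cyclonedx` alias, while the series applies the plugin by id from buildSrc through the library coordinate; if nothing else uses the alias (not visible here), dropping it leaves a single entry that decides which plugin version runs in the build.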
Signed-off-by: Nelson Baby
---
 .../src/main/kotlin/docling-release.gradle.kts | 18 +++++++++---------
 gradle/libs.versions.toml | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/buildSrc/src/main/kotlin/docling-release.gradle.kts b/buildSrc/src/main/kotlin/docling-release.gradle.kts
index cd3a2174..682a3d60 100644
--- a/buildSrc/src/main/kotlin/docling-release.gradle.kts
+++ b/buildSrc/src/main/kotlin/docling-release.gradle.kts
@@ -15,15 +15,15 @@ publishing {
 from(components["java"])
 // Attach SBOM artifacts to publication
- val cyclonedxTask = tasks.named("cyclonedxDirectBom")
- afterEvaluate {
- cyclonedxTask.get().outputs.files.forEach { file ->
- artifact(file) {
- classifier = "cyclonedx"
- extension = file.extension
- builtBy(cyclonedxTask)
- }
- }
+ val cyclonedxTask = tasks.named("cyclonedxDirectBom")
+ artifact(cyclonedxTask.flatMap { it.jsonOutput }) {
+ classifier = "cyclonedx"
+ extension = "json"
+ }
+
+ artifact(cyclonedxTask.flatMap { it.xmlOutput }) {
+ classifier = "cyclonedx"
+ extension = "xml"
 }
 pom {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index c52a27c3..f4c09f71 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -17,7 +17,7 @@ quarkus = "3.34.2"
 quarkus-github-api = "1.330.0"
 quarkus-wiremock = "1.6.1"
 wiremock = "3.13.2"
-cyclonedx = "3.2.3"
+cyclonedx = "3.2.2"
 [libraries]
 # assertj
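Review bot: In the docling-release.gradle.kts hunk, `it.jsonOutput` and `it.xmlOutput` only resolve on a typed task provider, yet `tasks.named("cyclonedxDirectBom")` is shown without a type argument, and the removed and re-added `val cyclonedxTask` lines read identically. The page also drops the e-mail addresses from the From and Signed-off-by lines, so the `<…>` argument was most likely lost in rendering; confirm in the file that the call names the plugin's task class. Separately, the subject of 2/2 mentions only the version change to 3.2.2 although this hunk also replaces the `afterEvaluate` wiring, and neither the message nor the catalog says why 3.2.3 was stepped back; a short message body covering both would help whoever next bumps the plugin. The `publishing` block begins and ends outside the hunk.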