Generation Software Bill of Materials (SBOM) #4757

Open
wants to merge 1 commit into
base: main

Conversation

gamlerhart (Contributor):

Motivation: In some companies, the development team has to produce a Software Bill of Materials (SBOM) for their project for compliance reasons: to track dependencies and licenses across their organisation. Provide a module that produces SBOMs in JSON format.

Changes in the core: Extended the .getArtifact to return the coursier.Resolution as well. This is then used to get the license information.

Outside the core: Add an SBOM contrib module

  • Generate the most basic CycloneDX SBOM files, supporting Java modules for a start
  • Provide a basic upload to the Dependency Track server

gamlerhart (Contributor, Author):

I have these high-level questions:

  • I implemented the SBOM JSON from scratch, so that we can use uPickle etc. and do not add libraries.
    The alternative is to use the CycloneDX 'model' library, which mostly implements the JSON and some hashing.
    But that then adds this extra library etc.: more stuff to download, more stuff on the classpath, etc.
    So, the question is: what is preferred in general? Avoiding external libraries when possible, or going for maximum compatibility and including more external libraries?

  • Is adding this to the 'contrib' section the right place? The alternative seems to be having it as a completely external library. However, that adds extra maintenance burdens: pushing it to Maven repos, compiling it, versioning it. So, having it in sync seems better.

  • I've extended the data returned from the Coursier .getArtifacts method. I think that is OK, because that method wasn't yet published in 0.12.9?

Then I have a test failure question. The Android tests fail to get the output:

[3506-0] /home/roman/dev/mill/out/example/android/javalib/1-hello-world/local/server/test.dest/worker-0/sandbox/run-1> cat out/app/test/testForked.dest/out.json
[3506-0] --- Expected output ----------
[3506-0] ["",[{"fullyQualifiedName":"com.helloworld.ExampleUnitTest.textSize_isCorrect","selector":"com.helloworld.ExampleUnitTest.textSize_isCorrect","duration":...,"status":"Success"}]]
[3506-0] ------------------------------
[3506-0] /home/roman/dev/mill/out/example/android/javalib/1-hello-world/local/server/test.dest/worker-0/sandbox/run-1> ./mill  --disable-ticker shutdown
[3506-0] --- Expected output ----------
[3506-0] 
[3506-0] ------------------------------
[3506-0] X mill.testkit.UtestExampleTestSuite.exampleTest 17054ms 
[3506-0]   utest.AssertionError: evalResult.isSuccess
[3506-0]   evalResult: mill.testkit.IntegrationTester.EvalResult = EvalResult(false,cat: out/app/test/testForked.dest/out.json: No such file or directory
[3506-0]   ,)
[3506-0]     utest.asserts.Asserts$.assertImpl(Asserts.scala:30)
[3506-0]     mill.testkit.ExampleTester.validateEval(ExampleTester.scala:156)

When I inspect my output locally, that out/app/test/testForked.dest/out.json seems to be in out/app/test/testForked.dest/worker-0/out.json now.

Did I do something wrong here, or did something change? Not sure why it seems to pass on the GitHub runner for the main branches, but not locally.

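The module described in the PR body produces a CycloneDX JSON SBOM from the coursier resolution (including licence data) and uploads it to Dependency-Track, and the author's comment above weighs hand-writing that JSON against pulling in the CycloneDX model library. The following is an added illustration of the hand-rolled approach; it is not the PR's code, not part of Mill, and written in Python rather than Scala so it runs stand-alone. The Dependency-Track request body shape (PUT /api/v1/bom with a base64-encoded BOM, API key in the X-Api-Key header) is stated from memory of that API and should be checked against the server version in use; the artefact coordinates and "jar bytes" are constructed sample data.

```python
"""Minimal CycloneDX 1.5 JSON SBOM builder plus a Dependency-Track upload body.

Added example, not code from the PR or from Mill. Sample data is constructed.
"""
import base64
import hashlib
import json
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import quote


@dataclass
class ResolvedArtifact:
    """One resolved dependency, in the shape a build tool would hand over."""
    group: str
    name: str
    version: str
    licenses: list[str] = field(default_factory=list)  # SPDX licence ids
    jar_bytes: bytes = b""                              # constructed stand-in for the jar file


def maven_purl(group: str, name: str, version: str) -> str:
    """Package URL for a Maven artefact; each purl segment is percent-encoded (e.g. '+' -> %2B)."""
    return f"pkg:maven/{quote(group, safe='')}/{quote(name, safe='')}@{quote(version, safe='')}"


def component(a: ResolvedArtifact) -> dict:
    """CycloneDX 'component' entry: identity via purl, integrity via SHA-256, licences as SPDX ids."""
    purl = maven_purl(a.group, a.name, a.version)
    comp = {"type": "library", "group": a.group, "name": a.name,
            "version": a.version, "purl": purl, "bom-ref": purl}
    if a.jar_bytes:
        comp["hashes"] = [{"alg": "SHA-256", "content": hashlib.sha256(a.jar_bytes).hexdigest()}]
    if a.licenses:
        comp["licenses"] = [{"license": {"id": lic}} for lic in a.licenses]
    return comp


def build_sbom(app_name: str, app_version: str, artifacts: list[ResolvedArtifact]) -> dict:
    """Assemble the top-level document. A flat graph is used: the application depends on every resolved artefact."""
    root_ref = f"{app_name}@{app_version}"
    comps = [component(a) for a in artifacts]
    stamp = datetime.now(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": stamp,
            "component": {"type": "application", "name": app_name,
                          "version": app_version, "bom-ref": root_ref},
        },
        "components": comps,
        "dependencies": [{"ref": root_ref, "dependsOn": [c["bom-ref"] for c in comps]}]
                        + [{"ref": c["bom-ref"], "dependsOn": []} for c in comps],
    }


def validate_minimal(sbom: dict) -> list[str]:
    """Pre-upload sanity checks. A component without licence data quietly defeats the compliance goal,
    so it is reported rather than silently accepted."""
    problems = []
    for key in ("bomFormat", "specVersion", "components"):
        if key not in sbom:
            problems.append(f"missing {key}")
    for c in sbom.get("components", []):
        if "purl" not in c:
            problems.append(f"{c.get('name')}: no purl")
        if not c.get("licenses"):
            problems.append(f"{c.get('name')}: no license information")
    return problems


def dependency_track_payload(sbom: dict, project_name: str, project_version: str) -> dict:
    """Body for PUT /api/v1/bom (assumed API shape). The BOM travels base64-encoded; the API key
    belongs in the X-Api-Key request header, never in this body or in the SBOM itself."""
    encoded = base64.b64encode(json.dumps(sbom, separators=(",", ":")).encode()).decode()
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}


SAMPLE_ARTIFACTS = [  # constructed sample data, not from any real resolution
    ResolvedArtifact("com.example", "some-lib", "1.2.3", ["MIT"], b"abc"),
    ResolvedArtifact("com.example", "unlicensed-lib", "0.1", [], b"def"),
]

if __name__ == "__main__":
    doc = build_sbom("hello-world", "1.0.0", SAMPLE_ARTIFACTS)
    print(json.dumps(doc, indent=2))
    for problem in validate_minimal(doc):
        print("WARN:", problem)
```

Running it prints the SBOM and one warning for the licence-less artefact; in a build pipeline that warning is the signal to fail the SBOM task rather than upload an incomplete inventory.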
gamlerhart marked this pull request as ready for review March 21, 2025 11:08