Generate SBOM then use trivy to check vulnerabilities

[sbernard31]

This is still about

• 🛡 Find a better alternative to dependabot ! #1566

As :

• Use dependency-check-maven plugin to check dependencies vulnerabilities.  #1567
• Add Weekly Jenkins Build to check dependencies vulnerabilites with trivy #1569

was not huge success 😅 .

We finally try to first generate CycloneDX SBOM with :

• cyclonedx-maven-plugin to generate SBOM about maven
• and we use trivy for frontend because we didn't find dedicated tools for yarn : see Yarn community need a good CycloneDx SBOM generator. yarnpkg/berry#6063 (maybe we should consider to move to npm ? see : Migration from yarn-classic to npm #1550 (comment))

So we have full control about what we put in SBOM.

Then we use trivy to scan vulnerabilities from this SBOMs. (with small issue about it : aquasecurity/trivy#5883)

Then one day we could also reuse that SBOM to check licenses with : eclipse-dash/dash-licenses#191

Jenkins build used to test are available at : https://ci.eclipse.org/leshan/job/leshan-weekly/, output looks like :

• https://ci.eclipse.org/leshan/job/leshan-weekly/job/master/1/consoleText
• https://ci.eclipse.org/leshan/job/leshan-weekly/job/1.x/1/consoleText

[sbernard31]

(@jvermillard I will probably go with that way, let me know if you see blocking issue about that)

[sbernard31]

@jvermillard , this is now integrated in master but feedback are still welcome. Nothing is set in stone. 🙂