SBOM: fallback if augmented SBOM generation fails

Author: rudsberg

native-maven-plugin/src/functionalTest/groovy/org/graalvm/buildtools/maven/SBOMFunctionalTest.groovy

@@ -81,6 +81,7 @@ class SBOMFunctionalTest extends AbstractGraalVMMavenFunctionalTest {
         buildSucceeded
         outputContainsPattern".*CycloneDX SBOM with \\d+ component\\(s\\) is embedded in binary \\(.*?\\) and exported as JSON \\(see build artifacts\\)\\."
         outputDoesNotContain "Use '--enable-sbom' to assemble a Software Bill of Materials (SBOM)"
+        outputDoesNotContain "Could not generate an augmented SBOM"
         validateExportedSBOM sbom
         !file(String.format("target/%s", SBOMGenerator.SBOM_FILENAME)).exists()
         outputContains "Hello, native!"
@@ -101,6 +102,7 @@ class SBOMFunctionalTest extends AbstractGraalVMMavenFunctionalTest {
         buildSucceeded
         outputContainsPattern".*CycloneDX SBOM with \\d+ component\\(s\\) is embedded in binary \\(.*?\\)."
         outputDoesNotContain "Use '--enable-sbom' to assemble a Software Bill of Materials (SBOM)"
+        outputDoesNotContain "Could not generate an augmented SBOM"
         !file(String.format("target/%s", SBOMGenerator.SBOM_FILENAME)).exists()
         outputContains "Hello, native!"
     }

native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/NativeCompileNoForkMojo.java

@@ -177,7 +177,16 @@ private void generateAugmentedSBOMIfNeeded() throws IllegalArgumentException, Mo
         }
 
         var sbomGenerator = new SBOMGenerator(mavenProject, mavenSession, pluginManager, repositorySystem, mainClass, logger);
-        sbomGenerator.generate();
+        try {
+            sbomGenerator.generate();
+        } catch (MojoExecutionException e) {
+            /* Only throw exception for users that explicitly opt-in to using augmented SBOMs. */
+            if (optionWasSet) {
+                throw e;
+            }
+            logger.warn(String.format("Could not generate an augmented SBOM: %s. Fallback to generating a non-augmented SBOM.",
+                    e.getCause().getMessage()));
+        }
     }
 
     private String consumeConfigurationNodeValue(String pluginKey, String... nodeNames) {

native-maven-plugin/src/main/java/org/graalvm/buildtools/maven/sbom/SBOMGenerator.java

@@ -237,17 +237,17 @@ private static void deleteFileIfExists(Path sbomPath) {
     private void augmentSBOM(Path baseSBOMPath, Set<ArtifactAdapter> artifacts) throws IOException {
         JSONObject sbomJson = new JSONObject(Files.readString(baseSBOMPath));
 
+        JSONArray componentsArray = sbomJson.optJSONArray("components");
+        if (componentsArray != null) {
+            componentsArray.forEach(componentNode -> augmentComponentNode((JSONObject) componentNode, artifacts));
+        }
+
         /* Augment the main component in "metadata/component" */
         JSONObject metadataNode = sbomJson.optJSONObject("metadata");
         if (metadataNode != null && metadataNode.has("component")) {
             augmentComponentNode(metadataNode.getJSONObject("component"), artifacts);
         }
 
-        JSONArray componentsArray = sbomJson.optJSONArray("components");
-        if (componentsArray != null) {
-            componentsArray.forEach(componentNode -> augmentComponentNode((JSONObject) componentNode, artifacts));
-        }
-
         /* Save the augmented SBOM back to the file */
         Files.writeString(baseSBOMPath, sbomJson.toString(2));
     }