SQL-2091: Add SBOM Lite for JDBC

[EthanHardyMongo]

Successful run: https://spruce.mongodb.com/task/mongo_jdbc_driver_code_quality_and_correctness_sbom_patch_65d75db0c5e89aab2d87ef90e67a3e0d12571c74_666375a3d3b2b1000758d666_24_06_07_21_03_39/logs?execution=0

SBOM created: https://evg-bucket-mongo-jdbc-driver.s3.amazonaws.com/artifacts/666375a3d3b2b1000758d666/code-quality-and-correctness/ssdlc/mongo-jdbc-driver.cdx.json

[nbagnard]

It's looking good.
I have only a few comments to help make our lives easier in the long run

[nbagnard]

[nit] Let's call this SBOM_LITE from now on to match DEVPROD naming convention.

[nbagnard]

I think you can merge this func with the previous one. It doesn't have to be so granular.
I also don't know how I feel with using func versus having a list of commands being part of a function.
It makes the func longer, but at the same time, having all piece be under the same function means that there it is clear that they have to happen in that order and that what the previous function produces is expected to exist for the next function.

[EthanHardyMongo]

Originally, it was one function; however, it would stop executing after ./gradlew cyclonedxBom for some reason, so I made two separate functions. However, I can combine the two and just have two - command: shell.exec in one function.

[nbagnard]

Defining this variable isn't very useful since the Gradle script doesn't use this value.
Variables are great if you want to guarantee that names are the same everywhere and to make maintenance easier.

You can however using it with Gradle and that would be the perfect use of a variable. Although I think the name of the temp file doesn't have to be shared with all task and can simply be defined as part of the func.

I pushed an example on my local branch. I had it ready but never pushed it on my remote branch. Look at both the Evergreen script (line 466) and the gradle.properties file
master...nbagnard:mongo-jdbc-driver:ssdlc-poc#diff-73e7b844e5fa69d8104ed91b7c281ea7262bc60bd7be03d515048aff04478fe6R435

[EthanHardyMongo]

I defined the output name and destination in the build.gradle file:

cyclonedxBom {
    // Boms destination directory. Defaults to 'build/reports'
    destination = file("artifacts/sboms")
    // The file name for the generated BOMs (before the file format suffix). Defaults to 'bom'
    outputName = "sbom_without_team_name"
}

These environmental variables were made to make the evergreen functions easier to read.

[nbagnard]

ah, I didn't realize that the variables were case insensitive 👍
I think destination is not using the SBOM_DIR variable, could you add it and then think would be perfect!

[nbagnard]

LGTM!
Pending the last little destination variable to sync up between the evergreen script and gradle.properties

[nbagnard]

ah, I didn't realize that the variables were case insensitive 👍
I think destination is not using the SBOM_DIR variable, could you add it and then think would be perfect!