Those are all good points Piotr. Thanks for raising them. Some of the settings you shared can be fixed for all projects, hence in `logging-parent` configuration. This will necessitate either a `10.2.0` RC2 or `10.2.1`.
The others need to be addressed per project, which I will implement once we have a `logging-parent` release with `cyclonedx-maven-plugin`. In conclusion, I am on it.

On Thu, Oct 19, 2023 at 10:18 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
>
> Hi Volkan,
>
> On Wed, 18 Oct 2023 at 21:55, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > * Added support for auto-generating CycloneDX Software Bill of Materials
> > (SBOM)
>
> Looking at the generated `bom.json`, it gives a strange URL for the
> distribution:
>
> {
>   "type" : "distribution",
>   "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
> },
>
> This is a private URL for staging a release. I would expect this key to
> contain:
>
> https://repository.apache.org/content/repositories/releases/
>
> We probably also need to fill in other keys in the SBOM:
>
> https://cyclonedx.org/docs/1.5/json/#externalReferences_items_type
>
> (I use the version 1.5 schema, since it is commented, while 1.4 isn't).
>
> The keys that would be useful to fill IMHO are:
>
> * `advisories`, pointing to a common page with all the CVEs we
>   published against all our products,
> * `release-notes`, `documentation` and `support`,
> * `license` (for completeness, it is already defined elsewhere),
> * `security-contact`, `vulnerability-assertion` and
>   `exploitability-statement`. The latter could use the exploitability
>   assessments we provide in GitHub (twice, for Dependabot and OSV
>   scanner):
>   https://github.com/apache/logging-log4j2/blob/2.x/log4j-parent/osv-scanner.toml
> * `static-analysis-report`: both CodeQL and Scorecard can produce a
>   SARIF file. The latter even uploads it somewhere.
>
> Piotr
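An added check, not part of this thread or of the Log4j build, that audits a generated `bom.json` the way Piotr describes: it flags staging/deploy URLs left in the main component's `externalReferences`, lists which of the recommended reference types are absent, and rewrites a staging `distribution` URL to the public repository. The BOM content is constructed, and the staging-URL path markers are an assumption about how a Nexus staging endpoint looks.

```python
import json

# Constructed sample: a trimmed CycloneDX 1.5 bom.json, not a real Log4j BOM.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {
    "type": "library", "name": "example-lib", "version": "1.0.0",
    "externalReferences": [
      {"type": "distribution",
       "url": "https://repository.apache.org/service/local/staging/deploy/maven2"},
      {"type": "license", "url": "https://www.apache.org/licenses/LICENSE-2.0"}
    ]}}
}
""")

# Reference types recommended in the thread; each is a valid 1.5 externalReference type.
RECOMMENDED_TYPES = (
    "advisories", "release-notes", "documentation", "support", "license",
    "security-contact", "vulnerability-assertion", "exploitability-statement",
    "static-analysis-report",
)

# Assumed path fragments that identify a Nexus staging endpoint rather than a public repo.
STAGING_MARKERS = ("/service/local/staging/", "/staging/deploy/")


def audit_external_references(bom):
    """Return (non_public, missing): staging URLs found in the main component's
    externalReferences, and recommended reference types that are absent."""
    component = bom.get("metadata", {}).get("component", {})
    refs = component.get("externalReferences", [])
    non_public = [(r.get("type"), r.get("url", "")) for r in refs
                  if any(m in r.get("url", "").lower() for m in STAGING_MARKERS)]
    present = {r.get("type") for r in refs}
    missing = [t for t in RECOMMENDED_TYPES if t not in present]
    return non_public, missing


def fix_distribution_url(bom, public_url):
    """Return a copy of the BOM with every staging 'distribution' URL replaced by public_url."""
    fixed = json.loads(json.dumps(bom))  # deep copy via JSON round-trip; input is left untouched
    for ref in fixed.get("metadata", {}).get("component", {}).get("externalReferences", []):
        if ref.get("type") == "distribution" and any(
                m in ref.get("url", "").lower() for m in STAGING_MARKERS):
            ref["url"] = public_url
    return fixed
```

Running the audit on the sample reports the staging `distribution` URL and the eight missing reference types (`license` is already present).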