Those are all good points, Piotr. Thanks for raising them.

Some of the settings you shared can be fixed for all projects, hence
in `logging-parent` configuration. This will necessitate either a
`10.2.0` RC2 or `10.2.1`.

The others need to be addressed per project, which I will implement
once we have a `logging-parent` release with `cyclonedx-maven-plugin`.

In conclusion, I am on it.

On Thu, Oct 19, 2023 at 10:18 AM Piotr P. Karwasz
<piotr.karw...@gmail.com> wrote:
>
> Hi Volkan,
>
> On Wed, 18 Oct 2023 at 21:55, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > * Added support for auto-generating CycloneDX Software Bill of Materials 
> > (SBOM)
>
> Looking at the generated `bom.json`, it gives a strange URL for the
> distribution:
>
>         {
>           "type" : "distribution",
>           "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
>         },
>
> This is a private URL for staging a release. I would expect this key to 
> contain:
>
> https://repository.apache.org/content/repositories/releases/
>
> We probably also need to fill in other keys in the SBOM:
>
> https://cyclonedx.org/docs/1.5/json/#externalReferences_items_type
>
> (I use the version 1.5 schema, since it is commented, while 1.4 isn't).
>
> The keys that would be useful to fill IMHO are:
>
> * `advisories`, pointing to a common page with all the CVEs we
> published against all our products,
> * `release-notes`, `documentation` and `support`,
> * `license` (for completeness, it is already defined elsewhere),
> * `security-contact`, `vulnerability-assertion` and
> `exploitability-statement`. The latter could use the exploitability
> assessments we provide in GitHub (twice, for Dependabot and OSV
> scanner):
> https://github.com/apache/logging-log4j2/blob/2.x/log4j-parent/osv-scanner.toml
> * `static-analysis-report`: both CodeQL and Scorecard can produce a
> SARIF file. The latter even uploads it somewhere.
>
> Piotr
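An added example, not part of either message and not Log4j project code: a small Python check over a constructed `bom.json` fragment that flags a Nexus staging URL in `externalReferences` (the issue Piotr raised) and lists which of the reference types proposed in the thread are still missing. The sample BOM, the `RECOMMENDED_TYPES` set and the `STAGING_MARKERS` path prefix are assumptions made for this example.

```python
import json

# Constructed sample BOM fragment, modelled on the `bom.json` excerpt quoted in the
# thread: the distribution URL is the staging URL Piotr flagged; the other entries are
# placeholders, not values taken from a real Log4j SBOM.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "externalReferences": [
    {"type": "distribution",
     "url": "https://repository.apache.org/service/local/staging/deploy/maven2"},
    {"type": "vcs", "url": "https://github.com/apache/logging-log4j2"},
    {"type": "license", "url": "https://www.apache.org/licenses/LICENSE-2.0"}
  ]
}
""")

# CycloneDX 1.5 `externalReferences[].type` values the thread proposes filling in.
RECOMMENDED_TYPES = {
    "advisories", "release-notes", "documentation", "support", "license",
    "security-contact", "vulnerability-assertion", "exploitability-statement",
    "static-analysis-report",
}

# Path fragment of the Nexus staging service; a published SBOM should never point there.
STAGING_MARKERS = ("/service/local/staging/",)

# Public release repository Piotr expects the distribution reference to use.
EXPECTED_DISTRIBUTION_PREFIX = "https://repository.apache.org/content/repositories/releases/"


def check_external_references(bom: dict) -> dict:
    """Return staging URLs, distribution URLs outside the release repo, and missing types."""
    refs = bom.get("externalReferences", [])
    present = {ref.get("type") for ref in refs}
    staging_urls = [ref["url"] for ref in refs
                    if any(m in ref.get("url", "") for m in STAGING_MARKERS)]
    bad_distribution = [ref["url"] for ref in refs
                        if ref.get("type") == "distribution"
                        and not ref.get("url", "").startswith(EXPECTED_DISTRIBUTION_PREFIX)]
    return {
        "staging_urls": staging_urls,
        "bad_distribution": bad_distribution,
        "missing_types": sorted(RECOMMENDED_TYPES - present),
    }


if __name__ == "__main__":
    for key, values in check_external_references(SAMPLE_BOM).items():
        for value in values:
            print(f"{key}: {value}")
```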
