FYI to Logging and Brian,
> >
> > Over at Apache Commons, I added generating of CycloneDX and SPDX SBOMs
> > that we publish along with our artifacts. So I'd be curious if "we're
> > doing it wrong" ;-)
> >
> My take is that it is still early in the SBOM game and that we're
> getting ahead of the game but just producing these files.
>
This ^^.
Hardly anyone is producing SBOMs yet... this is something we've been
trying to change by having Herve work on the plugin and get it
integrated.
Hi all,
On Thu, 19 Oct 2023 at 15:08, Volkan Yazıcı wrote:
> > We probably also need to fill in other keys in the SBOM:
>
> As far as I can read from sources, custom "keys" (i.e., "external
> references") are not supported by `cyclonedx-maven-plugin`. I a
istribution directory (e.g., `https://downloads.apache.org/logging/logging-parent`)
3. The distribution page (e.g., `https://logging.apache.org/logging-parent/latest/#distribution`)
I am in favor of the last one, since it elaborates on all distribution
channels in detail.
> We probabl
find out all
or most things that we are missing in SBOM and release
`logging-parent` again.
Piotr
Bill of Materials
> > (SBOM)
>
> Looking at the generated `bom.json`, it gives a strange URL for the
> distribution:
>
> {
> "type" : "distribution",
> "url" :
> "https://repository.apache.org/service/local/s
Hi Volkan,
On Wed, 18 Oct 2023 at 21:55, Volkan Yazıcı wrote:
> * Added support for auto-generating CycloneDX Software Bill of Materials
> (SBOM)
Looking at the generated `bom.json`, it gives a strange URL for the
distribution:
{
"type" : "distribu