On Sun, 16 Nov 2025 at 19:38, Stefan Bodewig <[email protected]> wrote:
> On 2025-11-15, Gintautas Grigelionis wrote:
>
> > On Sat, 15 Nov 2025 at 19:53, Stefan Bodewig <[email protected]> wrote:
>
> >> On 2025-11-15, Gintautas Grigelionis wrote:
>
> >>> So the whole idea is to produce SBOM manually based on Maven artifacts?
>
> >> This is one of the options that I came up with. Not the only option and I
> >> don't expect to have exhausted the solution space :-)
>
> > Would you be willing to revisit the publishing by Ivy now that Ivy has
> > the capability to produce the necessary SHA hashes?
>
> I'm not sure how to answer that.
>
> We do publish Ant's "maven artifacts" via
> Ivy. https://github.com/apache/ant/blob/master/ReleaseInstructions#L186
> - but that's not the point.
>
> AFAIK Ivy cannot create an SBOM, so writing code that can do just that
> based on an Ivy model has been one of the options I came up with. If we
> wanted to do that we'd also need to use quite a bit more of Ivy than we
> do right now in Ant's release process. In particular the Ivy file would
> need to become aware of the dependencies as you can't create an SBOM
> without knowing the dependencies.
>
> Stefan

Sorry for being unclear. I mean going back to PR 54 and taking another look at it.
Then, Ivy needs a task that uses cyclonedx-core-java and/or spdx-java-library.
If that's too much of a hassle, Maven can easily provide another cop-out.
But I'd argue that dependency management ought to be done properly in order to produce a proper SBOM.

Gintas
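The point both messages circle around is that an SBOM has to come out of actual dependency resolution: the components, their hashes and the "who pulled in what" graph. Below is an added example of that data flow (not code from Apache Ant, Apache Ivy, PR 54 or cyclonedx-core-java): it reads a constructed Ivy resolution report, hashes the resolved artifacts and writes CycloneDX 1.5 JSON by hand. A real Ivy task would do this in Java with cyclonedx-core-java; the report layout used here (module/revision/caller/artifact elements, the evicted and callerrev attributes) is assumed from the reports Ivy writes to its cache, and the artifact bytes and coordinates are constructed for the example.

```python
"""Turn an Ivy resolution report into a CycloneDX SBOM.

Added example, not code from Apache Ant or Apache Ivy. The ivy-report
layout is assumed from Ivy's cache reports; the sample data is constructed.
"""
import hashlib
import json
import os
import tempfile
import uuid
import xml.etree.ElementTree as ET

# Constructed artifacts written to a temp dir so the hashes below are
# computed from real bytes instead of copied from anywhere.
_TMP = tempfile.mkdtemp(prefix="ivy-sbom-")
_ARTIFACTS = {
    "junit-4.13.2.jar": b"constructed junit jar bytes",
    "hamcrest-core-1.3.jar": b"constructed hamcrest jar bytes",
}
for _name, _data in _ARTIFACTS.items():
    with open(os.path.join(_TMP, _name), "wb") as _f:
        _f.write(_data)

# Constructed ivy-report (assumed shape). Each <caller> records who pulled
# the module in; that is where the SBOM dependency graph comes from.
SAMPLE_REPORT = f"""<ivy-report version="1.0">
  <info organisation="org.apache" module="example" revision="1.0" conf="default"/>
  <dependencies>
    <module organisation="junit" name="junit">
      <revision name="4.13.2" status="release" downloaded="true" conf="default">
        <caller organisation="org.apache" name="example" conf="default" rev="4.13.2" callerrev="1.0"/>
        <artifacts>
          <artifact name="junit" type="jar" ext="jar" status="successful"
                    location="{os.path.join(_TMP, 'junit-4.13.2.jar')}"/>
        </artifacts>
      </revision>
    </module>
    <module organisation="org.hamcrest" name="hamcrest-core">
      <revision name="1.3" status="release" downloaded="true" conf="default">
        <caller organisation="junit" name="junit" conf="default" rev="1.3" callerrev="4.13.2"/>
        <artifacts>
          <artifact name="hamcrest-core" type="jar" ext="jar" status="successful"
                    location="{os.path.join(_TMP, 'hamcrest-core-1.3.jar')}"/>
        </artifacts>
      </revision>
    </module>
  </dependencies>
</ivy-report>
"""


def purl(org, name, rev):
    """Package URL for Maven coordinates: pkg:maven/<group>/<artifact>@<version>."""
    return f"pkg:maven/{org}/{name}@{rev}"


def file_hashes(path):
    """SHA-256 and SHA-512 of the artifact bytes, in CycloneDX hash form."""
    sha256, sha512 = hashlib.sha256(), hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha256.update(chunk)
            sha512.update(chunk)
    return [{"alg": "SHA-256", "content": sha256.hexdigest()},
            {"alg": "SHA-512", "content": sha512.hexdigest()}]


def ivy_report_to_bom(report_xml):
    """Build a CycloneDX 1.5 dict from one configuration's resolution report."""
    root = ET.fromstring(report_xml)
    info = root.find("info")
    root_ref = purl(info.get("organisation"), info.get("module"), info.get("revision"))
    components, depends_on = [], {root_ref: []}
    for module in root.iter("module"):
        org, name = module.get("organisation"), module.get("name")
        for rev in module.findall("revision"):
            if rev.get("evicted") is not None:
                continue  # evicted revisions never reach the classpath (assumed attribute)
            ref = purl(org, name, rev.get("name"))
            comp = {"type": "library", "group": org, "name": name, "version": rev.get("name"),
                    "purl": ref, "bom-ref": ref, "hashes": []}
            for art in rev.iter("artifact"):
                if art.get("status") != "successful":
                    # An artifact that was not fetched cannot be hashed; an SBOM
                    # that silently omits it would be wrong, so fail instead.
                    raise ValueError(f"{ref}: artifact not downloaded, refusing to emit SBOM")
                comp["hashes"].extend(file_hashes(art.get("location")))
            components.append(comp)
            depends_on.setdefault(ref, [])
            for caller in rev.findall("caller"):
                caller_ref = purl(caller.get("organisation"), caller.get("name"), caller.get("callerrev"))
                depends_on.setdefault(caller_ref, []).append(ref)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}", "version": 1,
        "metadata": {"component": {"type": "library", "group": info.get("organisation"),
                                   "name": info.get("module"), "version": info.get("revision"),
                                   "bom-ref": root_ref}},
        "components": components,
        "dependencies": [{"ref": r, "dependsOn": sorted(d)} for r, d in depends_on.items()],
    }


if __name__ == "__main__":
    print(json.dumps(ivy_report_to_bom(SAMPLE_REPORT), indent=2))
```

Two design points carry over to a Java implementation regardless of library: the hashes are computed from the bytes that were actually resolved, not taken from a checksum file next to the artifact, and a failed or missing download aborts generation rather than producing an SBOM with a hole in it.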
