On Sun, 16 Nov 2025 at 22:14, Gintautas Grigelionis <[email protected]> wrote:
> On Sun, 16 Nov 2025 at 19:38, Stefan Bodewig <[email protected]> wrote:
>
>> On 2025-11-15, Gintautas Grigelionis wrote:
>>
>>> On Sat, 15 Nov 2025 at 19:53, Stefan Bodewig <[email protected]> wrote:
>>>
>>>> On 2025-11-15, Gintautas Grigelionis wrote:
>>>>
>>>>> So the whole idea is to produce an SBOM manually based on Maven
>>>>> artifacts?
>>>>
>>>> This is one of the options that I came up with. Not the only option and I
>>>> don't expect to have exhausted the solution space :-)
>>>
>>> Would you be willing to revisit the publishing by Ivy now that Ivy has the
>>> capability to produce the necessary SHA hashes?
>>
>> I'm not sure how to answer that.
>>
>> We do publish Ant's "maven artifacts" via
>> Ivy. https://github.com/apache/ant/blob/master/ReleaseInstructions#L186
>> - but that's not the point.
>>
>> AFAIK Ivy can not create an SBOM, so writing code that can do just that
>> based on an Ivy model has been one of the options I came up with. If we
>> wanted to do that we'd also need to use quite a bit more of Ivy than we
>> do right now in Ant's release process. In particular the Ivy file would
>> need to become aware of the dependencies as you can't create an SBOM
>> without knowing the dependencies.
>>
>> Stefan
>
> Sorry for being unclear. I mean going back to PR 54 and taking another
> look at it.
> Then, Ivy needs a task that uses cyclonedx-core-java and/or
> spdx-java-library.
> If that's too much of a hassle, Maven can easily provide another cop-out.
> But I'd argue that dependency management ought to be done properly in
> order to produce a proper SBOM.
>
> Gintas

BTW, has CISA summarized the comments on their 2025 Minimum Elements for a
SBOM proposal? I've only seen the write-up at the OpenSSF website [1], but could
not find anything new after the public comment cutoff date on the CISA website.

Gintas

[1] https://openssf.org/blog/2025/10/22/sboms-in-the-era-of-the-cra-toward-a-unified-and-actionable-framework/
