Hi all,

I believe the library is functionally complete by now. I've copied the current manual pages to https://ant.apache.org/antlibs/cyclonedx/manual/ - and would love to hear feedback.

The SBOMs in https://github.com/apache/ant-antlibs-cyclonedx/tree/main/examples have been generated by the last two targets in https://github.com/apache/ant-antlibs-cyclonedx/blob/main/src/tests/antunit/componentbom-test.xml#L456

The next steps will be to hook SBOM generation into the library's own release process and to experimentally add it to a branch of Ant. Once that works I'll call for a release vote for a 0.1 release.

In the end the SBOM is a collection of components that declare dependencies on each other with one main component - and a bit of SBOM metadata sprinkled on top.

When I added support for a component of the SBOM to pull in its data from an SBOM defined elsewhere I believe I added the necessary extension point for an Ivy solution (or a maven resolver solution if anybody wants to provide one) by accident.

In Ivy's lingo is published jar-artifact of an Ivy module (from what I understand). Basically the Component class has a resolve method that can be used to pull data from a different place and return more components to add to the SBOM. This could as well be used by an Ivy specific subclass that resolves an ivy file, populates the component from the module's metadata and the artifact and returns components for the artifact's dependencies. The current Component explicitly restricts the Components returned by resolve to direct dependencies, but a subclass should be free to return the transitive hull of all dependencies.

This means an Ivy CycloneDX antlib could reuse all the stuff of the current Antlib and would "only" need to provide a subclass of Component as type. At least that would be a goal for me. I'll probably need to make a few things in Component protected to enable this but that shouldn't be too difficult.

Stefan
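Added example, not part of the original message and not the antlib's code: a Python sketch of the SBOM shape described above (one main component, a component list, dependency edges) that contrasts listing only direct dependencies with listing the transitive hull. The resolver, the function names and the package URLs are hypothetical and the dependency data is constructed; the JSON field names are CycloneDX's.

```python
import json

# Constructed sample data: ref -> direct dependencies (no real project).
DIRECT_DEPS = {
    "pkg:maven/org.example/app@1.0": ["pkg:maven/org.example/core@2.1",
                                      "pkg:maven/org.example/log@0.9"],
    "pkg:maven/org.example/core@2.1": ["pkg:maven/org.example/util@3.0"],
    "pkg:maven/org.example/log@0.9": ["pkg:maven/org.example/util@3.0"],
    "pkg:maven/org.example/util@3.0": ["pkg:maven/org.example/core@2.1"],  # cycle
}

def resolve_direct(ref):
    """Hypothetical resolver: returns only the direct dependencies of ref."""
    return list(DIRECT_DEPS.get(ref, []))

def transitive_hull(root, resolve=resolve_direct):
    """Apply resolve() breadth-first; return {ref: direct deps} for all reachable refs."""
    graph, queue = {}, [root]
    while queue:
        ref = queue.pop(0)
        if ref in graph:  # already visited, so dependency cycles terminate
            continue
        graph[ref] = resolve(ref)
        queue.extend(graph[ref])
    return graph

def component(ref, ctype="library"):
    """Minimal CycloneDX component entry derived from a purl-style ref."""
    name, version = ref.rsplit("/", 1)[1].split("@")
    return {"type": ctype, "bom-ref": ref, "name": name,
            "version": version, "purl": ref}

def build_bom(root, transitive=True):
    """Assemble a CycloneDX-shaped dict for root."""
    graph = transitive_hull(root) if transitive else {root: resolve_direct(root)}
    refs = set(graph) | {d for deps in graph.values() for d in deps}
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"component": component(root, "application")},
        "components": [component(r) for r in sorted(refs - {root})],
        "dependencies": [{"ref": r, "dependsOn": sorted(d)}
                         for r, d in sorted(graph.items())],
    }

if __name__ == "__main__":
    print(json.dumps(build_bom("pkg:maven/org.example/app@1.0"), indent=2))
```

With direct dependencies only, `util` never appears in the SBOM even though it ships with the application, which is the gap a resolver returning the transitive hull closes.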
