Hi All, [Piotr, Arnout, please correct me and clarify or refine what's below.]

Apache Commons publishes SBOMs using the Maven plugins for SPDX and CycloneDX. We currently publish hashes and versions for dependencies in these SBOMs, which will not be the case in the future, as it is not the role of SBOMs for libraries (as opposed to applications). The SBOM should declare the relationship and that's it, not the exact version.

The current plugins do not support this type of configuration, but work is in progress, for example: https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/589

Plus, there are issues, especially when dealing with multi-module builds, as we are currently encountering with the Commons VFS release for 2.10.0.

Therefore, when validating a release or using a Commons SBOM, you should ignore dependency versions and their hashes.

Thank you all,
Gary

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
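The post asks consumers of a Commons library SBOM to treat dependency versions and hashes as informational and to validate only the declared dependency relationships. The script below is an added example, not code from the post, from Apache Commons, or from either Maven plugin: it reads a small CycloneDX JSON document (constructed inline for the example; the group, name, version and hash values are made up), reduces the root component's direct dependencies to version-less `group:name` coordinates, and compares that set against the coordinates a reviewer expects (from the POM, say), while reporting which version and hash fields it deliberately ignored.

```python
import json

# Constructed CycloneDX-style SBOM (example data, not a real Commons SBOM).
# Dependency versions and hashes are present, as the post says the current
# plugins emit them; the checker below ignores both.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "library",
            "bom-ref": "pkg:maven/org.example/example-lib@1.2.3",
            "group": "org.example",
            "name": "example-lib",
            "version": "1.2.3",
        }
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:maven/org.example/dep-a@4.5.6",
            "group": "org.example",
            "name": "dep-a",
            "version": "4.5.6",
            "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
        },
        {
            "type": "library",
            "bom-ref": "pkg:maven/org.example/dep-b@0.9",
            "group": "org.example",
            "name": "dep-b",
            "version": "0.9",
        },
    ],
    "dependencies": [
        {
            "ref": "pkg:maven/org.example/example-lib@1.2.3",
            "dependsOn": [
                "pkg:maven/org.example/dep-a@4.5.6",
                "pkg:maven/org.example/dep-b@0.9",
            ],
        },
    ],
})


def coordinate(component):
    """group:name of a component, i.e. the relationship without the version."""
    group = component.get("group", "")
    return f"{group}:{component['name']}" if group else component["name"]


def declared_dependencies(sbom_json):
    """Return the root component's direct dependencies as version-less
    coordinates, plus notes listing the version/hash data that was ignored."""
    bom = json.loads(sbom_json)
    by_ref = {c["bom-ref"]: c for c in bom.get("components", [])}
    root_ref = bom["metadata"]["component"]["bom-ref"]
    deps, notes = set(), []
    for entry in bom.get("dependencies", []):
        if entry["ref"] != root_ref:
            continue  # only the library's own direct relationships matter here
        for ref in entry.get("dependsOn", []):
            comp = by_ref[ref]
            coord = coordinate(comp)
            deps.add(coord)
            if "version" in comp:
                notes.append(f"ignored version {comp['version']} for {coord}")
            if comp.get("hashes"):
                notes.append(f"ignored {len(comp['hashes'])} hash(es) for {coord}")
    return sorted(deps), notes


def check_release(sbom_json, expected_coordinates):
    """Compare declared dependency coordinates with the set a reviewer expects."""
    declared, notes = declared_dependencies(sbom_json)
    missing = sorted(set(expected_coordinates) - set(declared))
    unexpected = sorted(set(declared) - set(expected_coordinates))
    return {
        "ok": not missing and not unexpected,
        "missing": missing,
        "unexpected": unexpected,
        "notes": notes,
    }


if __name__ == "__main__":
    result = check_release(SAMPLE_SBOM, ["org.example:dep-a", "org.example:dep-b"])
    print(json.dumps(result, indent=2))
```

Matching on `bom-ref` rather than on the version embedded in the purl keeps the check valid once the plugins stop emitting versions; the `notes` list is there so a reviewer can see that version and hash fields were present and skipped rather than silently dropped.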
Apache Commons publishes SBOMs using the Maven plugins for SPDX and CycloneDX. We currently publish hashes and versions for dependencies in these SBOMs which will not be the case in the future as it is not the role of SBOMs for libraries (as opposed to applications). The SBOM should declare the relationship and that's it, not the exact version. The current plugins do not support this type of configuration but work is in progress, for example, https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/589 Plus, there are issues, especially when dealing with multi-module builds, as we currently encountered with the Commons VFS release for 2.10.0. Therefore, when validating a release or using a Commons SBOM, you should ignore dependency versions and their hashes. Thank you all, Gary --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org