It took me a while to do the research.
But I have some answers!
[See my comments below.]

> {
>   "type" : "distribution",
>   "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
> },
>
> This is a private URL for staging a release.

Below is the relevant excerpt from `cyclonedx-maven-plugin`:

    if (project.getDistributionManagement() != null) {
        addExternalReference(ExternalReference.Type.DISTRIBUTION,
                             project.getDistributionManagement().getDownloadUrl(),
                             component);
        if (project.getDistributionManagement().getRepository() != null) {
            addExternalReference(ExternalReference.Type.DISTRIBUTION,
                                 project.getDistributionManagement().getRepository().getUrl(),
                                 component);
        }
    }

Guess what we inherit from `org.apache:apache` POM in the
`distributionManagement` element?

    <distributionManagement>
      <repository>
        ...
        <url>${distMgmtReleasesUrl}</url>
      </repository>
      <snapshotRepository>...</snapshotRepository>
    </distributionManagement>

    <properties>
      ...
      <distMgmtReleasesUrl>https://repository.apache.org/service/local/staging/deploy/maven2</distMgmtReleasesUrl>

We can override
`distributionManagement.repository[id="apache.releases.https"].url` at
use-site, i.e., the root `pom.xml` of `logging-log4j2`,
`logging-log4j-tools`, etc. It'd indeed be nice to fix this for
`logging-parent` version `10.2.0`, though I don't find it a show stopper.

The question is which URL shall this point to?

   1. Nexus? Though it is not an official ASF distribution channel.
   2. ASF Distribution directory (e.g.,
      `https://downloads.apache.org/logging/logging-parent`)
   3. The distribution page (e.g.,
      `https://logging.apache.org/logging-parent/latest/#distribution`)

I am in favor of the last one, since it elaborates on all distribution
channels in detail.

> We probably also need to fill in other keys in the SBOM:

As far as I can read from sources, custom "keys" (i.e., "external
references") are not supported by `cyclonedx-maven-plugin`. I am
double-checking this with Hervé Boutemy (`cyclonedx-maven-plugin`
maintainer) as we speak. I might create a ticket (maybe even along with a
PR) depending on the outcome.


On Thu, Oct 19, 2023 at 11:39 AM Volkan Yazıcı <vol...@yazi.ci> wrote:

> Those are all good points Piotr. Thanks for raising them.
>
> Some of the settings you shared can be fixed for all projects, hence
> in `logging-parent` configuration. This will necessitate either a
> `10.2.0` RC2 or `10.2.1`.
>
> The others need to be addressed per project, which I will implement
> once we have a `logging-parent` release with `cyclonedx-maven-plugin`.
>
> In conclusion, I am on it.
>
> On Thu, Oct 19, 2023 at 10:18 AM Piotr P. Karwasz
> <piotr.karw...@gmail.com> wrote:
> >
> > Hi Volkan,
> >
> > On Wed, 18 Oct 2023 at 21:55, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > > * Added support for auto-generating CycloneDX Software Bill of
> > > Materials (SBOM)
> >
> > Looking at the generated `bom.json`, it gives a strange URL for the
> > distribution:
> >
> >         {
> >           "type" : "distribution",
> >           "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
> >         },
> >
> > This is a private URL for staging a release. I would expect this key to
> > contain:
> >
> > https://repository.apache.org/content/repositories/releases/
> >
> > We probably also need to fill in other keys in the SBOM:
> >
> > https://cyclonedx.org/docs/1.5/json/#externalReferences_items_type
> >
> > (I use the version 1.5 schema, since it is commented, while 1.4 isn't).
> >
> > The keys that would be useful to fill IMHO are:
> >
> > * `advisories`, pointing to a common page with all the CVE we
> > published against all our products,
> > * `release-notes`, `documentation` and `support`,
> > * `license` (for completeness, it is already defined elsewhere),
> > * `security-contact`, `vulnerability-assertion` and
> > `exploitability-statement`.  The latter could use the exploitability
> > assessments we provide in Github (twice, for Dependabot and OSV
> > scanner):
> >
> > https://github.com/apache/logging-log4j2/blob/2.x/log4j-parent/osv-scanner.toml
> > * `static-analysis-report`: both CodeQL and Scorecard can produce a
> > SARIF file. The latter even uploads it somewhere.
> >
> > Piotr
>

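An added check, not code from this thread or from `cyclonedx-maven-plugin`, that reads a generated `bom.json` and reports the two issues raised above: a `distribution` reference pointing at the staging endpoint, and the reference types Piotr listed that are absent. It assumes the project's own references live under `metadata.component`; the sample BOM is constructed, and its URLs other than the staging one are made up.

```python
"""Check a CycloneDX bom.json for a staging `distribution` URL and for
missing external reference types."""
import json
import re

# Reference types proposed in the thread (CycloneDX 1.5 names).
RECOMMENDED_TYPES = {
    "advisories", "release-notes", "documentation", "support", "license",
    "security-contact", "vulnerability-assertion", "exploitability-statement",
    "static-analysis-report",
}

# Nexus staging/deploy endpoint, as seen in the quoted bom.json excerpt.
STAGING_URL = re.compile(r"/service/local/staging/")


def check_external_references(bom):
    """Return (problems, missing_types).

    problems: list of (type, url, reason) for suspicious references.
    missing_types: sorted recommended types absent from the SBOM.
    Assumes the project's own component sits under metadata.component.
    """
    refs = bom.get("metadata", {}).get("component", {}).get("externalReferences", [])
    present, problems = set(), []
    for ref in refs:
        rtype, url = ref.get("type"), ref.get("url", "")
        present.add(rtype)
        if rtype == "distribution" and STAGING_URL.search(url):
            problems.append((rtype, url, "points at a private staging endpoint"))
    return problems, sorted(RECOMMENDED_TYPES - present)


# Constructed sample shaped like the bom.json excerpt quoted in the thread.
SAMPLE_BOM = {"metadata": {"component": {
    "name": "logging-parent",
    "externalReferences": [
        {"type": "distribution",
         "url": "https://repository.apache.org/service/local/staging/deploy/maven2"},
        {"type": "vcs", "url": "https://github.com/apache/logging-parent"},
        {"type": "license", "url": "https://www.apache.org/licenses/LICENSE-2.0.txt"},
    ],
}}}

if __name__ == "__main__":
    found, missing = check_external_references(SAMPLE_BOM)
    for rtype, url, reason in found:
        print(f"{rtype}: {url} ({reason})")
    print("missing recommended types:", ", ".join(missing))
```

Run it against a real `bom.json` by replacing `SAMPLE_BOM` with `json.load(open("target/bom.json"))`.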