It took me a while to do the research. But I have some answers! [See my comments below.]
> {
>   "type" : "distribution",
>   "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
> },
>
> This is a private URL for staging a release.

Below is the relevant excerpt from `cyclonedx-maven-plugin`:

    if (project.getDistributionManagement() != null) {
        addExternalReference(ExternalReference.Type.DISTRIBUTION,
                             project.getDistributionManagement().getDownloadUrl(), component);
        if (project.getDistributionManagement().getRepository() != null) {
            addExternalReference(ExternalReference.Type.DISTRIBUTION,
                                 project.getDistributionManagement().getRepository().getUrl(), component);
        }
    }

Guess what we inherit from the `org.apache:apache` POM in the `distributionManagement` element?

    <distributionManagement>
      <repository>
        ...
        <url>${distMgmtReleasesUrl}</url>
      </repository>
      <snapshotRepository>...</snapshotRepository>
    </distributionManagement>
    <properties>
      ...
      <distMgmtReleasesUrl>https://repository.apache.org/service/local/staging/deploy/maven2</distMgmtReleasesUrl>

We can override `distributionManagement.repository[id="apache.releases.https"].url` at use-site, i.e., the root `pom.xml` of `logging-log4j2`, `logging-log4j-tools`, etc. It'd indeed be nice to fix this for `logging-parent` version `10.2.0`, though I don't find it a show stopper. The question is, which URL shall this point to?

1. Nexus? Though it is not an official ASF distribution channel.
2. The ASF distribution directory (e.g., `https://downloads.apache.org/logging/logging-parent`)
3. The distribution page (e.g., `https://logging.apache.org/logging-parent/latest/#distribution`)

I am in favor of the last one, since it elaborates on all distribution channels in detail.

> We probably also need to fill in other keys in the SBOM:

As far as I can read from the sources, custom "keys" (i.e., "external references") are not supported by `cyclonedx-maven-plugin`. I am double-checking this with Hervé Boutemy (`cyclonedx-maven-plugin` maintainer) as we speak.
I might create a ticket (maybe even along with a PR) depending on the outcome.

On Thu, Oct 19, 2023 at 11:39 AM Volkan Yazıcı <vol...@yazi.ci> wrote:
> Those are all good points Piotr. Thanks for raising them.
>
> Some of the settings you shared can be fixed for all projects, hence in `logging-parent` configuration. This will necessitate either a `10.2.0` RC2 or `10.2.1`.
>
> The others need to be addressed per project, which I will implement once we have a `logging-parent` release with `cyclonedx-maven-plugin`.
>
> In conclusion, I am on it.
>
> On Thu, Oct 19, 2023 at 10:18 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
> >
> > Hi Volkan,
> >
> > On Wed, 18 Oct 2023 at 21:55, Volkan Yazıcı <vol...@yazi.ci> wrote:
> > > * Added support for auto-generating CycloneDX Software Bill of Materials (SBOM)
> >
> > Looking at the generated `bom.json`, it gives a strange URL for the distribution:
> >
> >     {
> >       "type" : "distribution",
> >       "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
> >     },
> >
> > This is a private URL for staging a release. I would expect this key to contain:
> >
> > https://repository.apache.org/content/repositories/releases/
> >
> > We probably also need to fill in other keys in the SBOM:
> >
> > https://cyclonedx.org/docs/1.5/json/#externalReferences_items_type
> >
> > (I use the version 1.5 schema, since it is commented, while 1.4 isn't).
> >
> > The keys that would be useful to fill IMHO are:
> >
> > * `advisories`, pointing to a common page with all the CVEs we published against all our products,
> > * `release-notes`, `documentation` and `support`,
> > * `license` (for completeness, it is already defined elsewhere),
> > * `security-contact`, `vulnerability-assertion` and `exploitability-statement`. The latter could use the exploitability assessments we provide in Github (twice, for Dependabot and OSV scanner):
> >   https://github.com/apache/logging-log4j2/blob/2.x/log4j-parent/osv-scanner.toml
> > * `static-analysis-report`: both CodeQL and Scorecard can produce a SARIF file. The latter even uploads it somewhere.
> >
> > Piotr
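As an added example (not code from this thread or from `cyclonedx-maven-plugin`), a small check that audits the root component of a generated `bom.json`: it flags `distribution` references that point at the Nexus staging path and lists which of the reference types Piotr suggested are still absent. The sample BOM below is constructed to mirror the excerpt quoted above; the staging-path prefix is the one from the thread.

```python
import json

# Reference types suggested in the thread (CycloneDX 1.5 externalReferences types).
WANTED_TYPES = {
    "advisories", "release-notes", "documentation", "support", "license",
    "security-contact", "vulnerability-assertion", "exploitability-statement",
    "static-analysis-report",
}

# URL prefix that identifies the private staging repository rather than a release channel.
STAGING_PREFIXES = ("https://repository.apache.org/service/local/staging/",)


def audit_external_references(bom):
    """Return (staging_urls, missing_types) for the BOM's root component.

    staging_urls:  'distribution' reference URLs that point at a staging repository.
    missing_types: wanted reference types not present on the root component (sorted).
    """
    root = bom.get("metadata", {}).get("component", {})
    refs = root.get("externalReferences", [])
    staging_urls = [
        r["url"] for r in refs
        if r.get("type") == "distribution" and r.get("url", "").startswith(STAGING_PREFIXES)
    ]
    present = {r.get("type") for r in refs}
    return staging_urls, sorted(WANTED_TYPES - present)


# Constructed sample mirroring the bom.json excerpt from the thread (not a real BOM).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {
      "type": "library",
      "name": "example-project",
      "externalReferences": [
        { "type": "distribution",
          "url": "https://repository.apache.org/service/local/staging/deploy/maven2" },
        { "type": "license", "url": "https://www.apache.org/licenses/LICENSE-2.0" }
      ]
    }
  },
  "components": []
}
""")

if __name__ == "__main__":
    staging, missing = audit_external_references(SAMPLE_BOM)
    for url in staging:
        print("staging URL published as distribution reference:", url)
    print("missing reference types:", ", ".join(missing))
```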