Today I have published the CycloneDX Vulnerability Disclosure Report (VDR) <https://cyclonedx.org/capabilities/vdr> Piotr and I have been working on. This VDR is expected to contain all CVEs filed by Logging Services. All our SBOMs will point to this one-and-only VDR file with the most recent `logging-parent` release.
*Public URL:* https://logging.apache.org/cyclonedx/vdr.xml *Canonical URL:* https://logging.apache.org/cyclonedx/urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06 *Source:* https://github.com/apache/logging-site/blob/cyclonedx/urn%3Acdx%3Adfa35519-9734-4259-bba1-3e825cf4be06/1.xml I already filled in all CVEs published against Log4j. I will appreciate it if the rest of you can help us to do the same for Chainsaw, Log4cxx, etc. Please do create a PR for your changes (I will be more than happy to review them!) and follow a chronological order (newer CVE comes first) in `vulnerability` entries.
