darkma773r commented on PR #122: URL: https://github.com/apache/commons-parent/pull/122#issuecomment-1183879567
Adding an SBOM to our Maven artifacts would be quite beneficial. They provide insight into software supply chains and can be used, among other things, to help locate vulnerabilities in downstream applications (see https://cyclonedx.org/use-cases/). We are going to begin using them in my day job as part of our cybersecurity requirements and having commons projects produce these as well would be great.

As far as the example with commons-vfs goes, it seems like something might be wonky with the plugin on that project. For example, the plugin keeps generating and then replacing the generated SBOM:

```
[INFO] CycloneDX: Writing BOM (JSON): /home/matt/projects/commons-vfs/commons-vfs2-distribution/target/commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.json
[INFO] CycloneDX: Validating BOM (JSON): /home/matt/projects/commons-vfs/commons-vfs2-distribution/target/commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.json
[WARNING] artifact org.apache.commons:commons-vfs2-distribution:json:cyclonedx:2.10.0-SNAPSHOT already attached, replace previous instance
```

If you run it with commons-text, you'll see the `commons-text-1.10.0-SNAPSHOT-bom.json` and `commons-text-1.10.0-SNAPSHOT-bom.xml` files produced as expected.
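The comment above points at the downstream use of the generated `*-bom.json` file: consumers read the component list and check it against known advisories. The following is an added example, not code from this PR, from Apache Commons, or from the cyclonedx-maven-plugin. It parses a constructed CycloneDX 1.4 JSON document shaped like the plugin's output (nested `components` included), extracts each component's Maven coordinates and purl, and matches them against a constructed advisory list with placeholder ids. The `fixed_in` field and the simplified version comparison are assumptions of this example; Maven's own `ComparableVersion` rules (e.g. `-SNAPSHOT` ordering) are not reproduced.

```python
"""Parse a CycloneDX JSON SBOM and match its components against an advisory list.

Added example; the BOM, the advisory list and the advisory ids below are
constructed for illustration and do not describe any real vulnerability.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed sample BOM, shaped like the cyclonedx-maven-plugin's JSON output.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {
            "type": "library", "group": "org.apache.commons",
            "name": "commons-text", "version": "1.10.0-SNAPSHOT",
            "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0-SNAPSHOT",
        }
    },
    "components": [
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
        {"type": "library", "group": "org.example", "name": "demo-lib",
         "version": "1.2.3", "purl": "pkg:maven/org.example/demo-lib@1.2.3",
         # CycloneDX allows components to nest their own sub-components.
         "components": [
             {"type": "library", "group": "org.example", "name": "nested-lib",
              "version": "0.9.0", "purl": "pkg:maven/org.example/nested-lib@0.9.0"},
         ]},
    ],
})

# Constructed advisory list (hypothetical ids). "fixed_in" is an assumed field:
# every version below it is treated as affected.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADVISORY-001", "group": "org.example", "name": "demo-lib", "fixed_in": "1.3.0"},
    {"id": "EXAMPLE-ADVISORY-002", "group": "org.example", "name": "nested-lib", "fixed_in": "0.5.0"},
]


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str
    purl: str


def _walk(components: List[dict]) -> Iterator[dict]:
    """Depth-first walk over a component list, descending into nested components."""
    for comp in components:
        yield comp
        yield from _walk(comp.get("components", []))


def parse_bom(text: str) -> List[Component]:
    """Return every component (excluding the BOM's own metadata component)."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        Component(c.get("group", ""), c["name"], c.get("version", ""), c.get("purl", ""))
        for c in _walk(bom.get("components", []))
    ]


def version_key(version: str) -> Tuple:
    """Simplified comparable key: numeric tokens before textual ones.

    This is NOT Maven's ComparableVersion; it is sufficient for plain
    dotted versions and is labelled as a simplification.
    """
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok)
        for tok in version.replace("-", ".").split(".")
    )


def find_affected(components: List[Component],
                  advisories: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (advisory id, purl) pairs for components below the fixed version."""
    hits = []
    for adv in advisories:
        for comp in components:
            same_artifact = (comp.group, comp.name) == (adv["group"], adv["name"])
            if same_artifact and version_key(comp.version) < version_key(adv["fixed_in"]):
                hits.append((adv["id"], comp.purl))
    return hits


if __name__ == "__main__":
    comps = parse_bom(SAMPLE_BOM)
    for c in comps:
        print(c.purl)
    for adv_id, purl in find_affected(comps, ADVISORIES):
        print(f"{adv_id}: {purl}")
```

Run against a real `target/<artifact>-bom.json`, the same two functions give a first-pass inventory and advisory match; the nested-component walk matters because a distribution-style module (like the commons-vfs one in the log above) can aggregate several artifacts into one BOM.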