Hi, attached you will find the SBOM files as they are created by the cyclonedx maven plugin running on the current JDO-845 branch.
Regards Michael
bom.json
Description: application/json
<?xml version="1.0" encoding="UTF-8"?>
<!-- CycloneDX 1.6 software bill of materials for javax.jdo:jdo-api 3.3-SNAPSHOT.
     It lists the generating tool, the described artifact, two dependency
     components with their digests, and the dependency graph between them. -->
<bom serialNumber="urn:uuid:e7a759e2-9f1b-3781-ac90-bdb375e57a08" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
  <metadata>
    <lifecycles>
      <lifecycle>
        <phase>build</phase>
      </lifecycle>
    </lifecycles>
    <!-- Tool that produced this BOM. The digests below are recorded for the
         plugin artifact, not for the project being described. -->
    <tools>
      <components>
        <component type="library">
          <author>OWASP Foundation</author>
          <group>org.cyclonedx</group>
          <name>cyclonedx-maven-plugin</name>
          <version>2.9.0</version>
          <description>CycloneDX Maven plugin</description>
          <hashes>
            <hash alg="MD5">dfaeab7ec837ce07874e2ee66fdc57d3</hash>
            <hash alg="SHA-1">8bab47bafc8183d0a5f37790ff55ed05ead1ae2d</hash>
            <hash alg="SHA-256">67117e03eae4a03ca8bab3add044995f4899aa21798a2510b8265ef8101e90ac</hash>
            <hash alg="SHA-512">ae6b706516bb76da806b7854aef9e348fa593f5159ae9d693ad38942165c0ebc0846d977a477f6029612d43468fd2cd73a5aa253c228a94fb8d184e0acefc3d2</hash>
            <hash alg="SHA-384">ee872354d8b0dcd6f9835a913b3aaba70d9365a46043be78020183282a1e9fca812e969246cbe31d642541591b46648b</hash>
            <hash alg="SHA3-384">e5167f9e7ceba3b7b4d1900c404543907868745334bedc69cdf79c271727148413033a3b1426b733b7549e612e44adee</hash>
            <hash alg="SHA3-256">41fc0bc2275f354e2c7da01041ce73ce677364799cba53920a180aa5d4571c63</hash>
            <hash alg="SHA3-512">ed7f97900b09b818dbc0b8a23c00a2843e1bc34e2e8eb5b6df52533af0a15b721de6f7d5c2fd9352b8d4fde768e080053b40a16f0f9f04c336fe9b44abe83fc0</hash>
          </hashes>
        </component>
      </components>
    </tools>
    <!-- Subject of the BOM. The version is a Maven SNAPSHOT (a mutable version)
         and no hashes element is recorded for it, so this document alone does
         not pin one exact jdo-api artifact. -->
    <component type="library" bom-ref="pkg:maven/javax.jdo/jdo-api@3.3-SNAPSHOT?type=jar">
      <publisher>The Apache Software Foundation</publisher>
      <group>javax.jdo</group>
      <name>jdo-api</name>
      <version>3.3-SNAPSHOT</version>
      <description>The Java Data Objects (JDO) API is a standard interface-based Java model abstraction of persistence, developed as Java Specification Requests (JSR 12 and 243) under the auspices of the Java Community Process.</description>
      <licenses>
        <license>
          <id>Apache-2.0</id>
          <url>https://www.apache.org/licenses/LICENSE-2.0</url>
        </license>
      </licenses>
      <purl>pkg:maven/javax.jdo/jdo-api@3.3-SNAPSHOT?type=jar</purl>
      <!-- The website and mailing-list references below use plain http. -->
      <externalReferences>
        <reference type="website">
          <url>http://db.apache.org/jdo/jdo-api</url>
        </reference>
        <reference type="distribution-intake">
          <url>https://repository.apache.org/service/local/staging/deploy/maven2</url>
        </reference>
        <reference type="mailing-list">
          <url>http://mail-archives.apache.org/mod_mbox/db-jdo-user/</url>
        </reference>
        <reference type="vcs">
          <url>https://gitbox.apache.org/repos/asf?p=db-jdo.git</url>
        </reference>
      </externalReferences>
    </component>
    <!-- maven.scopes names the dependency scopes that were collected; "test" is
         not in the list, so test-only dependencies are outside this BOM.
         NOTE(review): cdx:reproducible is "enabled" and the metadata carries no
         timestamp element; presumably the plugin ran in its reproducible mode.
         Confirm against the plugin documentation. -->
    <properties>
      <property name="maven.goal">makeBom</property>
      <property name="maven.scopes">compile,provided,runtime,system</property>
      <property name="cdx:reproducible">enabled</property>
    </properties>
  </metadata>
  <!-- Dependency components. Each one carries MD5 and SHA-1 next to SHA-2 and
       SHA-3 digests; artifact verification should compare SHA-256 or stronger,
       because MD5 and SHA-1 are not collision resistant. -->
  <components>
    <component type="library" bom-ref="pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar">
      <publisher>GlassFish Community</publisher>
      <group>javax.transaction</group>
      <name>javax.transaction-api</name>
      <version>1.3</version>
      <description>Project GlassFish Java Transaction API</description>
      <scope>required</scope>
      <hashes>
        <hash alg="MD5">6e9cb1684621821248b6823143ae26c0</hash>
        <hash alg="SHA-1">e006adf5cf3cca2181d16bd640ecb80148ec0fce</hash>
        <hash alg="SHA-256">603df5e4fc1eeae8f5e5d363a8be6c1fa47d0df1df8739a05cbcb9fafd6df2da</hash>
        <hash alg="SHA-512">3497cf77352aa1317c70ad1d28e8e7da51337d844c8227a35707209c750ba6f5d644a4ffdbdb10e5fbde204003aa43ff80e9e2ff3164584a7a34d8292266b2bc</hash>
        <hash alg="SHA-384">7044d8d5829a777d85e1a987c3e346eb535dd321366bdf32a9e8ed4f52facd0610ac2f3f58b4a1b001893f01fddc5eae</hash>
        <hash alg="SHA3-384">d0c1807001e02ce47320be657be055b4777b8b5673c22a78b0574955f7a6105dacc42b46b86ab967dc382cf332da59d8</hash>
        <hash alg="SHA3-256">c7c48884317a2d0e1596f201763acbca4ef76462af9172fd5e68aca3465303e1</hash>
        <hash alg="SHA3-512">bf053d4fe995cb5c1d6c01320fc73530017ee364de6ae21eb98fa0372b2aa6eff2fa4ac2d9cd5f692c930ee573c2f6226441918123fcfc48b5b4a126d350928c</hash>
      </hashes>
      <!-- Dual-licensed: an SPDX expression is used instead of a single license id. -->
      <licenses>
        <expression>(CDDL-1.0 OR GPL-2.0-with-classpath-exception)</expression>
      </licenses>
      <purl>pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar</purl>
      <externalReferences>
        <reference type="website">
          <url>http://jta-spec.java.net</url>
        </reference>
        <reference type="distribution-intake">
          <url>https://maven.java.net/service/local/staging/deploy/maven2/</url>
        </reference>
        <reference type="issue-tracker">
          <url>https://github.com/javaee/javax.transaction/issues</url>
        </reference>
        <!-- NOTE(review): this value is a truncated e-mail address ("..."), not a
             URL. It looks like address obfuscation applied to the posted copy;
             confirm against the generated file. -->
        <reference type="mailing-list">
          <url>javaee-s...@javaee.groups.io</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/javaee/javax.transaction</url>
        </reference>
      </externalReferences>
    </component>
    <component type="library" bom-ref="pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.2.5?type=jar">
      <publisher>Eclipse Foundation</publisher>
      <group>org.glassfish.corba</group>
      <name>glassfish-corba-omgapi</name>
      <version>4.2.5</version>
      <description>A CORBA ORB for Glassfish</description>
      <scope>required</scope>
      <hashes>
        <hash alg="MD5">e5e7ed5c3664e33956e6f006e5f2c34a</hash>
        <hash alg="SHA-1">112740b44afd5739b4ef614a8ff5221cc3f338b7</hash>
        <hash alg="SHA-256">25ed65894264ffedfc3aada1da7ace3323672ea6b9ca2e3c9931309818bf2eed</hash>
        <hash alg="SHA-512">42336ddcec2881523e908fb50ce122c9caf48489cb30efbdf33920178755b2d0394d7784c36d830c083490dc4a53b466ff75fbeb39c0d14438d6d815b71f951a</hash>
        <hash alg="SHA-384">6e03ccc5965654eb50f30fb37419c13f7900d14af556e25f5d5e773151a30239e8ade957a98aac4cb4b45a32e707fee6</hash>
        <hash alg="SHA3-384">128ce4e9d9502cd1715fa8c8ccade3046cc1b8fbe989c93ced4eed1e652451389f847e6731053b11dcd7e3a9ac2a34a4</hash>
        <hash alg="SHA3-256">f2464ba0f3573997f6ec301d3036107820261d4f3227ebd50c270ea0b6f6cb16</hash>
        <hash alg="SHA3-512">42425fe14f8c90c24b3ddd5e7a69808e9cbd96139ac2b06e2f490363a9592b4c035e61fecaa66deb6ee7a3ce5d9426d102b4cb1b0ee3f32dedb3dc45369bc35d</hash>
      </hashes>
      <licenses>
        <license>
          <id>BSD-3-Clause</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.2.5?type=jar</purl>
      <externalReferences>
        <reference type="website">
          <url>https://projects.eclipse.org/proposals/eclipse-orb/glassfish-corba-omgapi</url>
        </reference>
        <reference type="distribution-intake">
          <url>https://jakarta.oss.sonatype.org/service/local/staging/deploy/maven2/</url>
        </reference>
        <reference type="issue-tracker">
          <url>https://github.com/eclipse-ee4j/orb/issues</url>
        </reference>
        <reference type="mailing-list">
          <url>https://dev.eclipse.org/mhonarc/lists/orb-dev</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/eclipse-ee4j/orb/glassfish-corba-omgapi</url>
        </reference>
      </externalReferences>
    </component>
  </components>
  <!-- Dependency graph, keyed by bom-ref: jdo-api depends on both listed
       components, and each of those is recorded with no dependencies of its own. -->
  <dependencies>
    <dependency ref="pkg:maven/javax.jdo/jdo-api@3.3-SNAPSHOT?type=jar">
      <dependency ref="pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar"/>
      <dependency ref="pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.2.5?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/javax.transaction/javax.transaction-api@1.3?type=jar"/>
    <dependency ref="pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.2.5?type=jar"/>
  </dependencies>
</bom>