This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git

commit 6dbc2fdc7a4dd3ab88f63afe1d3d175ffab68e66
Author: Stefan Bodewig <[email protected]>
AuthorDate: Fri May 8 14:49:15 2026 +0200

    reference components by their SBOM
---
 examples/ant-cyclonedx-0.1alpha-cyclonedx.json     |  75 +++--
 examples/ant-cyclonedx-0.1alpha-cyclonedx.xml      |  68 ++--
 src/main/org/apache/ant/cyclonedx/Component.java   |  77 +++++
 .../org/apache/ant/cyclonedx/ComponentBomTask.java |   1 +
 .../org/apache/ant/cyclonedx/Organization.java     |  10 +
 src/tests/antunit/componentbom-test.xml            |  11 +-
 .../cyclonedx-core-java-12.2.0-cyclonedx.json      | 366 +++++++++++++++++++++
 7 files changed, 558 insertions(+), 50 deletions(-)

diff --git a/examples/ant-cyclonedx-0.1alpha-cyclonedx.json 
b/examples/ant-cyclonedx-0.1alpha-cyclonedx.json
index 55c6ef1..0303b43 100644
--- a/examples/ant-cyclonedx-0.1alpha-cyclonedx.json
+++ b/examples/ant-cyclonedx-0.1alpha-cyclonedx.json
@@ -1,10 +1,10 @@
 {
   "bomFormat" : "CycloneDX",
   "specVersion" : "1.6",
-  "serialNumber" : "urn:uuid:817ebe65-d467-4d89-b134-17c005157e74",
+  "serialNumber" : "urn:uuid:1b67466f-e18e-401b-857b-ce95cdd9cc82",
   "version" : 1,
   "metadata" : {
-    "timestamp" : "2026-05-02T08:03:43Z",
+    "timestamp" : "2026-05-08T12:48:39Z",
     "lifecycles" : [
       {
         "phase" : "build"
@@ -33,35 +33,35 @@
           "hashes" : [
             {
               "alg" : "MD5",
-              "content" : "14f2e711dd0b6d5abc7a9e5f2a5233a7"
+              "content" : "0504c60f77b82c2d29f3b71d7c4af59b"
             },
             {
               "alg" : "SHA-1",
-              "content" : "720f308380ae53446b78643d9d0b0561a9a6a1e8"
+              "content" : "a58ca1d9c117d4a53c1d542746d06ea9a600900d"
             },
             {
               "alg" : "SHA-256",
-              "content" : 
"d823adf48bded32d8420c02932837cacdcb1052dc1e4abdd27039e2801ab4907"
+              "content" : 
"ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a"
             },
             {
               "alg" : "SHA-512",
-              "content" : 
"036835030909cdf345a4f8b104f9fcdefc34873024feed1a96899327ca96c7c2be2eecee46b80bf8c2e86b60cb9902f8c17cfae9ea1f30813d8d58f9d880eb37"
+              "content" : 
"54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934"
             },
             {
               "alg" : "SHA3-256",
-              "content" : 
"622f01c152661392d2d5cf46e075d9602439b9f9fa6bca0e4b3e10815dc4eeed"
+              "content" : 
"55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf"
             },
             {
               "alg" : "SHA3-512",
-              "content" : 
"675e597165e3bf5fcdab6075628c1dbf6e3c6c346aaaf619a54c54d7eae45458a1f1c9e144cd8571994e34404d1c52f4721f42fde79050cf56db4460aee28aea"
+              "content" : 
"88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed"
             },
             {
               "alg" : "SHA-384",
-              "content" : 
"02c0c52fe4504538c894b5fd24fe51f9c754a6935c6c241c2419492d6a11cd57bc3f7b1c561ee8a8c038dc5fe3ec1386"
+              "content" : 
"30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a"
             },
             {
               "alg" : "SHA3-384",
-              "content" : 
"406ff03cf5b204c79e41da2f484b8d86ea1c873ff6a41b752a02beb8e235a901c1de5b764a7688c9f12acacd4a623d84"
+              "content" : 
"a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9"
             }
           ],
           "licenses" : [
@@ -108,35 +108,35 @@
       "hashes" : [
         {
           "alg" : "MD5",
-          "content" : "14f2e711dd0b6d5abc7a9e5f2a5233a7"
+          "content" : "0504c60f77b82c2d29f3b71d7c4af59b"
         },
         {
           "alg" : "SHA-1",
-          "content" : "720f308380ae53446b78643d9d0b0561a9a6a1e8"
+          "content" : "a58ca1d9c117d4a53c1d542746d06ea9a600900d"
         },
         {
           "alg" : "SHA-256",
-          "content" : 
"d823adf48bded32d8420c02932837cacdcb1052dc1e4abdd27039e2801ab4907"
+          "content" : 
"ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a"
         },
         {
           "alg" : "SHA-512",
-          "content" : 
"036835030909cdf345a4f8b104f9fcdefc34873024feed1a96899327ca96c7c2be2eecee46b80bf8c2e86b60cb9902f8c17cfae9ea1f30813d8d58f9d880eb37"
+          "content" : 
"54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934"
         },
         {
           "alg" : "SHA3-256",
-          "content" : 
"622f01c152661392d2d5cf46e075d9602439b9f9fa6bca0e4b3e10815dc4eeed"
+          "content" : 
"55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf"
         },
         {
           "alg" : "SHA3-512",
-          "content" : 
"675e597165e3bf5fcdab6075628c1dbf6e3c6c346aaaf619a54c54d7eae45458a1f1c9e144cd8571994e34404d1c52f4721f42fde79050cf56db4460aee28aea"
+          "content" : 
"88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed"
         },
         {
           "alg" : "SHA-384",
-          "content" : 
"02c0c52fe4504538c894b5fd24fe51f9c754a6935c6c241c2419492d6a11cd57bc3f7b1c561ee8a8c038dc5fe3ec1386"
+          "content" : 
"30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a"
         },
         {
           "alg" : "SHA3-384",
-          "content" : 
"406ff03cf5b204c79e41da2f484b8d86ea1c873ff6a41b752a02beb8e235a901c1de5b764a7688c9f12acacd4a623d84"
+          "content" : 
"a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9"
         }
       ],
       "licenses" : [
@@ -197,11 +197,42 @@
     },
     {
       "type" : "library",
-      "bom-ref" : 
"pkg:maven/org.cyclonedx/[email protected]?type=jar",
+      "bom-ref" : 
"pkg:maven/org.cyclonedx/[email protected]?type=jar",
       "group" : "org.cyclonedx",
       "name" : "cyclonedx-core-java",
-      "version" : "12.1.0",
-      "purl" : "pkg:maven/org.cyclonedx/[email protected]?type=jar"
+      "version" : "12.2.0",
+      "description" : "The CycloneDX core module provides a model 
representation of the BOM along with utilities to assist in creating, parsing, 
and validating BOMs.",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0",
+            "url" : "https://www.apache.org/licenses/LICENSE-2.0";
+          }
+        }
+      ],
+      "purl" : "pkg:maven/org.cyclonedx/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java";
+        },
+        {
+          "type" : "build-system",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java/actions";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://oss.sonatype.org/service/local/staging/deploy/maven2/";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java/issues";
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java.git";
+        }
+      ]
     }
   ],
   "dependencies" : [
@@ -209,7 +240,7 @@
       "ref" : "pkg:maven/org.apache.ant/[email protected]?type=jar",
       "dependsOn" : [
         "pkg:maven/org.apache.ant/[email protected]?type=jar",
-        "pkg:maven/org.cyclonedx/[email protected]?type=jar"
+        "pkg:maven/org.cyclonedx/[email protected]?type=jar"
       ]
     }
   ]
diff --git a/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml 
b/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml
index ab5a2a2..bfaa5e9 100644
--- a/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml
+++ b/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom serialNumber="urn:uuid:817ebe65-d467-4d89-b134-17c005157e74" version="1" 
xmlns="http://cyclonedx.org/schema/bom/1.6";>
+<bom serialNumber="urn:uuid:1b67466f-e18e-401b-857b-ce95cdd9cc82" version="1" 
xmlns="http://cyclonedx.org/schema/bom/1.6";>
   <metadata>
-    <timestamp>2026-05-02T08:03:43Z</timestamp>
+    <timestamp>2026-05-08T12:48:39Z</timestamp>
     <lifecycles>
       <lifecycle>
         <phase>build</phase>
@@ -23,14 +23,14 @@
           <version>0.1alpha</version>
           <description>Apache CycloneDX Antlib</description>
           <hashes>
-            <hash alg="MD5">14f2e711dd0b6d5abc7a9e5f2a5233a7</hash>
-            <hash alg="SHA-1">720f308380ae53446b78643d9d0b0561a9a6a1e8</hash>
-            <hash 
alg="SHA-256">d823adf48bded32d8420c02932837cacdcb1052dc1e4abdd27039e2801ab4907</hash>
-            <hash 
alg="SHA-512">036835030909cdf345a4f8b104f9fcdefc34873024feed1a96899327ca96c7c2be2eecee46b80bf8c2e86b60cb9902f8c17cfae9ea1f30813d8d58f9d880eb37</hash>
-            <hash 
alg="SHA3-256">622f01c152661392d2d5cf46e075d9602439b9f9fa6bca0e4b3e10815dc4eeed</hash>
-            <hash 
alg="SHA3-512">675e597165e3bf5fcdab6075628c1dbf6e3c6c346aaaf619a54c54d7eae45458a1f1c9e144cd8571994e34404d1c52f4721f42fde79050cf56db4460aee28aea</hash>
-            <hash 
alg="SHA-384">02c0c52fe4504538c894b5fd24fe51f9c754a6935c6c241c2419492d6a11cd57bc3f7b1c561ee8a8c038dc5fe3ec1386</hash>
-            <hash 
alg="SHA3-384">406ff03cf5b204c79e41da2f484b8d86ea1c873ff6a41b752a02beb8e235a901c1de5b764a7688c9f12acacd4a623d84</hash>
+            <hash alg="MD5">0504c60f77b82c2d29f3b71d7c4af59b</hash>
+            <hash alg="SHA-1">a58ca1d9c117d4a53c1d542746d06ea9a600900d</hash>
+            <hash 
alg="SHA-256">ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a</hash>
+            <hash 
alg="SHA-512">54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934</hash>
+            <hash 
alg="SHA3-256">55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf</hash>
+            <hash 
alg="SHA3-512">88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed</hash>
+            <hash 
alg="SHA-384">30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a</hash>
+            <hash 
alg="SHA3-384">a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9</hash>
           </hashes>
           <licenses>
             <license>
@@ -64,14 +64,14 @@
       <version>0.1alpha</version>
       <description>Apache CycloneDX Antlib</description>
       <hashes>
-        <hash alg="MD5">14f2e711dd0b6d5abc7a9e5f2a5233a7</hash>
-        <hash alg="SHA-1">720f308380ae53446b78643d9d0b0561a9a6a1e8</hash>
-        <hash 
alg="SHA-256">d823adf48bded32d8420c02932837cacdcb1052dc1e4abdd27039e2801ab4907</hash>
-        <hash 
alg="SHA-512">036835030909cdf345a4f8b104f9fcdefc34873024feed1a96899327ca96c7c2be2eecee46b80bf8c2e86b60cb9902f8c17cfae9ea1f30813d8d58f9d880eb37</hash>
-        <hash 
alg="SHA3-256">622f01c152661392d2d5cf46e075d9602439b9f9fa6bca0e4b3e10815dc4eeed</hash>
-        <hash 
alg="SHA3-512">675e597165e3bf5fcdab6075628c1dbf6e3c6c346aaaf619a54c54d7eae45458a1f1c9e144cd8571994e34404d1c52f4721f42fde79050cf56db4460aee28aea</hash>
-        <hash 
alg="SHA-384">02c0c52fe4504538c894b5fd24fe51f9c754a6935c6c241c2419492d6a11cd57bc3f7b1c561ee8a8c038dc5fe3ec1386</hash>
-        <hash 
alg="SHA3-384">406ff03cf5b204c79e41da2f484b8d86ea1c873ff6a41b752a02beb8e235a901c1de5b764a7688c9f12acacd4a623d84</hash>
+        <hash alg="MD5">0504c60f77b82c2d29f3b71d7c4af59b</hash>
+        <hash alg="SHA-1">a58ca1d9c117d4a53c1d542746d06ea9a600900d</hash>
+        <hash 
alg="SHA-256">ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a</hash>
+        <hash 
alg="SHA-512">54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934</hash>
+        <hash 
alg="SHA3-256">55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf</hash>
+        <hash 
alg="SHA3-512">88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed</hash>
+        <hash 
alg="SHA-384">30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a</hash>
+        <hash 
alg="SHA3-384">a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9</hash>
       </hashes>
       <licenses>
         <license>
@@ -116,17 +116,41 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library" 
bom-ref="pkg:maven/org.cyclonedx/[email protected]?type=jar">
+    <component type="library" 
bom-ref="pkg:maven/org.cyclonedx/[email protected]?type=jar">
       <group>org.cyclonedx</group>
       <name>cyclonedx-core-java</name>
-      <version>12.1.0</version>
-      <purl>pkg:maven/org.cyclonedx/[email protected]?type=jar</purl>
+      <version>12.2.0</version>
+      <description>The CycloneDX core module provides a model representation 
of the BOM along with utilities to assist in creating, parsing, and validating 
BOMs.</description>
+      <licenses>
+        <license>
+          <id>Apache-2.0</id>
+          <url>https://www.apache.org/licenses/LICENSE-2.0</url>
+        </license>
+      </licenses>
+      <purl>pkg:maven/org.cyclonedx/[email protected]?type=jar</purl>
+      <externalReferences>
+        <reference type="website">
+          <url>https://github.com/CycloneDX/cyclonedx-core-java</url>
+        </reference>
+        <reference type="build-system">
+          <url>https://github.com/CycloneDX/cyclonedx-core-java/actions</url>
+        </reference>
+        <reference type="distribution-intake">
+          
<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+        </reference>
+        <reference type="issue-tracker">
+          <url>https://github.com/CycloneDX/cyclonedx-core-java/issues</url>
+        </reference>
+        <reference type="vcs">
+          <url>https://github.com/CycloneDX/cyclonedx-core-java.git</url>
+        </reference>
+      </externalReferences>
     </component>
   </components>
   <dependencies>
     <dependency ref="pkg:maven/org.apache.ant/[email protected]?type=jar">
       <dependency ref="pkg:maven/org.apache.ant/[email protected]?type=jar"/>
-      <dependency 
ref="pkg:maven/org.cyclonedx/[email protected]?type=jar"/>
+      <dependency 
ref="pkg:maven/org.cyclonedx/[email protected]?type=jar"/>
     </dependency>
   </dependencies>
 </bom>
diff --git a/src/main/org/apache/ant/cyclonedx/Component.java 
b/src/main/org/apache/ant/cyclonedx/Component.java
index 8b8f715..50518f0 100644
--- a/src/main/org/apache/ant/cyclonedx/Component.java
+++ b/src/main/org/apache/ant/cyclonedx/Component.java
@@ -1,7 +1,9 @@
 package org.apache.ant.cyclonedx;
 
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -10,10 +12,15 @@ import org.apache.tools.ant.ProjectComponent;
 import org.apache.tools.ant.types.DataType;
 import org.apache.tools.ant.types.Resource;
 import org.apache.tools.ant.types.resources.FileProvider;
+import org.apache.tools.ant.types.resources.Union;
 
 import org.cyclonedx.Version;
+import org.cyclonedx.exception.ParseException;
+import org.cyclonedx.model.Bom;
 import org.cyclonedx.model.LicenseChoice;
 import org.cyclonedx.model.OrganizationalEntity;
+import org.cyclonedx.parsers.BomParserFactory;
+import org.cyclonedx.parsers.Parser;
 import org.cyclonedx.util.BomUtils;
 
 public class Component extends DataType {
@@ -34,6 +41,7 @@ public class Component extends DataType {
     private boolean isExternal = false;
     private List<Dependency> dependencies = new ArrayList<>();
     private boolean unknownDependencies = false;
+    private Union sbomLink;
 
     public void add(Resource resource) {
         checkChildrenAllowed();
@@ -159,6 +167,11 @@ public class Component extends DataType {
         this.unknownDependencies = unknownDependencies;
     }
 
+    public Union createSbomLink() {
+        checkChildrenAllowed();
+        return sbomLink == null ? (sbomLink = new Union()) : sbomLink;
+    }
+
     public boolean areDependenciesUnknown() {
         if (isReference()) {
             return getRef().areDependenciesUnknown();
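Review bot: createSbomLink() has no Javadoc, and the contract it introduces cannot be guessed from the build-file side: resolve() in this same commit insists on exactly one nested resource and overwrites name, group, version, purl and bom-ref with the values from the linked SBOM. A short Javadoc such as `/** Nested resource collection holding exactly one CycloneDX SBOM whose metadata component replaces this component's attributes. */` would record that. It may also be worth rejecting `name` or `version` attributes set together with `sbomLink`, since they are otherwise replaced silently.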
@@ -166,6 +179,70 @@ public class Component extends DataType {
         return unknownDependencies;
     }
 
+    public void resolve() throws IOException {
+        if (isReference()) {
+            getRef().resolve();
+            return;
+        }
+
+        if (sbomLink != null) {
+            if (sbomLink.size() != 1) {
+                throw new BuildException("sbomLink requires exactly one nested 
resource");
+            }
+            Resource sbom = sbomLink.iterator().next();
+            try (InputStream data = sbom.getInputStream();
+                 ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
+                byte[] buf = new byte[4096];
+                int count = data.read(buf, 0, buf.length);
+                while (count >= 0) {
+                    baos.write(buf, 0, count);
+                    count = data.read(buf, 0, buf.length);
+                }
+                byte[] content = baos.toByteArray();
+                try {
+                    Parser parser = BomParserFactory.createParser(content);
+                    Bom bom = parser.parse(content);
+                    if (bom.getMetadata() == null) {
+                        throw new BuildException("referenced SBOM file lacks 
metadata");
+                    }
+                    org.cyclonedx.model.Component real = 
bom.getMetadata().getComponent();
+                    if (real == null) {
+                        throw new BuildException("referenced SBOM file lacks 
component");
+                    }
+                    setType(real.getType());
+                    setName(real.getName());
+                    setGroup(real.getGroup());
+                    setVersion(real.getVersion());
+                    setDescription(real.getDescription());
+                    setPurl(real.getPurl());
+                    setBomRef(real.getBomRef());
+                    setScope(real.getScope());
+                    setUnknownDependencies(true);
+                    OrganizationalEntity manufacturer = real.getManufacturer();
+                    if (manufacturer != null) {
+                        this.manufacturer = Organization.from(manufacturer);
+                    }
+                    OrganizationalEntity supplier = real.getSupplier();
+                    if (supplier != null) {
+                        this.supplier = Organization.from(supplier);
+                    }
+                    LicenseChoice licenses = real.getLicenses();
+                    if (licenses != null) {
+                        this.licenses.clear();
+                        this.licenses.addAll(licenses.getLicenses());
+                    }
+                    if (real.getExternalReferences() != null) {
+                        this.externalReferences.clear();
+                        
this.externalReferences.addAll(real.getExternalReferences());
+                    }
+                } catch (ParseException ex) {
+                    throw new BuildException("failed to parse sbomlink " + 
sbom.getName());
+                }
+            }
+            sbomLink = null;
+        }
+    }
+
     public org.cyclonedx.model.Component toMainCycloneDxComponent(Version 
bomVersion)
         throws IOException {
         if (isReference()) {
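Review bot: The `catch (ParseException ex)` at the end of resolve() discards the parser's exception, so a build that fails on a malformed or unexpected SBOM reports only the resource name; keep the cause with `throw new BuildException("failed to parse sbomlink " + sbom.getName(), ex);`. The license copy also looks fragile: a `LicenseChoice` that carries only an expression can return null from `getLicenses()`, and `addAll(null)` would then presumably throw a NullPointerException, so guard it with `if (licenses != null && licenses.getLicenses() != null) {`. Because `sbomLink` is a `Union` and accepts any resource, the whole document is buffered in memory and its metadata replaces name, version, purl and bom-ref with no size limit or integrity check. If links to non-local resources are meant to be supported, a size cap and a log line naming the resolved SBOM would make the generated BOM easier to audit.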
diff --git a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java 
b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
index 14172ad..c29cf2f 100644
--- a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
+++ b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
@@ -149,6 +149,7 @@ public class ComponentBomTask extends Task {
         if (!additionalComponents.isEmpty()) {
             List<org.cyclonedx.model.Component> cs = new ArrayList<>();
             for (Component c : additionalComponents) {
+                c.resolve();
                 
cs.add(c.toAdditionalCycloneDxComponent(specVersion.getVersion()));
             }
             bom.setComponents(cs);
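Review bot: `c.resolve()` is added only to the loop over `additionalComponents`, while `createSbomLink()` lives on `Component` itself, which also serves as the main component (see `toMainCycloneDxComponent`). Unless resolve() is called for the main component elsewhere (the enclosing method starts and ends outside this hunk), a nested `sbomLink` there would be accepted and then ignored. Either call `resolve()` on that path as well or fail the build when `sbomLink` is set on a component that is never resolved. A comment such as `// pull name, version, purl and licenses from a linked SBOM before conversion` above the call would also explain why the order matters.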
diff --git a/src/main/org/apache/ant/cyclonedx/Organization.java 
b/src/main/org/apache/ant/cyclonedx/Organization.java
index 93d7c52..949bdde 100644
--- a/src/main/org/apache/ant/cyclonedx/Organization.java
+++ b/src/main/org/apache/ant/cyclonedx/Organization.java
@@ -36,6 +36,16 @@ public class Organization extends DataType {
         return oe;
     }
 
+    public static Organization from(OrganizationalEntity oe) {
+        Organization o = new Organization();
+        o.setName(oe.getName());
+        List<String> urls = oe.getUrls();
+        if (urls != null) {
+            o.urls.addAll(urls);
+        }
+        return o;
+    }
+
     /**
      * Perform the check for circular references and return the
      * referenced Organization.
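Review bot: `Organization.from` copies only the name and the URLs, so any contacts carried by the `OrganizationalEntity` of a linked SBOM are dropped without notice. If `Organization` can hold contacts (not visible in this hunk), copy them too; otherwise state the limitation in a comment. The method also has no Javadoc, unlike the one that follows it, and it dereferences `oe` unchecked; `/** Creates an Organization from a parsed CycloneDX entity; oe must not be null. */` would document what the callers in Component.resolve() already guarantee.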
diff --git a/src/tests/antunit/componentbom-test.xml 
b/src/tests/antunit/componentbom-test.xml
index ff4d61c..1fa123d 100644
--- a/src/tests/antunit/componentbom-test.xml
+++ b/src/tests/antunit/componentbom-test.xml
@@ -419,12 +419,11 @@
             type="WEBSITE"
             url="https://ant.apache.org/"/>
       </additionalComponent>
-      <additionalComponent
-          name="cyclonedx-core-java"
-          group="org.cyclonedx"
-          version="12.1.0"
-          id="cyclonedx-core"
-          unknownDependencies="true"/>
+      <additionalComponent id="cyclonedx-core">
+        <sbomLink>
+          <file file="resources/cyclonedx-core-java-12.2.0-cyclonedx.json"/>
+        </sbomLink>
+      </additionalComponent>
     </cdx:componentbom>
     <copy todir="/tmp">
       <fileset dir="${output}" includes="ant-cyclonedx*"/>
diff --git 
a/src/tests/antunit/resources/cyclonedx-core-java-12.2.0-cyclonedx.json 
b/src/tests/antunit/resources/cyclonedx-core-java-12.2.0-cyclonedx.json
new file mode 100644
index 0000000..9a0bd47
--- /dev/null
+++ b/src/tests/antunit/resources/cyclonedx-core-java-12.2.0-cyclonedx.json
@@ -0,0 +1,366 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.5",
+  "serialNumber" : "urn:uuid:98ec33f4-dd93-4090-bb72-fe4c5febb88a",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2026-05-08T11:10:13Z",
+    "lifecycles" : [
+      {
+        "phase" : "build"
+      }
+    ],
+    "authors": [
+      {
+        "name": "Stefan Bodewig",
+        "email": "[email protected]"
+      }
+    ],
+    "component" : {
+      "publisher" : "OWASP Foundation",
+      "group" : "org.cyclonedx",
+      "name" : "cyclonedx-core-java",
+      "version" : "12.2.0",
+      "description" : "The CycloneDX core module provides a model 
representation of the BOM along with utilities to assist in creating, parsing, 
and validating BOMs.",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0",
+            "url" : "https://www.apache.org/licenses/LICENSE-2.0";
+          }
+        }
+      ],
+      "purl" : "pkg:maven/org.cyclonedx/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java";
+        },
+        {
+          "type" : "build-system",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java/actions";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://oss.sonatype.org/service/local/staging/deploy/maven2/";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java/issues";
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://github.com/CycloneDX/cyclonedx-core-java.git";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : "pkg:maven/org.cyclonedx/[email protected]?type=jar"
+    }
+  },
+  "components" : [
+    {
+      "publisher" : "The Apache Software Foundation",
+      "group" : "commons-io",
+      "name" : "commons-io",
+      "version" : "2.21.0",
+      "description" : "The Apache Commons IO library contains utility classes, 
stream implementations, file filters, file comparators, endian transformation 
classes, and much more.",
+      "scope" : "required",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0",
+            "url" : "https://www.apache.org/licenses/LICENSE-2.0";
+          }
+        }
+      ],
+      "purl" : "pkg:maven/commons-io/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://commons.apache.org/proper/commons-io/";
+        },
+        {
+          "type" : "build-system",
+          "url" : "https://github.com/apache/commons-parent/actions";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://repository.apache.org/service/local/staging/deploy/maven2";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://issues.apache.org/jira/browse/IO";
+        },
+        {
+          "type" : "mailing-list",
+          "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/";
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://gitbox.apache.org/repos/asf?p=commons-io.git";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : "pkg:maven/commons-io/[email protected]?type=jar"
+    },
+    {
+      "publisher" : "The Apache Software Foundation",
+      "group" : "org.apache.commons",
+      "name" : "commons-collections4",
+      "version" : "4.5.0",
+      "description" : "The Apache Commons Collections package contains types 
that extend and augment the Java Collections Framework.",
+      "scope" : "required",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0"
+          }
+        }
+      ],
+      "purl" : 
"pkg:maven/org.apache.commons/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://commons.apache.org/proper/commons-collections/";
+        },
+        {
+          "type" : "build-system",
+          "url" : "https://builds.apache.org/";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://repository.apache.org/service/local/staging/deploy/maven2";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "http://issues.apache.org/jira/browse/COLLECTIONS";
+        },
+        {
+          "type" : "mailing-list",
+          "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/";
+        },
+        {
+          "type" : "vcs",
+          "url" : 
"https://git-wip-us.apache.org/repos/asf?p=commons-collections.git";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : 
"pkg:maven/org.apache.commons/[email protected]?type=jar"
+    },
+    {
+      "group" : "com.github.package-url",
+      "name" : "packageurl-java",
+      "version" : "1.5.0",
+      "description" : "The official Java implementation of the PackageURL 
specification. PackageURL (purl) is a minimal specification for describing a 
package via a \"mostly universal\" URL.",
+      "scope" : "required",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "MIT",
+            "url" : "https://opensource.org/licenses/MIT";
+          }
+        }
+      ],
+      "purl" : 
"pkg:maven/com.github.package-url/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://github.com/package-url/packageurl-java";
+        },
+        {
+          "type" : "build-system",
+          "url" : "https://travis-ci.com/package-url/packageurl-java";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://oss.sonatype.org/service/local/staging/deploy/maven2/";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://github.com/package-url/packageurl-java/issues";
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://github.com/package-url/packageurl-java.git";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : 
"pkg:maven/com.github.package-url/[email protected]?type=jar"
+    },
+    {
+      "publisher" : "FasterXML",
+      "group" : "com.fasterxml.jackson.dataformat",
+      "name" : "jackson-dataformat-xml",
+      "version" : "2.21.1",
+      "description" : "Data format extension for Jackson to offer alternative 
support for serializing POJOs as XML and deserializing XML as pojos.",
+      "scope" : "required",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0"
+          }
+        }
+      ],
+      "purl" : 
"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://github.com/FasterXML/jackson-dataformat-xml";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://oss.sonatype.org/service/local/staging/deploy/maven2/";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://github.com/FasterXML/jackson-dataformat-xml/issues";
+        },
+        {
+          "type" : "vcs",
+          "url" : "http://github.com/FasterXML/jackson-dataformat-xml";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : 
"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar"
+    },
+    {
+      "group" : "com.networknt",
+      "name" : "json-schema-validator",
+      "version" : "2.0.1",
+      "description" : "A json schema validator that supports draft v4, v6, v7, 
v2019-09 and v2020-12",
+      "scope" : "required",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0"
+          }
+        }
+      ],
+      "purl" : "pkg:maven/com.networknt/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://github.com/networknt/json-schema-validator";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://oss.sonatype.org/service/local/staging/deploy/maven2/";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://github.com/networknt/json-schema-validator/issues";
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://github.com:networknt/json-schema-validator.git";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : 
"pkg:maven/com.networknt/[email protected]?type=jar"
+    },
+    {
+      "publisher" : "The Apache Software Foundation",
+      "group" : "commons-codec",
+      "name" : "commons-codec",
+      "version" : "1.21.1",
+      "description" : "The Apache Commons Codec component contains encoders 
and decoders for various formats such as Base16, Base32, Base64, digest, and 
Hexadecimal. In addition to these widely used encoders and decoders, the codec 
package also maintains a collection of phonetic encoding utilities.",
+      "scope" : "required",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0",
+            "url" : "https://www.apache.org/licenses/LICENSE-2.0";
+          }
+        }
+      ],
+      "purl" : "pkg:maven/commons-codec/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://commons.apache.org/proper/commons-codec/";
+        },
+        {
+          "type" : "build-system",
+          "url" : "https://github.com/apache/commons-parent/actions";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://repository.apache.org/service/local/staging/deploy/maven2";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://issues.apache.org/jira/browse/CODEC";
+        },
+        {
+          "type" : "mailing-list",
+          "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/";
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://github.com/apache/commons-codec";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : "pkg:maven/commons-codec/[email protected]?type=jar"
+    },
+    {
+      "publisher" : "The Apache Software Foundation",
+      "group" : "org.apache.commons",
+      "name" : "commons-lang3",
+      "version" : "3.20.0",
+      "description" : "Apache Commons Lang, a package of Java utility classes 
for the classes that are in java.lang's hierarchy, or are considered to be so 
standard as to justify existence in java.lang. The code is tested using the 
latest revision of the JDK for supported LTS releases: 8, 11, 17 and 21 
currently. See 
https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml 
Please ensure your build environment is up-to-date and kindly report any build 
issues.",
+      "scope" : "required",
+      "licenses" : [
+        {
+          "license" : {
+            "id" : "Apache-2.0",
+            "url" : "https://www.apache.org/licenses/LICENSE-2.0";
+          }
+        }
+      ],
+      "purl" : "pkg:maven/org.apache.commons/[email protected]?type=jar",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://commons.apache.org/proper/commons-lang/";
+        },
+        {
+          "type" : "build-system",
+          "url" : "https://github.com/apache/commons-parent/actions";
+        },
+        {
+          "type" : "distribution-intake",
+          "url" : 
"https://repository.apache.org/service/local/staging/deploy/maven2";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://issues.apache.org/jira/browse/LANG";
+        },
+        {
+          "type" : "mailing-list",
+          "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/";
+        },
+        {
+          "type" : "vcs",
+          "url" : "https://gitbox.apache.org/repos/asf?p=commons-lang.git";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : "pkg:maven/org.apache.commons/[email protected]?type=jar"
+    }
+  ],
+  "dependencies" : [
+    {
+      "ref" : "pkg:maven/org.cyclonedx/[email protected]?type=jar",
+      "dependsOn" : [
+        "pkg:maven/commons-codec/[email protected]?type=jar",
+        "pkg:maven/commons-io/[email protected]?type=jar",
+        "pkg:maven/org.apache.commons/[email protected]?type=jar",
+        "pkg:maven/org.apache.commons/[email protected]?type=jar",
+        "pkg:maven/com.github.package-url/[email protected]?type=jar",
+        
"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar",
+        "pkg:maven/com.networknt/[email protected]?type=jar"
+      ]
+    }
+  ]
+}

