This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git


The following commit(s) were added to refs/heads/main by this push:
     new a873e80  maybe you sometimes don't want bom-externalReferences for 
internal SBOMs
a873e80 is described below

commit a873e80d3cb9f6a14e7389f5d822eb8214caa1aa
Author: Stefan Bodewig <[email protected]>
AuthorDate: Fri Jun 5 08:18:51 2026 +0200

    maybe you sometimes don't want bom-externalReferences for internal SBOMs
---
 build.xml                                        |  4 +--
 changes.xml                                      |  4 ++-
 docs/component.html                              | 26 +++++++++++++-
 src/main/org/apache/ant/cyclonedx/Component.java | 45 +++++++++++++++++++++---
 src/tests/antunit/component-test.xml             | 21 ++++++++++-
 5 files changed, 91 insertions(+), 9 deletions(-)

diff --git a/build.xml b/build.xml
index e7c24ee..0cad3af 100644
--- a/build.xml
+++ b/build.xml
@@ -480,7 +480,7 @@ under the License.
         binsrc="bin"
         binarysource="Binary Distribution">
       <component>
-        <sbomLink>
+        <sbomLink createBomExternalReference="false">
           <file file="${bin.dist.dir}/${artifact.stub}-cyclonedx.json"/>
         </sbomLink>
         <file file="${bin.dist.dir}/${artifact.stub}.jar"/>
@@ -496,7 +496,7 @@ under the License.
         binsrc="bin-withdeps"
         binarysource="Binary Distribution Including Dependencies">
       <component>
-        <sbomLink>
+        <sbomLink createBomExternalReference="false">
           <file file="${bin.dist.dir}/${artifact.stub}-cyclonedx.json"/>
         </sbomLink>
         <file file="${bin.dist.dir}/${artifact.stub}.jar"/>
diff --git a/changes.xml b/changes.xml
index eebc431..6c49bc1 100644
--- a/changes.xml
+++ b/changes.xml
@@ -48,9 +48,11 @@
     </action>
     <action type="add">
       When using sbomLink for a component, the link is an URL and the
-      component-elemen doesn't define a "bom"-type external reference
+      component-element doesn't define a "bom"-type external reference
       itself a "bom" externalreference with the URL as value is added
       to the component.
+
+      This behavior can be suppressed by an attribute.
     </action>
   </release>
 
diff --git a/docs/component.html b/docs/component.html
index 5dd1c65..e93e8fb 100644
--- a/docs/component.html
+++ b/docs/component.html
@@ -172,11 +172,18 @@ <h4 id="sbomLink">sbomLink</h4>
         is <code>true</code>.</li>
       <li>Tags are merged wiht those of the SBOM's metadata
         component.</li>
-      <li><code>author</code>s, <code>license</code>s, 
<code>exteranlReference</code>s,
+      <li><code>author</code>s, <code>license</code>s, 
<code>externalReference</code>s,
         <code>dependency</code>s and nested <code>components</code>
         are taken from the SBOM's metadata component if and only if
         there is no corresponding element in this component
         element.</li>
+      <li>a "bom"-type <code>externalReference</code> is added to the
+        enclosing component if the nested resource provides an URL,
+        the enclosing component doesn't already
+        contain <code>externalReference</code>s, the parsed SBOM
+        doesn't already contain such an <code>externalReference</code>
+        and this element's <code>createBomExternalReference</code> is
+        not <code>false</code>.</li>
       <li>Hashes of the linked SBOM are ignored completely.</li>
       <li>Other components specified in the linked SBOM are also added
         to the SBOM created by the compomentbom task if they are
@@ -199,6 +206,23 @@ <h4 id="sbomLink">sbomLink</h4>
     <p>The <a hre="https://github.com/CycloneDX/cyclonedx-core-java";>CycloneDX
         Core (Java) library</a> is used to read the linked SBOM.</p>
 
+    <h5>Attributes</h5>
+
+    <table class="attr">
+      <tr>
+        <th scope="col">Attribute</th>
+        <th scope="col">Description</th>
+        <th scope="col">Required</th>
+      </tr>
+      <tr>
+        <td>createBomExternalReference</td>
+        <td>Whether to create a bom-Type external reference in the
+          resolved compoment based on the nested resource's URI.<br>
+          <em>since CycloneDX Antlib 0.2</em></td>
+        <td>No, defaults to <code>true</code></td>
+      </tr>
+    </table>
+
     <h4 id="manufacturer">manufacturer</h4>
 
     <p>At most one nested <a href="organization.html">organization</a>
diff --git a/src/main/org/apache/ant/cyclonedx/Component.java 
b/src/main/org/apache/ant/cyclonedx/Component.java
index 74f5fad..764e227 100644
--- a/src/main/org/apache/ant/cyclonedx/Component.java
+++ b/src/main/org/apache/ant/cyclonedx/Component.java
@@ -72,7 +72,7 @@ public class Component extends DataType {
     private Set<String> tags = new HashSet<>();
     private List<Property> properties = new ArrayList<>();
     private String mimeType;
-    private Union sbomLink;
+    private SbomLink sbomLink;
 
     /**
      * Sets the resource the component is about.
@@ -383,9 +383,9 @@ public class Component extends DataType {
      *
      * @return container for SBOM link resource
      */
-    public Union createSbomLink() {
+    public SbomLink createSbomLink() {
         checkChildrenAllowed();
-        return sbomLink == null ? (sbomLink = new Union()) : sbomLink;
+        return sbomLink == null ? (sbomLink = new SbomLink(getProject())) : 
sbomLink;
     }
 
     /**
@@ -524,7 +524,8 @@ public class Component extends DataType {
             }
             List<org.cyclonedx.model.Dependency> allDependencies = 
bom.getDependencies();
             fillFromBomLink(real, allDependencies);
-            if (!externalReferences.stream()
+            if (sbomLink.getCreateBomExternalReference()
+                && !externalReferences.stream()
                 .anyMatch(e -> 
e.getType().equals(org.cyclonedx.model.ExternalReference.Type.BOM))) {
                 Resource sbom = sbomLink.iterator().next();
                 URLProvider up = sbom.as(URLProvider.class);
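Review bot: The negated `anyMatch` on the new condition reads more naturally as `noneMatch`, and since `ExternalReference.Type` appears to be an enum, comparing with `==` also avoids a NullPointerException for a reference whose type is unset: `if (sbomLink.getCreateBomExternalReference()` / `    && externalReferences.stream().noneMatch(e -> e.getType() == org.cyclonedx.model.ExternalReference.Type.BOM)) {`. The new guard relies on `sbomLink` being non-null here; that is presumably established by the surrounding code, since the hunk already dereferences `sbomLink.iterator()`. The enclosing method starts and ends outside this hunk.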
@@ -999,4 +1000,40 @@ public class Component extends DataType {
             setChecked(true);
         }
     }
+
+    /**
+     * @since CycloneDX Antlib 0.2
+     */
+    public static class SbomLink extends Union {
+        private boolean createBomExternalReference = true;
+
+        public SbomLink(Project project) {
+            super(project);
+        }
+
+        /**
+         * Whether to create a bom-Type external reference in the
+         * resolved compoment based on the nested resource's URI.
+         *
+         * <p>Will not create an external reference of there are
+         * already external references om the component or the
+         * resolved SBOM already contains a bom-type reference.</p>
+         *
+         * <p>Defaults to <code>true</code>.
+         *
+         * @param create whether to create a bom-Type external reference
+         */
+        public void setCreateBomExternalReference(boolean create) {
+            createBomExternalReference = create;
+        }
+
+        /**
+         * Whether to create a bom-Type external reference in the
+         * resolved compoment based on the nested resource's URI.
+         * @return create whether to create a bom-Type external reference
+         */
+        public boolean getCreateBomExternalReference() {
+            return createBomExternalReference;
+        }
+    }
 }
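Review bot: The new `SbomLink` class is public API but its Javadoc has only an `@since` tag and no summary; add a first sentence such as `Container for the resource an sbomLink element points to, plus the attributes controlling how the linked SBOM is merged.` The setter/getter Javadoc carries several typos that should be fixed before release: "compoment" → "component", "of there are" → "if there are", "om the component" → "on the component", and the getter's `@return create whether ...` should drop the stray parameter name (`@return whether to create a bom-type external reference`). The same "compoment" typo is repeated in the docs/component.html attribute table in this commit. As a point of style, a boolean accessor is conventionally named `isCreateBomExternalReference()`; keeping the `get` prefix is fine for Ant, but the caller at the earlier hunk would need to change with it.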
diff --git a/src/tests/antunit/component-test.xml 
b/src/tests/antunit/component-test.xml
index ba1ca13..ca9aa1c 100644
--- a/src/tests/antunit/component-test.xml
+++ b/src/tests/antunit/component-test.xml
@@ -956,7 +956,26 @@
         
value="https://www.apache.org/licenses/LICENSE-2.0.txt,https://ant.apache.org/mail.html,https://www.apache.org/security/,https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git,https://ci-builds.apache.org/job/Ant/job/CycloneDX%20Antlib/,https://bz.apache.org/bugzilla/buglist.cgi?component=CycloneDX%20Antlib&amp;product=Ant,https://ant.apache.org/antlibs/cyclonedx/,https://ant.apache.org/antlibs/bindownload.cgi,https://ant.apache.org/antlibs/srcdownload.cgi,https://repo1.ma
 [...]
   </target>
 
-  <target name="testSbomLinkAddsDoesntOverrideExistingBomExternalLink" 
depends="createMaximalComponentData">
+  <target name="testSbomLinkDoesntAddBomExternalLinkWhenDisabled" 
depends="createMaximalComponentData">
+    <cdx:componentbom
+        bomName="merged"
+        outputdirectory="${output}"
+        format="xml"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component>
+        <sbomLink createBomExternalReference="false">
+          <url 
url="https://repo1.maven.org/maven2/org/apache/ant/ant-cyclonedx/0.1/ant-cyclonedx-0.1-cyclonedx.json"/>
+        </sbomLink>
+      </component>
+    </cdx:componentbom>
+    <xmlproperty file="${output}/merged.xml"/>
+    <au:assertPropertyEquals
+        xmlns:au="antlib:org.apache.ant.antunit"
+        name="bom.metadata.component.externalReferences.reference(type)"
+        
value="license,mailing-list,security-contact,vcs,build-system,issue-tracker,website,distribution,source-distribution"/>
+  </target>
+
+  <target name="testSbomLinkDoesntOverrideExistingBomExternalLink" 
depends="createMaximalComponentData">
     <cdx:componentbom
         bomName="merged"
         outputdirectory="${output}"
