Hi Gary,

On 5.02.2025 12:26, Gary Gregory wrote:
> Would it be possible to treat a VEX like a POM and let other tooling deal with building an "effective" VEX like Maven builds an effective POM?
This is one of the goals of a small Maven plugin I am developing with Christian[1]. Right now we are working on achieving an "effective" CycloneDX SBOM, i.e. an SBOM that contains both the information from your SBOM and the information published by your dependencies.
In a phase 10 we would like to merge VDR/VEX documents for the entire dependency tree.
Piotr

[1] https://github.com/sbom-enforcer/sbom-enforcer
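As an added illustration of the "effective VEX" idea raised in this thread (this is not code from sbom-enforcer or from either poster), the following Python merges several CycloneDX VEX/VDR documents into one. The two sample documents are constructed for the example; the field names (bomFormat, specVersion, vulnerabilities[].id, affects, analysis) follow the CycloneDX 1.5 JSON schema, and the precedence rule, that the consuming project's own analysis overrides what a dependency published while disagreements are reported rather than silently dropped, is an assumption of this example, not a CycloneDX rule.

```python
"""Build an "effective" CycloneDX VEX by merging several VEX/VDR documents.

Added illustration for the idea discussed in the thread; not code from
sbom-enforcer. Field names follow the CycloneDX 1.5 JSON schema
(bomFormat, specVersion, vulnerabilities[].id/affects/analysis); only
those fields are carried into the merged result.
"""
import copy
import json
from typing import Any, Dict, List, Tuple

# Constructed sample documents: the project's own VEX and one published by a
# dependency that itself ships log4j-core 2.14.1.
LOG4J_REF = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"

ROOT_VEX: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {
            "id": "CVE-2021-44228",
            "affects": [{"ref": LOG4J_REF}],
            "analysis": {"state": "not_affected",
                         "justification": "code_not_reachable"},
        }
    ],
}

DEP_VEX: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-2021-44228", "affects": [{"ref": LOG4J_REF}],
         "analysis": {"state": "exploitable"}},
        {"id": "CVE-2021-45046", "affects": [{"ref": LOG4J_REF}],
         "analysis": {"state": "in_triage"}},
    ],
}


def merge_vex(docs: List[Dict[str, Any]]) -> Tuple[Dict[str, Any], List[Dict[str, str]]]:
    """Merge VEX documents ordered from the consuming project outward.

    Precedence is an assumption of this example, not a CycloneDX rule: the
    first document that states an analysis state for a vulnerability id
    wins, so the project's own assessment overrides what a dependency
    published. Affected refs are unioned. Disagreements are returned
    separately so a reviewer sees them instead of losing them in the merge.
    """
    merged: Dict[str, Dict[str, Any]] = {}
    conflicts: List[Dict[str, str]] = []
    for index, doc in enumerate(docs):
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError(f"document {index} is not a CycloneDX BOM")
        for vuln in doc.get("vulnerabilities", []):
            vid = vuln["id"]
            incoming = vuln.get("analysis", {})
            entry = merged.setdefault(vid, {"id": vid, "affects": [], "analysis": {}})
            # Union of affected refs, preserving first-seen order.
            known = {a["ref"] for a in entry["affects"]}
            for affected in vuln.get("affects", []):
                if affected["ref"] not in known:
                    entry["affects"].append({"ref": affected["ref"]})
                    known.add(affected["ref"])
            kept = entry["analysis"].get("state")
            theirs = incoming.get("state")
            if theirs is None:
                continue  # this document makes no statement about the vuln
            if kept is None:
                entry["analysis"] = copy.deepcopy(incoming)  # first statement wins
            elif theirs != kept:
                conflicts.append({"id": vid, "kept": kept, "dropped": theirs})
    effective = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "vulnerabilities": list(merged.values()),
    }
    return effective, conflicts


def analysis_states(vex: Dict[str, Any]) -> Dict[str, str]:
    """Map vulnerability id -> analysis state, handy for checking a merge."""
    return {v["id"]: v["analysis"].get("state", "") for v in vex["vulnerabilities"]}


if __name__ == "__main__":
    effective, conflicts = merge_vex([ROOT_VEX, DEP_VEX])
    print(json.dumps(effective, indent=2))
    for c in conflicts:
        print(f"conflict on {c['id']}: kept {c['kept']}, dropped {c['dropped']}")
```

Reversing the document order flips the winner, which is the point of keeping the order explicit: the tool building the effective VEX, not the merge routine, decides whose statement about a vulnerability should prevail, and the conflict list is what a reviewer would want to see before trusting a "not_affected" that a dependency calls "exploitable".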
