Why is this not done as an Apache project?

Gary
On Wed, Feb 5, 2025, 06:53 Piotr P. Karwasz <[email protected]> wrote:

> Hi Gary,
>
> On 5.02.2025 12:26, Gary Gregory wrote:
> > Would it be possible to treat a VEX like a POM and let other tooling deal
> > with building an "effective" VEX like Maven builds an effective POM?
>
> This is one of the goals of a small Maven plugin I am developing with
> Christian[1]. Right now we are working on achieving an "effective"
> CycloneDX SBOM, i.e. an SBOM that contains both the information from
> your SBOM and those published by your dependencies.
>
> In a phase 10 we would like to merge VDR/VEX documents for the entire
> dependency tree.
>
> Piotr
>
> [1] https://github.com/sbom-enforcer/sbom-enforcer
