Hi all,

I've created a new git repository for an Ant Task Library named CycloneDX Antlib: https://github.com/apache/ant-antlibs-cyclonedx

I went ahead and added it to the sandbox Antlibs at the site. In fact I removed all other sandbox components since they are no longer developed - we never even migrated them to git.

Right now the "Antlib" cannot do anything useful. It contains a single task that will emit a CycloneDX BOM in JSON format containing nothing but the metadata section - but this section should be correct :-)

My plan here is to add a task that can create an SBOM for an artifact where all information including dependencies needs to be specified manually. At one point it should be able to read existing SBOMs of the dependencies, removing part of the manual work. I'd also like to create a task that can merge several component SBOMs to create a composition - and use that for our tarballs. Right now I'm not sure a separate task for a pre-build stage SBOM for the source tarballs would be useful, we'll see.

The antlib in my head deliberately relies on manual configuration instead of automatic dependency management because I believe this to be useful on its own (Ant will need something like this for the netrexx artifact, for example) - and also I only need to learn one library first. I do envision a separate antlib that uses Ivy and can create SBOMs based on Ivy descriptors or POMs, but that would be a separate step. In order to use something like this for Ant's own release the build process would need to use Ivy in the first place, leading to more changes - and at least I would like to start small first.

While setting up the repository I realized our Antlib "common" system is quite dated, but that's content for a different thread on another day.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
