Hi all tldr; I'm happy with what I've been able to create in a short time and would like to move the Antlib from sandbox to proper. I then outline my thoughts about the way forward. Speak up if you feel I'm on the wrong track.
I've been making quite a bit of progress. Enough that I'm sure the approach is viable. Therefore I want to move the Antlib from Sandbox to proper and work towards a 0.1 release. I believe we've had a defined process for promoting Antlibs but those have been defined in times where more people have been active. Unless anybody yells I'll move the reference on the website a week or two in the future. Any release will require a proper vote anyway.

The SBOMs in https://github.com/apache/ant-antlibs-cyclonedx/blob/main/examples/ are generated from the cdx:componentBom in the testAntlibsOwnBom target of https://github.com/apache/ant-antlibs-cyclonedx/blob/main/src/tests/antunit They do pass the online SBOM validators I tried. I would have liked to directly jump to CycloneDX 1.7, but the Java library doesn't support that, yet.

For the BOM of a single component what is missing are documentation and more tests - and I want to add a way to create component definitions from reading *their* SBOMs. I.e. don't try to provide the info for cyclonedx-core-java but rather link to the SBOM and make it provide all information including the transitive dependencies. Ironically cyclonedx-core-java doesn't provide an SBOM itself.

In order to become usable for Ant's own release this is almost enough, creation of boms for the tarballs is missing - and in the case of the source distribution I'm not even sure what the requirements would be. I intend to run the CycloneDX CLI - which talks about source code BOMs here https://github.com/CycloneDX/cyclonedx-cli#add-file-subcommand - at one point to see what it actually does.

The rough plan would be to create enough to be able to build SBOMs with an Ant release and release 0.1 of the Antlib. Add that to Ant's release process. Learn and adapt - with no promise of keeping APIs compatible.
Once 0.1 is out I'd explore an ivy-cyclonedx task in a separate Antlib which I'd like to get to the point where it can create SBOMs for our Antlib builds that already use Ivy. Release that, learn and adapt. Maybe then will be the right time to start thinking about embracing more of Ivy during Ant's own build process.

Stefan
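The "link to a dependency's own SBOM" idea from the message above, as an added Python sketch that is not part of Stefan's mail or of the ant-antlibs-cyclonedx project: it folds a constructed dependency BOM into a constructed component BOM (components plus the dependency graph), resolves the transitive dependencies, and checks for dangling bom-refs, the sort of defect the online validators catch. The package URLs, versions and specVersion are assumed sample values.

```python
from copy import deepcopy

# Constructed sample BOMs in the CycloneDX JSON shape, reduced to the fields this sketch needs.
ANTLIB_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.6",
    "metadata": {"component": {"type": "library", "bom-ref": "pkg:maven/example/antlib@0.1"}},
    "components": [],
    "dependencies": [{"ref": "pkg:maven/example/antlib@0.1", "dependsOn": []}]}
CORE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.6",  # what a dependency would publish itself
    "metadata": {"component": {"type": "library", "bom-ref": "pkg:maven/example/core@2.0"}},
    "components": [{"type": "library", "bom-ref": "pkg:maven/example/json@3.1"}],
    "dependencies": [{"ref": "pkg:maven/example/core@2.0", "dependsOn": ["pkg:maven/example/json@3.1"]},
                     {"ref": "pkg:maven/example/json@3.1", "dependsOn": []}]}

def link_dependency_bom(parent, dep_bom):
    """Return a copy of parent with dep_bom's root, components and dependency graph folded in,
    and parent's root declared to depend on dep_bom's root. Inputs are not modified."""
    merged = deepcopy(parent)
    root_ref = merged["metadata"]["component"]["bom-ref"]
    known = {c["bom-ref"] for c in merged["components"]} | {root_ref}
    for comp in [dep_bom["metadata"]["component"]] + dep_bom["components"]:
        if comp["bom-ref"] not in known:  # skip components the parent already lists
            merged["components"].append(deepcopy(comp))
            known.add(comp["bom-ref"])
    graph = {d["ref"]: d for d in merged["dependencies"]}
    for d in dep_bom["dependencies"]:  # union the edges; never drop ones already recorded
        entry = graph.setdefault(d["ref"], {"ref": d["ref"], "dependsOn": []})
        entry["dependsOn"] = sorted(set(entry["dependsOn"]) | set(d["dependsOn"]))
    root = graph.setdefault(root_ref, {"ref": root_ref, "dependsOn": []})
    dep_root = dep_bom["metadata"]["component"]["bom-ref"]
    if dep_root not in root["dependsOn"]:
        root["dependsOn"].append(dep_root)
    merged["dependencies"] = list(graph.values())
    return merged

def transitive_deps(bom, ref):
    """All bom-refs reachable from ref through the dependency graph (cycle-safe)."""
    graph = {d["ref"]: d["dependsOn"] for d in bom["dependencies"]}
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(graph.get(r, []))
    return seen

def dangling_refs(bom):
    """Refs used in the dependency graph that name no component; SBOM validators reject these."""
    declared = {c["bom-ref"] for c in bom["components"]} | {bom["metadata"]["component"]["bom-ref"]}
    used = {r for d in bom["dependencies"] for r in [d["ref"], *d["dependsOn"]]}
    return used - declared
```

Linking the same dependency BOM twice is a no-op, so the step can be re-run safely when a dependency republishes its SBOM.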
