Hi all,

for the CycloneDX Antlib release the SBOMs are ant-cyclonedx-0.1-cyclonedx.json (and xml respectively) next to the ant-cyclonedx-0.1.jar. For the tarballs I added .cyclonedx.json after the archive name (apache-ant-cyclonedx-9-1-bin.zip.cyclonedx.json).
During the vote thread Jaikiran suggested to use bom instead of cyclonedx. For the jars in Maven Central the file names are the same that the Maven and Gradle plugins would create. Also some of the tooling developed at the ASF seems to expect that [1]. Other tooling like that of the Apache Trusted Releases stuff [2] expects .cdx.json (for the source/binary tarballs, I believe).

Personally I'm not attached to any names. Since I am currently adding SBOM creation to AntUnit and working on PRs to do the same for Ant and Ivy it would be good if we could agree on something.

As far as the Maven artifacts are concerned I'm leaning towards sticking with the conventions set by existing tools (i.e. what I did with the CycloneDX release). For the tarballs it doesn't look as if there have been any conventions at all. Commons as an Apache project that publishes SBOMs to Maven doesn't create SBOMs for the tarballs at all, for example.

Stefan

[1] https://github.com/apache/security-site/blob/sboms/scripts/collect-sboms-from-maven-central.py#L144
[2] https://github.com/apache/tooling-trusted-releases
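As an added example (not code from Stefan's mail, nor from the Ant project or the ASF tooling linked above), here is a small Python checker that pairs release artifacts with a sibling SBOM under the two naming conventions mentioned in the thread (Maven-style `<artifact>-cyclonedx.json`/`.xml` for jars, and `<archive>.cyclonedx.json` or `.cdx.json` for tarballs) and sanity-checks the header of a JSON SBOM. The directory listing and the BOM document below are constructed for the example, and the function names are my own.

```python
"""Added example: verify that every release artifact has a sibling
CycloneDX SBOM under the naming conventions discussed in the thread.
This is illustrative code, not Ant project or ASF tooling."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Conventions from the thread: jars in Maven Central use the suffixes the
# Maven/Gradle CycloneDX plugins produce; tarballs get the SBOM name appended
# to the full archive name (.cyclonedx.json as in the Antlib release, or
# .cdx.json as the Trusted Releases tooling expects).
MAVEN_SBOM_SUFFIXES = ("-cyclonedx.json", "-cyclonedx.xml")
ARCHIVE_SBOM_SUFFIXES = (".cyclonedx.json", ".cdx.json")
ARCHIVE_EXTENSIONS = (".zip", ".tar.gz", ".tar.bz2", ".tar.xz")

# Constructed listing of a release directory (the -src tarball is invented
# here to show a missing SBOM being reported).
SAMPLE_LISTING = [
    "ant-cyclonedx-0.1.jar",
    "ant-cyclonedx-0.1-cyclonedx.json",
    "ant-cyclonedx-0.1-cyclonedx.xml",
    "apache-ant-cyclonedx-9-1-bin.zip",
    "apache-ant-cyclonedx-9-1-bin.zip.cyclonedx.json",
    "apache-ant-cyclonedx-9-1-src.tar.gz",
]

# Constructed minimal CycloneDX document used for the header check.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "library",
                               "name": "ant-cyclonedx", "version": "0.1"}},
    "components": [],
})


def expected_sbom_names(artifact: str) -> List[str]:
    """Candidate SBOM file names for one artifact, or [] if it is not an
    artifact we know how to pair (e.g. the SBOM files themselves)."""
    if artifact.endswith(".jar"):
        stem = artifact[: -len(".jar")]
        return [stem + suffix for suffix in MAVEN_SBOM_SUFFIXES]
    if artifact.endswith(ARCHIVE_EXTENSIONS):
        return [artifact + suffix for suffix in ARCHIVE_SBOM_SUFFIXES]
    return []


def pair_sboms(listing: List[str]) -> Dict[str, Optional[str]]:
    """Map each artifact in the listing to the first matching SBOM file
    present, or None when no candidate exists."""
    names = set(listing)
    pairs: Dict[str, Optional[str]] = {}
    for name in sorted(names):
        candidates = expected_sbom_names(name)
        if not candidates:
            continue
        pairs[name] = next((c for c in candidates if c in names), None)
    return pairs


def missing_sboms(listing: List[str]) -> List[str]:
    """Artifacts that ship without any SBOM under either convention."""
    return [a for a, sbom in pair_sboms(listing).items() if sbom is None]


def check_cyclonedx_json(text: str) -> Tuple[bool, str]:
    """Minimal header check: the document must be JSON, declare
    bomFormat CycloneDX and carry a 1.x specVersion. This is not full
    schema validation, only a cheap guard against mislabelled files."""
    try:
        bom = json.loads(text)
    except ValueError as exc:
        return False, f"not JSON: {exc}"
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        return False, "bomFormat is not CycloneDX"
    spec = str(bom.get("specVersion", ""))
    if not re.fullmatch(r"1\.\d+", spec):
        return False, f"unexpected specVersion {spec!r}"
    return True, f"CycloneDX {spec}"


if __name__ == "__main__":
    for artifact, sbom in pair_sboms(SAMPLE_LISTING).items():
        print(f"{artifact}: {sbom or 'NO SBOM'}")
    print("header check:", check_cyclonedx_json(SAMPLE_BOM))
```

Run on a real release directory, the same pairing logic would let a release manager or a downstream consumer see at a glance which artifacts are covered, which is exactly the kind of discovery that a fixed naming convention is meant to make possible.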
