On 2026-06-19, Stefan Bodewig wrote:
> the Apache tooling project is working on something that is called
> "Apache Trusted Releases" which seems to require CycloneDX SBOMs to use
> the .cdx.json as extension[1]. The prior art of the Maven and Gradle
> plugins may force them to reconsider but I've started to change things
> so we use the convention in the future.
https://github.com/apache/tooling-trusted-releases/issues/1332#issuecomment-4756893992 now looks as if some-artifact-cyclonedx.json would be supported as well.

I'm really on the fence WRT how we name the SBOM we publish to Maven Central; maybe following the conventions used by Maven and Gradle will help people actually recognize them.

For the SBOMs of zip, tar.gz and so on I'd stick with .cdx.(json|xml) now, as the standard clearly states this as a preference.

Stefan
