This is an automated email from the ASF dual-hosted git repository.
asf-gitbox-commits pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git
The following commit(s) were added to refs/heads/main by this push:
new e8e8df9 allow imported SBOMs to provide components for their
dependencies
e8e8df9 is described below
commit e8e8df936c17e971132f897ac70140be5bfd25a7
Author: Stefan Bodewig <[email protected]>
AuthorDate: Fri May 8 18:20:38 2026 +0200
allow imported SBOMs to provide components for their dependencies
but don't do so transitively, as we are talking about manual
dependency management for this task.
---
examples/ant-cyclonedx-0.1alpha-cyclonedx.json | 333 +++++++++++++++++++--
examples/ant-cyclonedx-0.1alpha-cyclonedx.xml | 265 ++++++++++++++--
src/main/org/apache/ant/cyclonedx/Component.java | 134 +++++++--
.../org/apache/ant/cyclonedx/ComponentBomTask.java | 22 +-
4 files changed, 685 insertions(+), 69 deletions(-)
diff --git a/examples/ant-cyclonedx-0.1alpha-cyclonedx.json
b/examples/ant-cyclonedx-0.1alpha-cyclonedx.json
index 0303b43..4c0fd98 100644
--- a/examples/ant-cyclonedx-0.1alpha-cyclonedx.json
+++ b/examples/ant-cyclonedx-0.1alpha-cyclonedx.json
@@ -1,10 +1,10 @@
{
"bomFormat" : "CycloneDX",
"specVersion" : "1.6",
- "serialNumber" : "urn:uuid:1b67466f-e18e-401b-857b-ce95cdd9cc82",
+ "serialNumber" : "urn:uuid:87cc16ad-4397-473c-bab8-fbd7899b27cb",
"version" : 1,
"metadata" : {
- "timestamp" : "2026-05-08T12:48:39Z",
+ "timestamp" : "2026-05-08T16:15:00Z",
"lifecycles" : [
{
"phase" : "build"
@@ -33,35 +33,35 @@
"hashes" : [
{
"alg" : "MD5",
- "content" : "0504c60f77b82c2d29f3b71d7c4af59b"
+ "content" : "6aeaa4d90eb5a78e1de7de2e4d4ad034"
},
{
"alg" : "SHA-1",
- "content" : "a58ca1d9c117d4a53c1d542746d06ea9a600900d"
+ "content" : "ed43b1dbded26e2a2a24c6d213d7b813c4e2bc6e"
},
{
"alg" : "SHA-256",
- "content" :
"ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a"
+ "content" :
"dca5a782a71ec62524e1d570c6473258d019656e12fe0fe4bdbc2a44545c5324"
},
{
"alg" : "SHA-512",
- "content" :
"54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934"
+ "content" :
"f427019b0505e0860dd1ded1866296ec363fb5d832cb49072a23aa27be3632192570c7339330308bf6a6b8a39555f816b2d9afcd6c798f1a06fbaec8361d5f22"
},
{
"alg" : "SHA3-256",
- "content" :
"55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf"
+ "content" :
"a69ab61d30bf7d890622726a448a44ff02a741c91d205c45e943fc94ac0ff328"
},
{
"alg" : "SHA3-512",
- "content" :
"88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed"
+ "content" :
"305eb78224477a3b88a0506db5fd99f08706b20c8707851150b207f4127adbe648f4ba44c139a07799153cb46367bd382284f43874be3e49b7ec30cee69c0844"
},
{
"alg" : "SHA-384",
- "content" :
"30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a"
+ "content" :
"faa448fc61c705102c4f7edf584c1660c697fb723297522021e462e3911de05a3bbd049dd607139c203d67f44ce5fc09"
},
{
"alg" : "SHA3-384",
- "content" :
"a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9"
+ "content" :
"d19b4b2d1aff17e35a76c2fa731200e3ee9d32ce784e2efa8f86e985513fb1568efbf7e1612df068e0871c8e0918263b"
}
],
"licenses" : [
@@ -108,35 +108,35 @@
"hashes" : [
{
"alg" : "MD5",
- "content" : "0504c60f77b82c2d29f3b71d7c4af59b"
+ "content" : "6aeaa4d90eb5a78e1de7de2e4d4ad034"
},
{
"alg" : "SHA-1",
- "content" : "a58ca1d9c117d4a53c1d542746d06ea9a600900d"
+ "content" : "ed43b1dbded26e2a2a24c6d213d7b813c4e2bc6e"
},
{
"alg" : "SHA-256",
- "content" :
"ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a"
+ "content" :
"dca5a782a71ec62524e1d570c6473258d019656e12fe0fe4bdbc2a44545c5324"
},
{
"alg" : "SHA-512",
- "content" :
"54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934"
+ "content" :
"f427019b0505e0860dd1ded1866296ec363fb5d832cb49072a23aa27be3632192570c7339330308bf6a6b8a39555f816b2d9afcd6c798f1a06fbaec8361d5f22"
},
{
"alg" : "SHA3-256",
- "content" :
"55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf"
+ "content" :
"a69ab61d30bf7d890622726a448a44ff02a741c91d205c45e943fc94ac0ff328"
},
{
"alg" : "SHA3-512",
- "content" :
"88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed"
+ "content" :
"305eb78224477a3b88a0506db5fd99f08706b20c8707851150b207f4127adbe648f4ba44c139a07799153cb46367bd382284f43874be3e49b7ec30cee69c0844"
},
{
"alg" : "SHA-384",
- "content" :
"30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a"
+ "content" :
"faa448fc61c705102c4f7edf584c1660c697fb723297522021e462e3911de05a3bbd049dd607139c203d67f44ce5fc09"
},
{
"alg" : "SHA3-384",
- "content" :
"a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9"
+ "content" :
"d19b4b2d1aff17e35a76c2fa731200e3ee9d32ce784e2efa8f86e985513fb1568efbf7e1612df068e0871c8e0918263b"
}
],
"licenses" : [
@@ -233,6 +233,291 @@
"url" : "https://github.com/CycloneDX/cyclonedx-core-java.git"
}
]
+ },
+ {
+ "type" : "library",
+ "bom-ref" : "pkg:maven/commons-io/[email protected]?type=jar",
+ "group" : "commons-io",
+ "name" : "commons-io",
+ "version" : "2.21.0",
+ "description" : "The Apache Commons IO library contains utility classes,
stream implementations, file filters, file comparators, endian transformation
classes, and much more.",
+ "scope" : "required",
+ "licenses" : [
+ {
+ "license" : {
+ "id" : "Apache-2.0",
+ "url" : "https://www.apache.org/licenses/LICENSE-2.0"
+ }
+ }
+ ],
+ "purl" : "pkg:maven/commons-io/[email protected]?type=jar",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://commons.apache.org/proper/commons-io/"
+ },
+ {
+ "type" : "build-system",
+ "url" : "https://github.com/apache/commons-parent/actions"
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://repository.apache.org/service/local/staging/deploy/maven2"
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "https://issues.apache.org/jira/browse/IO"
+ },
+ {
+ "type" : "mailing-list",
+ "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/"
+ },
+ {
+ "type" : "vcs",
+ "url" : "https://gitbox.apache.org/repos/asf?p=commons-io.git"
+ }
+ ]
+ },
+ {
+ "type" : "library",
+ "bom-ref" :
"pkg:maven/org.apache.commons/[email protected]?type=jar",
+ "group" : "org.apache.commons",
+ "name" : "commons-collections4",
+ "version" : "4.5.0",
+ "description" : "The Apache Commons Collections package contains types
that extend and augment the Java Collections Framework.",
+ "scope" : "required",
+ "licenses" : [
+ {
+ "license" : {
+ "id" : "Apache-2.0"
+ }
+ }
+ ],
+ "purl" :
"pkg:maven/org.apache.commons/[email protected]?type=jar",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://commons.apache.org/proper/commons-collections/"
+ },
+ {
+ "type" : "build-system",
+ "url" : "https://builds.apache.org/"
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://repository.apache.org/service/local/staging/deploy/maven2"
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "http://issues.apache.org/jira/browse/COLLECTIONS"
+ },
+ {
+ "type" : "mailing-list",
+ "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/"
+ },
+ {
+ "type" : "vcs",
+ "url" :
"https://git-wip-us.apache.org/repos/asf?p=commons-collections.git"
+ }
+ ]
+ },
+ {
+ "type" : "library",
+ "bom-ref" :
"pkg:maven/com.github.package-url/[email protected]?type=jar",
+ "group" : "com.github.package-url",
+ "name" : "packageurl-java",
+ "version" : "1.5.0",
+ "description" : "The official Java implementation of the PackageURL
specification. PackageURL (purl) is a minimal specification for describing a
package via a \"mostly universal\" URL.",
+ "scope" : "required",
+ "licenses" : [
+ {
+ "license" : {
+ "id" : "MIT",
+ "url" : "https://opensource.org/licenses/MIT"
+ }
+ }
+ ],
+ "purl" :
"pkg:maven/com.github.package-url/[email protected]?type=jar",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://github.com/package-url/packageurl-java"
+ },
+ {
+ "type" : "build-system",
+ "url" : "https://travis-ci.com/package-url/packageurl-java"
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://oss.sonatype.org/service/local/staging/deploy/maven2/"
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "https://github.com/package-url/packageurl-java/issues"
+ },
+ {
+ "type" : "vcs",
+ "url" : "https://github.com/package-url/packageurl-java.git"
+ }
+ ]
+ },
+ {
+ "type" : "library",
+ "bom-ref" :
"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar",
+ "group" : "com.fasterxml.jackson.dataformat",
+ "name" : "jackson-dataformat-xml",
+ "version" : "2.21.1",
+ "description" : "Data format extension for Jackson to offer alternative
support for serializing POJOs as XML and deserializing XML as pojos.",
+ "scope" : "required",
+ "licenses" : [
+ {
+ "license" : {
+ "id" : "Apache-2.0"
+ }
+ }
+ ],
+ "purl" :
"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://github.com/FasterXML/jackson-dataformat-xml"
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://oss.sonatype.org/service/local/staging/deploy/maven2/"
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "https://github.com/FasterXML/jackson-dataformat-xml/issues"
+ },
+ {
+ "type" : "vcs",
+ "url" : "http://github.com/FasterXML/jackson-dataformat-xml"
+ }
+ ]
+ },
+ {
+ "type" : "library",
+ "bom-ref" :
"pkg:maven/com.networknt/[email protected]?type=jar",
+ "group" : "com.networknt",
+ "name" : "json-schema-validator",
+ "version" : "2.0.1",
+ "description" : "A json schema validator that supports draft v4, v6, v7,
v2019-09 and v2020-12",
+ "scope" : "required",
+ "licenses" : [
+ {
+ "license" : {
+ "id" : "Apache-2.0"
+ }
+ }
+ ],
+ "purl" : "pkg:maven/com.networknt/[email protected]?type=jar",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://github.com/networknt/json-schema-validator"
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://oss.sonatype.org/service/local/staging/deploy/maven2/"
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "https://github.com/networknt/json-schema-validator/issues"
+ },
+ {
+ "type" : "vcs",
+ "url" : "https://github.com:networknt/json-schema-validator.git"
+ }
+ ]
+ },
+ {
+ "type" : "library",
+ "bom-ref" : "pkg:maven/commons-codec/[email protected]?type=jar",
+ "group" : "commons-codec",
+ "name" : "commons-codec",
+ "version" : "1.21.1",
+ "description" : "The Apache Commons Codec component contains encoders
and decoders for various formats such as Base16, Base32, Base64, digest, and
Hexadecimal. In addition to these widely used encoders and decoders, the codec
package also maintains a collection of phonetic encoding utilities.",
+ "scope" : "required",
+ "licenses" : [
+ {
+ "license" : {
+ "id" : "Apache-2.0",
+ "url" : "https://www.apache.org/licenses/LICENSE-2.0"
+ }
+ }
+ ],
+ "purl" : "pkg:maven/commons-codec/[email protected]?type=jar",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://commons.apache.org/proper/commons-codec/"
+ },
+ {
+ "type" : "build-system",
+ "url" : "https://github.com/apache/commons-parent/actions"
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://repository.apache.org/service/local/staging/deploy/maven2"
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "https://issues.apache.org/jira/browse/CODEC"
+ },
+ {
+ "type" : "mailing-list",
+ "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/"
+ },
+ {
+ "type" : "vcs",
+ "url" : "https://github.com/apache/commons-codec"
+ }
+ ]
+ },
+ {
+ "type" : "library",
+ "bom-ref" : "pkg:maven/org.apache.commons/[email protected]?type=jar",
+ "group" : "org.apache.commons",
+ "name" : "commons-lang3",
+ "version" : "3.20.0",
+ "description" : "Apache Commons Lang, a package of Java utility classes
for the classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang. The code is tested using the
latest revision of the JDK for supported LTS releases: 8, 11, 17 and 21
currently. See
https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml
Please ensure your build environment is up-to-date and kindly report any build
issues.",
+ "scope" : "required",
+ "licenses" : [
+ {
+ "license" : {
+ "id" : "Apache-2.0",
+ "url" : "https://www.apache.org/licenses/LICENSE-2.0"
+ }
+ }
+ ],
+ "purl" : "pkg:maven/org.apache.commons/[email protected]?type=jar",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://commons.apache.org/proper/commons-lang/"
+ },
+ {
+ "type" : "build-system",
+ "url" : "https://github.com/apache/commons-parent/actions"
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://repository.apache.org/service/local/staging/deploy/maven2"
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "https://issues.apache.org/jira/browse/LANG"
+ },
+ {
+ "type" : "mailing-list",
+ "url" : "https://mail-archives.apache.org/mod_mbox/commons-user/"
+ },
+ {
+ "type" : "vcs",
+ "url" : "https://gitbox.apache.org/repos/asf?p=commons-lang.git"
+ }
+ ]
}
],
"dependencies" : [
@@ -242,6 +527,18 @@
"pkg:maven/org.apache.ant/[email protected]?type=jar",
"pkg:maven/org.cyclonedx/[email protected]?type=jar"
]
+ },
+ {
+ "ref" : "pkg:maven/org.cyclonedx/[email protected]?type=jar",
+ "dependsOn" : [
+ "pkg:maven/commons-codec/[email protected]?type=jar",
+ "pkg:maven/commons-io/[email protected]?type=jar",
+ "pkg:maven/org.apache.commons/[email protected]?type=jar",
+ "pkg:maven/org.apache.commons/[email protected]?type=jar",
+ "pkg:maven/com.github.package-url/[email protected]?type=jar",
+
"pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar",
+ "pkg:maven/com.networknt/[email protected]?type=jar"
+ ]
}
]
}
\ No newline at end of file
diff --git a/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml
b/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml
index bfaa5e9..11bf946 100644
--- a/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml
+++ b/examples/ant-cyclonedx-0.1alpha-cyclonedx.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
-<bom serialNumber="urn:uuid:1b67466f-e18e-401b-857b-ce95cdd9cc82" version="1"
xmlns="http://cyclonedx.org/schema/bom/1.6">
+<bom serialNumber="urn:uuid:87cc16ad-4397-473c-bab8-fbd7899b27cb" version="1"
xmlns="http://cyclonedx.org/schema/bom/1.6">
<metadata>
- <timestamp>2026-05-08T12:48:39Z</timestamp>
+ <timestamp>2026-05-08T16:15:00Z</timestamp>
<lifecycles>
<lifecycle>
<phase>build</phase>
@@ -23,14 +23,14 @@
<version>0.1alpha</version>
<description>Apache CycloneDX Antlib</description>
<hashes>
- <hash alg="MD5">0504c60f77b82c2d29f3b71d7c4af59b</hash>
- <hash alg="SHA-1">a58ca1d9c117d4a53c1d542746d06ea9a600900d</hash>
- <hash
alg="SHA-256">ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a</hash>
- <hash
alg="SHA-512">54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934</hash>
- <hash
alg="SHA3-256">55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf</hash>
- <hash
alg="SHA3-512">88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed</hash>
- <hash
alg="SHA-384">30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a</hash>
- <hash
alg="SHA3-384">a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9</hash>
+ <hash alg="MD5">6aeaa4d90eb5a78e1de7de2e4d4ad034</hash>
+ <hash alg="SHA-1">ed43b1dbded26e2a2a24c6d213d7b813c4e2bc6e</hash>
+ <hash
alg="SHA-256">dca5a782a71ec62524e1d570c6473258d019656e12fe0fe4bdbc2a44545c5324</hash>
+ <hash
alg="SHA-512">f427019b0505e0860dd1ded1866296ec363fb5d832cb49072a23aa27be3632192570c7339330308bf6a6b8a39555f816b2d9afcd6c798f1a06fbaec8361d5f22</hash>
+ <hash
alg="SHA3-256">a69ab61d30bf7d890622726a448a44ff02a741c91d205c45e943fc94ac0ff328</hash>
+ <hash
alg="SHA3-512">305eb78224477a3b88a0506db5fd99f08706b20c8707851150b207f4127adbe648f4ba44c139a07799153cb46367bd382284f43874be3e49b7ec30cee69c0844</hash>
+ <hash
alg="SHA-384">faa448fc61c705102c4f7edf584c1660c697fb723297522021e462e3911de05a3bbd049dd607139c203d67f44ce5fc09</hash>
+ <hash
alg="SHA3-384">d19b4b2d1aff17e35a76c2fa731200e3ee9d32ce784e2efa8f86e985513fb1568efbf7e1612df068e0871c8e0918263b</hash>
</hashes>
<licenses>
<license>
@@ -64,14 +64,14 @@
<version>0.1alpha</version>
<description>Apache CycloneDX Antlib</description>
<hashes>
- <hash alg="MD5">0504c60f77b82c2d29f3b71d7c4af59b</hash>
- <hash alg="SHA-1">a58ca1d9c117d4a53c1d542746d06ea9a600900d</hash>
- <hash
alg="SHA-256">ecb1194156998b8ab00e924bdcde7feb3db5e58ee9f3b25f7d2c035faea4cb0a</hash>
- <hash
alg="SHA-512">54753aed7aff4e081f73f0c650b7123b38e75d72b0435fcc53cba999fbcb76eb28dfca338dedc7a45baf255295ca91b810c30dfbf831d046d7e93a294bd09934</hash>
- <hash
alg="SHA3-256">55278e0880bc15adee69a99914ae0e6b21168dc42686645ecbe70e35ee43a7bf</hash>
- <hash
alg="SHA3-512">88fba63cfe760889da636707607e9ecbe6939956047b2fe93a2c7d2c41f7fb224b45156cc5e91c3d4622d3cba9fb4125e9db44db56f75ddc961441837f3249ed</hash>
- <hash
alg="SHA-384">30bc5a491bfee55b328c5396750a20ead6539eaff5dbfb8f7a87c6d2fc3b554c1a98fc97bb54fda567fce3e6aae4d08a</hash>
- <hash
alg="SHA3-384">a5da389ae35bd9dde14e4cff5ead642ca63f54170726166f978f0573cffda4d8c5424f599f522e28da4bff8b1c43d3c9</hash>
+ <hash alg="MD5">6aeaa4d90eb5a78e1de7de2e4d4ad034</hash>
+ <hash alg="SHA-1">ed43b1dbded26e2a2a24c6d213d7b813c4e2bc6e</hash>
+ <hash
alg="SHA-256">dca5a782a71ec62524e1d570c6473258d019656e12fe0fe4bdbc2a44545c5324</hash>
+ <hash
alg="SHA-512">f427019b0505e0860dd1ded1866296ec363fb5d832cb49072a23aa27be3632192570c7339330308bf6a6b8a39555f816b2d9afcd6c798f1a06fbaec8361d5f22</hash>
+ <hash
alg="SHA3-256">a69ab61d30bf7d890622726a448a44ff02a741c91d205c45e943fc94ac0ff328</hash>
+ <hash
alg="SHA3-512">305eb78224477a3b88a0506db5fd99f08706b20c8707851150b207f4127adbe648f4ba44c139a07799153cb46367bd382284f43874be3e49b7ec30cee69c0844</hash>
+ <hash
alg="SHA-384">faa448fc61c705102c4f7edf584c1660c697fb723297522021e462e3911de05a3bbd049dd607139c203d67f44ce5fc09</hash>
+ <hash
alg="SHA3-384">d19b4b2d1aff17e35a76c2fa731200e3ee9d32ce784e2efa8f86e985513fb1568efbf7e1612df068e0871c8e0918263b</hash>
</hashes>
<licenses>
<license>
@@ -146,11 +146,240 @@
</reference>
</externalReferences>
</component>
+ <component type="library"
bom-ref="pkg:maven/commons-io/[email protected]?type=jar">
+ <group>commons-io</group>
+ <name>commons-io</name>
+ <version>2.21.0</version>
+ <description>The Apache Commons IO library contains utility classes,
stream implementations, file filters, file comparators, endian transformation
classes, and much more.</description>
+ <scope>required</scope>
+ <licenses>
+ <license>
+ <id>Apache-2.0</id>
+ <url>https://www.apache.org/licenses/LICENSE-2.0</url>
+ </license>
+ </licenses>
+ <purl>pkg:maven/commons-io/[email protected]?type=jar</purl>
+ <externalReferences>
+ <reference type="website">
+ <url>https://commons.apache.org/proper/commons-io/</url>
+ </reference>
+ <reference type="build-system">
+ <url>https://github.com/apache/commons-parent/actions</url>
+ </reference>
+ <reference type="distribution-intake">
+
<url>https://repository.apache.org/service/local/staging/deploy/maven2</url>
+ </reference>
+ <reference type="issue-tracker">
+ <url>https://issues.apache.org/jira/browse/IO</url>
+ </reference>
+ <reference type="mailing-list">
+ <url>https://mail-archives.apache.org/mod_mbox/commons-user/</url>
+ </reference>
+ <reference type="vcs">
+ <url>https://gitbox.apache.org/repos/asf?p=commons-io.git</url>
+ </reference>
+ </externalReferences>
+ </component>
+ <component type="library"
bom-ref="pkg:maven/org.apache.commons/[email protected]?type=jar">
+ <group>org.apache.commons</group>
+ <name>commons-collections4</name>
+ <version>4.5.0</version>
+ <description>The Apache Commons Collections package contains types that
extend and augment the Java Collections Framework.</description>
+ <scope>required</scope>
+ <licenses>
+ <license>
+ <id>Apache-2.0</id>
+ </license>
+ </licenses>
+
<purl>pkg:maven/org.apache.commons/[email protected]?type=jar</purl>
+ <externalReferences>
+ <reference type="website">
+ <url>https://commons.apache.org/proper/commons-collections/</url>
+ </reference>
+ <reference type="build-system">
+ <url>https://builds.apache.org/</url>
+ </reference>
+ <reference type="distribution-intake">
+
<url>https://repository.apache.org/service/local/staging/deploy/maven2</url>
+ </reference>
+ <reference type="issue-tracker">
+ <url>http://issues.apache.org/jira/browse/COLLECTIONS</url>
+ </reference>
+ <reference type="mailing-list">
+ <url>https://mail-archives.apache.org/mod_mbox/commons-user/</url>
+ </reference>
+ <reference type="vcs">
+
<url>https://git-wip-us.apache.org/repos/asf?p=commons-collections.git</url>
+ </reference>
+ </externalReferences>
+ </component>
+ <component type="library"
bom-ref="pkg:maven/com.github.package-url/[email protected]?type=jar">
+ <group>com.github.package-url</group>
+ <name>packageurl-java</name>
+ <version>1.5.0</version>
+ <description>The official Java implementation of the PackageURL
specification. PackageURL (purl) is a minimal specification for describing a
package via a "mostly universal" URL.</description>
+ <scope>required</scope>
+ <licenses>
+ <license>
+ <id>MIT</id>
+ <url>https://opensource.org/licenses/MIT</url>
+ </license>
+ </licenses>
+
<purl>pkg:maven/com.github.package-url/[email protected]?type=jar</purl>
+ <externalReferences>
+ <reference type="website">
+ <url>https://github.com/package-url/packageurl-java</url>
+ </reference>
+ <reference type="build-system">
+ <url>https://travis-ci.com/package-url/packageurl-java</url>
+ </reference>
+ <reference type="distribution-intake">
+
<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+ </reference>
+ <reference type="issue-tracker">
+ <url>https://github.com/package-url/packageurl-java/issues</url>
+ </reference>
+ <reference type="vcs">
+ <url>https://github.com/package-url/packageurl-java.git</url>
+ </reference>
+ </externalReferences>
+ </component>
+ <component type="library"
bom-ref="pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar">
+ <group>com.fasterxml.jackson.dataformat</group>
+ <name>jackson-dataformat-xml</name>
+ <version>2.21.1</version>
+ <description>Data format extension for Jackson to offer alternative
support for serializing POJOs as XML and deserializing XML as
pojos.</description>
+ <scope>required</scope>
+ <licenses>
+ <license>
+ <id>Apache-2.0</id>
+ </license>
+ </licenses>
+
<purl>pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar</purl>
+ <externalReferences>
+ <reference type="website">
+ <url>https://github.com/FasterXML/jackson-dataformat-xml</url>
+ </reference>
+ <reference type="distribution-intake">
+
<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+ </reference>
+ <reference type="issue-tracker">
+ <url>https://github.com/FasterXML/jackson-dataformat-xml/issues</url>
+ </reference>
+ <reference type="vcs">
+ <url>http://github.com/FasterXML/jackson-dataformat-xml</url>
+ </reference>
+ </externalReferences>
+ </component>
+ <component type="library"
bom-ref="pkg:maven/com.networknt/[email protected]?type=jar">
+ <group>com.networknt</group>
+ <name>json-schema-validator</name>
+ <version>2.0.1</version>
+ <description>A json schema validator that supports draft v4, v6, v7,
v2019-09 and v2020-12</description>
+ <scope>required</scope>
+ <licenses>
+ <license>
+ <id>Apache-2.0</id>
+ </license>
+ </licenses>
+ <purl>pkg:maven/com.networknt/[email protected]?type=jar</purl>
+ <externalReferences>
+ <reference type="website">
+ <url>https://github.com/networknt/json-schema-validator</url>
+ </reference>
+ <reference type="distribution-intake">
+
<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+ </reference>
+ <reference type="issue-tracker">
+ <url>https://github.com/networknt/json-schema-validator/issues</url>
+ </reference>
+ <reference type="vcs">
+ <url>https://github.com:networknt/json-schema-validator.git</url>
+ </reference>
+ </externalReferences>
+ </component>
+ <component type="library"
bom-ref="pkg:maven/commons-codec/[email protected]?type=jar">
+ <group>commons-codec</group>
+ <name>commons-codec</name>
+ <version>1.21.1</version>
+ <description>The Apache Commons Codec component contains encoders and
decoders for various formats such as Base16, Base32, Base64, digest, and
Hexadecimal. In addition to these widely used encoders and decoders, the codec
package also maintains a collection of phonetic encoding
utilities.</description>
+ <scope>required</scope>
+ <licenses>
+ <license>
+ <id>Apache-2.0</id>
+ <url>https://www.apache.org/licenses/LICENSE-2.0</url>
+ </license>
+ </licenses>
+ <purl>pkg:maven/commons-codec/[email protected]?type=jar</purl>
+ <externalReferences>
+ <reference type="website">
+ <url>https://commons.apache.org/proper/commons-codec/</url>
+ </reference>
+ <reference type="build-system">
+ <url>https://github.com/apache/commons-parent/actions</url>
+ </reference>
+ <reference type="distribution-intake">
+
<url>https://repository.apache.org/service/local/staging/deploy/maven2</url>
+ </reference>
+ <reference type="issue-tracker">
+ <url>https://issues.apache.org/jira/browse/CODEC</url>
+ </reference>
+ <reference type="mailing-list">
+ <url>https://mail-archives.apache.org/mod_mbox/commons-user/</url>
+ </reference>
+ <reference type="vcs">
+ <url>https://github.com/apache/commons-codec</url>
+ </reference>
+ </externalReferences>
+ </component>
+ <component type="library"
bom-ref="pkg:maven/org.apache.commons/[email protected]?type=jar">
+ <group>org.apache.commons</group>
+ <name>commons-lang3</name>
+ <version>3.20.0</version>
+ <description>Apache Commons Lang, a package of Java utility classes for
the classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang. The code is tested using the
latest revision of the JDK for supported LTS releases: 8, 11, 17 and 21
currently. See
https://github.com/apache/commons-lang/blob/master/.github/workflows/maven.yml
Please ensure your build environment is up-to-date and kindly report any build
issues.</description>
+ <scope>required</scope>
+ <licenses>
+ <license>
+ <id>Apache-2.0</id>
+ <url>https://www.apache.org/licenses/LICENSE-2.0</url>
+ </license>
+ </licenses>
+ <purl>pkg:maven/org.apache.commons/[email protected]?type=jar</purl>
+ <externalReferences>
+ <reference type="website">
+ <url>https://commons.apache.org/proper/commons-lang/</url>
+ </reference>
+ <reference type="build-system">
+ <url>https://github.com/apache/commons-parent/actions</url>
+ </reference>
+ <reference type="distribution-intake">
+
<url>https://repository.apache.org/service/local/staging/deploy/maven2</url>
+ </reference>
+ <reference type="issue-tracker">
+ <url>https://issues.apache.org/jira/browse/LANG</url>
+ </reference>
+ <reference type="mailing-list">
+ <url>https://mail-archives.apache.org/mod_mbox/commons-user/</url>
+ </reference>
+ <reference type="vcs">
+ <url>https://gitbox.apache.org/repos/asf?p=commons-lang.git</url>
+ </reference>
+ </externalReferences>
+ </component>
</components>
<dependencies>
<dependency ref="pkg:maven/org.apache.ant/[email protected]?type=jar">
<dependency ref="pkg:maven/org.apache.ant/[email protected]?type=jar"/>
<dependency
ref="pkg:maven/org.cyclonedx/[email protected]?type=jar"/>
</dependency>
+ <dependency
ref="pkg:maven/org.cyclonedx/[email protected]?type=jar">
+ <dependency ref="pkg:maven/commons-codec/[email protected]?type=jar"/>
+ <dependency ref="pkg:maven/commons-io/[email protected]?type=jar"/>
+ <dependency
ref="pkg:maven/org.apache.commons/[email protected]?type=jar"/>
+ <dependency
ref="pkg:maven/org.apache.commons/[email protected]?type=jar"/>
+ <dependency
ref="pkg:maven/com.github.package-url/[email protected]?type=jar"/>
+ <dependency
ref="pkg:maven/com.fasterxml.jackson.dataformat/[email protected]?type=jar"/>
+ <dependency
ref="pkg:maven/com.networknt/[email protected]?type=jar"/>
+ </dependency>
</dependencies>
</bom>
diff --git a/src/main/org/apache/ant/cyclonedx/Component.java
b/src/main/org/apache/ant/cyclonedx/Component.java
index 50518f0..3db4b66 100644
--- a/src/main/org/apache/ant/cyclonedx/Component.java
+++ b/src/main/org/apache/ant/cyclonedx/Component.java
@@ -5,7 +5,11 @@ import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
import java.util.List;
+import java.util.Objects;
+import java.util.stream.Collectors;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.ProjectComponent;
@@ -41,6 +45,7 @@ public class Component extends DataType {
private boolean isExternal = false;
private List<Dependency> dependencies = new ArrayList<>();
private boolean unknownDependencies = false;
+ private boolean sbomLinkResolved = false;
private Union sbomLink;
public void add(Resource resource) {
@@ -61,11 +66,25 @@ public class Component extends DataType {
this.name = name;
}
+ public String getName() {
+ if (isReference()) {
+ return getRef().getName();
+ }
+ return name;
+ }
+
public void setGroup(String group) {
checkAttributesAllowed();
this.group = group;
}
+ public String getGroup() {
+ if (isReference()) {
+ return getRef().getGroup();
+ }
+ return group;
+ }
+
public void setVersion(String version) {
checkAttributesAllowed();
this.version = version;
@@ -172,6 +191,13 @@ public class Component extends DataType {
return sbomLink == null ? (sbomLink = new Union()) : sbomLink;
}
+ public boolean hasSbomLink() {
+ if (isReference()) {
+ return getRef().hasSbomLink();
+ }
+ return sbomLink != null;
+ }
+
public boolean areDependenciesUnknown() {
if (isReference()) {
return getRef().areDependenciesUnknown();
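Review bot: `hasSbomLink()` answers true as soon as the `Union` exists, and the context line above (`return sbomLink == null ? (sbomLink = new Union()) : sbomLink;`) shows that object is created lazily the moment the nested element is declared, so an empty `<sbomLink/>` counts as "has a link" even though `resolve()` will then reject it with "sbomLink requires exactly one nested resource". That is a defensible contract, but callers deciding whether to call `resolve()` should know it, so the method deserves a Javadoc line such as `/** True once an sbomLink element is declared, even an empty one; resolve() enforces that it holds exactly one resource. */`. If the intent is instead "has a usable link", `return sbomLink != null && sbomLink.size() > 0;` would be the change, which I would only make if callers are known not to rely on the current behaviour.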
@@ -179,13 +205,12 @@ public class Component extends DataType {
return unknownDependencies;
}
- public void resolve() throws IOException {
+ public Collection<Component> resolve() throws IOException {
if (isReference()) {
- getRef().resolve();
- return;
+ return getRef().resolve();
}
- if (sbomLink != null) {
+ if (sbomLink != null && !sbomLinkResolved) {
if (sbomLink.size() != 1) {
throw new BuildException("sbomLink requires exactly one nested
resource");
}
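Review bot: The new `!sbomLinkResolved` guard turns `resolve()` into a one-shot operation, but nothing in this hunk sets `sbomLinkResolved = true`, and the tail of the method, where the value returned on a second call or when no link is present is produced, lies outside the hunk; if the flag is only flipped at the end of the successful path the memoisation is sound, but a second caller will then get whatever the post-guard code returns rather than the components found the first time. I would set the flag immediately after the linked SBOM has been parsed and copied (`sbomLinkResolved = true;` next to the `fillFrom(real)` call) and keep the resolved `Collection<Component>` in a field so repeated calls return the same objects instead of either re-reading the file or returning an empty collection. The method also needs Javadoc now that it returns something: describe the result as the components declared in the linked SBOM that this component directly depends on (the commit message says transitive ones are deliberately not followed), and state what is returned when there is no sbomLink. The body of `resolve()` continues past the end of this hunk.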
@@ -209,38 +234,49 @@ public class Component extends DataType {
if (real == null) {
throw new BuildException("referenced SBOM file lacks
component");
}
- setType(real.getType());
- setName(real.getName());
- setGroup(real.getGroup());
- setVersion(real.getVersion());
- setDescription(real.getDescription());
- setPurl(real.getPurl());
- setBomRef(real.getBomRef());
- setScope(real.getScope());
- setUnknownDependencies(true);
- OrganizationalEntity manufacturer = real.getManufacturer();
- if (manufacturer != null) {
- this.manufacturer = Organization.from(manufacturer);
- }
- OrganizationalEntity supplier = real.getSupplier();
- if (supplier != null) {
- this.supplier = Organization.from(supplier);
- }
- LicenseChoice licenses = real.getLicenses();
- if (licenses != null) {
- this.licenses.clear();
- this.licenses.addAll(licenses.getLicenses());
+ fillFrom(real);
+
+ List<org.cyclonedx.model.Dependency> allDependencies =
bom.getDependencies();
+ if (allDependencies != null) {
+ setUnknownDependencies(true);
+ org.cyclonedx.model.Dependency myDependencies =
allDependencies
+ .stream()
+ .filter(d -> Objects.equals(d.getRef(),
getBomRef()))
+ .findAny()
+ .orElse(null);
+ if (myDependencies != null &&
myDependencies.getDependencies() != null) {
+ setUnknownDependencies(false);
+ dependencies.clear();
+ dependencies
+ .addAll(myDependencies.getDependencies()
+ .stream()
+ .map(Dependency::from)
+ .collect(Collectors.toList()));
+ }
}
- if (real.getExternalReferences() != null) {
- this.externalReferences.clear();
-
this.externalReferences.addAll(real.getExternalReferences());
+
+ List<org.cyclonedx.model.Component> additionalComponents =
bom.getComponents();
+ if (additionalComponents != null &&
!areDependenciesUnknown()) {
+ List<Component> toReturn = new ArrayList<>();
+ for (org.cyclonedx.model.Component c :
additionalComponents) {
+ Component dep = from(c);
+ if (dependencies.stream().anyMatch(d ->
Objects.equals(dep.getBomRef(), d.getBomRef()))) {
+ // we don't want to resolve transitive
dependencies automatically
+ dep.setUnknownDependencies(true);
+ toReturn.add(dep);
+ }
+ }
+ return toReturn;
}
+
} catch (ParseException ex) {
throw new BuildException("failed to parse sbomlink " +
sbom.getName());
}
}
- sbomLink = null;
+ sbomLinkResolved = true;
}
+
+ return Collections.emptyList();
}
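Review bot: The `return toReturn;` inside the `additionalComponents` block leaves the method before `sbomLinkResolved = true;` is reached, so on exactly the path where the imported SBOM did supply dependencies the guard never flips and a later call to `resolve()` parses the SBOM and runs `fillFrom` again; replacing `sbomLink = null` with the flag was presumably meant to make repeat calls idempotent, and `sbomLinkResolved = true; return toReturn;` restores that. Separately, `setUnknownDependencies(true)` moved under `if (allDependencies != null)`, so an imported SBOM with no `dependencies` section now leaves the field at its previous value (false by default) and the component is emitted with a known, empty dependency list where it used to be marked unknown; keeping the unconditional call right after `fillFrom(real);` preserves the old meaning. The bom-refs copied from the imported SBOM are only unique within that file, so when several linked SBOMs are merged the `getBomRef()` matching here and the dependency graph built from it can alias components from different sources; that limitation deserves a comment at the `Objects.equals(d.getRef(), getBomRef())` filter, or refs qualified per source SBOM.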
public org.cyclonedx.model.Component toMainCycloneDxComponent(Version
bomVersion)
@@ -266,6 +302,12 @@ public class Component extends DataType {
return component;
}
+ public static Component from(org.cyclonedx.model.Component real) {
+ Component c = new Component();
+ c.fillFrom(real);
+ return c;
+ }
+
private org.cyclonedx.model.Component toCycloneDxComponent(Version
bomVersion)
throws IOException {
if (name == null) {
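Review bot: `from` has no Javadoc, and the `Component` it builds comes from the no-arg constructor, i.e. it is detached from any Ant `Project` and has no `Resource` behind it; the only consumer visible here is `resolve()`, which immediately marks the copy's dependencies unknown. Since such copies are later passed to `toAdditionalCycloneDxComponent` by the task, the factory should say what they lack, e.g. `/** Creates a detached Component mirroring the descriptive attributes of a parsed CycloneDX component; it has no project, resource or sbomLink, so hashes presumably cannot be computed for it. */`.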
@@ -326,6 +368,34 @@ public class Component extends DataType {
return component;
}
+ private void fillFrom(org.cyclonedx.model.Component real) {
+ setType(real.getType());
+ setName(real.getName());
+ setGroup(real.getGroup());
+ setVersion(real.getVersion());
+ setDescription(real.getDescription());
+ setPurl(real.getPurl());
+ setBomRef(real.getBomRef());
+ setScope(real.getScope());
+ OrganizationalEntity manufacturer = real.getManufacturer();
+ if (manufacturer != null) {
+ this.manufacturer = Organization.from(manufacturer);
+ }
+ OrganizationalEntity supplier = real.getSupplier();
+ if (supplier != null) {
+ this.supplier = Organization.from(supplier);
+ }
+ LicenseChoice licenses = real.getLicenses();
+ if (licenses != null) {
+ this.licenses.clear();
+ this.licenses.addAll(licenses.getLicenses());
+ }
+ if (real.getExternalReferences() != null) {
+ this.externalReferences.clear();
+ this.externalReferences.addAll(real.getExternalReferences());
+ }
+ }
+
private void addHashes(org.cyclonedx.model.Component component, Version
bomVersion)
throws IOException {
if (resource == null) {
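Review bot: `this.licenses.addAll(licenses.getLicenses())` in `fillFrom` throws a NullPointerException when the imported component states its license as an SPDX expression instead of a list, in which case `LicenseChoice.getLicenses()` is, as far as I recall from cyclonedx-core, null; `if (licenses != null && licenses.getLicenses() != null) {` covers that, and the expression is dropped either way, which is worth a comment. The method also copies the imported `bom-ref` verbatim; a one-line comment that these refs are scoped to the source SBOM would help whoever reads the dependency matching in `resolve()`. A Javadoc such as `/** Copies the descriptive attributes (type, coordinates, purl, bom-ref, scope, organizations, licenses and external references) of a parsed CycloneDX component into this one; dependencies and hashes are not touched. */` would complete it.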
@@ -410,6 +480,12 @@ public class Component extends DataType {
}
throw new BuildException("componentRef '" + componentRef + "'
doesn't refer to a component");
}
+
+ public static Dependency from(org.cyclonedx.model.Dependency
dependency) {
+ Dependency d = new Dependency();
+ d.setBomRef(dependency.getRef());
+ return d;
+ }
}
/**
diff --git a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
index c29cf2f..d811490 100644
--- a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
+++ b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
@@ -129,6 +129,8 @@ public class ComponentBomTask extends Task {
if (component == null) {
throw new BuildException("nested component element is required");
}
+ Set<String> knownComponents = new HashSet<>();
+ knownComponents.add(component.getGroup() + ":" + component.getName());
meta.setComponent(component.toMainCycloneDxComponent(specVersion.getVersion()));
if (useComponentSupplier) {
OrganizationalEntity componentSupplier =
meta.getComponent().getSupplier();
@@ -148,10 +150,19 @@ public class ComponentBomTask extends Task {
if (!additionalComponents.isEmpty()) {
List<org.cyclonedx.model.Component> cs = new ArrayList<>();
+ List<Component> resolvedComponents = new ArrayList<>();
for (Component c : additionalComponents) {
- c.resolve();
+ knownComponents.add(c.getGroup() + ":" + c.getName());
+ resolvedComponents.addAll(c.resolve());
cs.add(c.toAdditionalCycloneDxComponent(specVersion.getVersion()));
}
+ for (Component c : resolvedComponents) {
+ String componentKey = c.getGroup() + ":" + c.getName();
+ if (!knownComponents.contains(componentKey)) {
+ knownComponents.add(componentKey);
+
cs.add(c.toAdditionalCycloneDxComponent(specVersion.getVersion()));
+ }
+ }
bom.setComponents(cs);
}
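Review bot: The dedupe key `c.getGroup() + ":" + c.getName()` (here and at the earlier `knownComponents.add` in this file) ignores the version, so when two linked SBOMs depend on different versions of the same artifact only the first one survives in `cs` and the emitted SBOM under-reports what is actually shipped, which is precisely the data vulnerability scanners key on. It also stringifies a null group as `null:`, harmless for matching but misleading as a key. Using the purl when present, or at least `c.getGroup() + ":" + c.getName() + ":" + c.getVersion()`, keeps distinct versions apart; if collapsing versions is intended, that deserves an explicit comment. Dropping a component by coordinates while the dependency graph taken from the imported SBOM still references its bom-ref could leave a dangling reference; whether the bomRefs check further down catches that is outside this hunk.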
@@ -166,9 +177,12 @@ public class ComponentBomTask extends Task {
if (component.getBomRef() != null) {
bomRefs.add(component.getBomRef());
}
- for (Component c : additionalComponents) {
- if (c.getBomRef() != null) {
- bomRefs.add(c.getBomRef());
+ List<org.cyclonedx.model.Component> components = bom.getComponents();
+ if (components != null) {
+ for (org.cyclonedx.model.Component c : components) {
+ if (c.getBomRef() != null) {
+ bomRefs.add(c.getBomRef());
+ }
}
}