Why is this not done as an Apache project?

Gary
On Wed, Feb 5, 2025, 06:53 Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:

> Hi Gary,
>
> On 5.02.2025 12:26, Gary Gregory wrote:
> > Would it be possible to treat a VEX like a POM and let other tooling deal
> > with building an "effective" VEX like Maven builds an effective POM?
>
> This is one of the goals of a small Maven plugin I am developing with
> Christian[1]. Right now we are working on achieving an "effective"
> CycloneDX SBOM, i.e. an SBOM that contains both the information from
> your SBOM and those published by your dependencies.
>
> In a phase 10 we would like to merge VDR/VEX documents for the entire
> dependency tree.
>
> Piotr
>
> [1] https://github.com/sbom-enforcer/sbom-enforcer
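To make the "effective VEX" idea from the exchange above concrete, here is an added example (not code from the thread's participants and not from the sbom-enforcer plugin, which per Piotr does not merge VEX yet). It folds a root CycloneDX VEX together with the VEX documents published by its dependencies, by analogy with Maven's effective POM. Everything below the docstring is an assumption chosen for the illustration: the CycloneDX fields used (`vulnerabilities[].id`, `affects[].ref`, `analysis`, `metadata.component.purl`), the dependency graph passed in as a dict, the "nearest to the root wins" precedence rule, the `effective-vex:source` property used for provenance, and the sample purls and `EXAMPLE-*` vulnerability ids, which are constructed and not real advisories or artifacts.

```python
"""Effective VEX: merge a root CycloneDX VEX with the VEX documents published by
its dependencies, the way Maven folds parent POMs into an effective POM.

Added illustration, not the sbom-enforcer plugin's code. Assumed inputs:
  * each document is a CycloneDX JSON object with "vulnerabilities" whose
    entries carry "id", "affects" ([{"ref": purl}]) and "analysis";
  * "metadata.component.purl" names the component that published the VEX;
  * the dependency graph is {purl: [child purl, ...]} so depth can be derived.
Precedence rule (an assumption, chosen by analogy with Maven): the statement
published nearest the root wins; equal-depth disagreements are flagged.
"""
import json
from collections import deque


def depth_map(tree, root):
    """Breadth-first depth of every component reachable from root."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in tree.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def effective_vex(docs, tree, root):
    """Return a CycloneDX-shaped dict with one vulnerability entry per
    (vulnerability id, affected ref) pair, plus a provenance property."""
    depths = depth_map(tree, root)
    best = {}          # (id, ref) -> (depth, publisher, analysis)
    conflicts = set()
    for doc in docs:
        publisher = doc["metadata"]["component"]["purl"]
        if publisher not in depths:
            continue   # VEX from a component outside this tree: ignore
        d = depths[publisher]
        for vuln in doc.get("vulnerabilities", []):
            analysis = vuln.get("analysis")
            if not analysis:
                continue
            for affected in vuln.get("affects", []):
                key = (vuln["id"], affected["ref"])
                cur = best.get(key)
                if cur is None or d < cur[0]:
                    best[key] = (d, publisher, analysis)   # nearer wins
                    conflicts.discard(key)
                elif d == cur[0] and analysis.get("state") != cur[2].get("state"):
                    conflicts.add(key)                     # peers disagree

    vulns = []
    for (vid, ref), (d, publisher, analysis) in sorted(best.items()):
        if (vid, ref) in conflicts:
            # Never silently pick one side: hand the pair back to a human.
            analysis = {"state": "in_triage",
                        "detail": "conflicting analyses from dependencies at depth %d" % d}
            publisher = "effective-vex-merge"
        vulns.append({
            "id": vid,
            "affects": [{"ref": ref}],
            "analysis": analysis,
            "properties": [{"name": "effective-vex:source", "value": publisher}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"purl": root}},
            "vulnerabilities": vulns}


def entry_for(effective, vid, ref):
    """Look up the merged entry for (vid, ref); None if absent."""
    for v in effective["vulnerabilities"]:
        if v["id"] == vid and v["affects"][0]["ref"] == ref:
            return v
    return None


# Constructed sample data (hypothetical purls and ids, not real advisories).
APP = "pkg:maven/com.example/app@1.0"
LIB_A = "pkg:maven/org.example/lib-a@2.0"
LIB_B = "pkg:maven/org.example/lib-b@1.0"
TRANS = "pkg:maven/org.example/transitive@3.0"
TREE = {APP: [LIB_A, LIB_B], LIB_A: [TRANS], LIB_B: [TRANS]}


def vex(publisher, *entries):
    """Build a minimal CycloneDX VEX document from (id, ref, analysis) tuples."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"purl": publisher}},
            "vulnerabilities": [{"id": i, "affects": [{"ref": r}], "analysis": a}
                                for i, r, a in entries]}


SAMPLE_DOCS = [
    vex(LIB_A,
        ("EXAMPLE-2024-0001", TRANS, {"state": "not_affected", "justification": "code_not_reachable"}),
        ("EXAMPLE-2024-0002", LIB_A, {"state": "exploitable"}),
        ("EXAMPLE-2024-0003", TRANS, {"state": "not_affected", "justification": "code_not_present"})),
    vex(LIB_B,
        ("EXAMPLE-2024-0001", TRANS, {"state": "exploitable"})),
    vex(APP,
        ("EXAMPLE-2024-0002", LIB_A, {"state": "not_affected", "justification": "requires_configuration"})),
]

if __name__ == "__main__":
    print(json.dumps(effective_vex(SAMPLE_DOCS, TREE, APP), indent=2))
```

On the sample data the root's `not_affected` for EXAMPLE-2024-0002 overrides lib-a's own `exploitable`, lib-a's statement about EXAMPLE-2024-0003 is inherited unchanged, and the two direct dependencies disagreeing about EXAMPLE-2024-0001 collapse to `in_triage` rather than to whichever document happened to be read first. The caveat a consumer has to keep in mind is that a dependency's `not_affected` describes that dependency's use of the transitive component; if the root also reaches the same component by another path, the inherited statement is only as good as the root's own review, which is why the root's statements take precedence and why the merge records where each statement came from.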