Cyclonedx #233 (Draft)

bodewig wants to merge 17 commits into master from cyclonedx

Conversation

@bodewig bodewig commented May 24, 2026

Example SBOMs can be seen at https://repository.apache.org/content/repositories/orgapacheant-1069/org/apache/ant/ - of course I don't intend to publish anything at this point.

},
{
"type" : "build-system",
"url" : "https://ci-builds.apache.org/job/Ant/job/CycloneDX%20Antlib/"
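Review bot: the build-system reference pins a specific Jenkins job path (/job/Ant/job/CycloneDX%20Antlib/), and the thread below notes that these job names get renamed at will; since an SBOM is a long-lived release artefact, consider pointing this reference at a more stable level (the Ant folder or the ci-builds.apache.org host) or documenting that the job URL is a point-in-time value, so a later 404 does not read as a defect in the published SBOM.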
Member commented:

Hello Stefan, is the "build-system" type mandated for these SBOM files? Although ci-builds.apache.org is something that is almost guaranteed to be present (at least in the near future), I don't know if we can guarantee that the jobs referred to here are going to be "permanent". We keep changing their names etc. as and when it pleases us because they are just internal jobs. So I'm unsure if we should publish this job link in the SBOM.

Member Author commented:

No external link is mandatory at all. I thought I'd put in as many as we can reasonably fill.

What you say about the CI system may also be true for the Bug-Tracker. I could change things to stop at the level of the Ant project rather than the individual component. Or even at the system level itself (i.e. ci-builds.apache.org and issues.apache.org).

The concrete line you commented on comes from the released ant-cyclonedx library and can only be modified with a new release, but I believe we are talking about the links in general.

},
{
"type" : "rfc-9116",
"url" : "https://ant.apache.org/.well-known/security.txt"
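Review bot: rfc-9116 is the correct CycloneDX type for a security.txt reference, so the type choice is fine; because this URL is where SBOM consumers will look for the project's disclosure contact, a release-time check that https://ant.apache.org/.well-known/security.txt still resolves (and that its Expires field, which RFC 9116 requires, has not passed) would keep a published SBOM from advertising a stale contact.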
Member commented:

I didn't know that there was an RFC which specifies a security.txt file for projects. Good to know.

Member Author commented:

Actually, the "type" is an enum defined by the spec: https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences_items_type - the types may be more restricted based on the context they appear in, as they may apply to the SBOM itself or to a component mentioned therein.

I vaguely recalled the RFC as I do have security.txt files for my own websites as well, but had forgotten it was an actual RFC.
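
The two points raised in this thread, that `externalReferences[].type` must come from the spec's enum and that a CI job URL is a volatile thing to bake into a release artefact, are the kind of checks an SBOM consumer or a release pipeline can run mechanically. The script below is an added example and is not code from the ant-cyclonedx library or this pull request. It assumes a CycloneDX JSON document with `metadata.component` and `components`, lists only a subset of the spec's type enum (extend `ALLOWED_TYPES` from the schema for real use), and treats a Jenkins-style `/job/` path as the signal for a volatile build-system URL; the sample SBOM inside it is constructed, modelled on the two snippets quoted in the review.

```python
"""Sanity-check externalReferences in a CycloneDX JSON SBOM.

Added example, not part of the ant-cyclonedx project. It reports
  1. reference types that are not in the spec's enum (subset listed here), and
  2. build-system URLs that pin a specific CI job path, which get renamed
     and therefore rot, while the SBOM that carries them lives on.
"""
import json
from urllib.parse import urlparse

# Subset of the externalReference type enum from the CycloneDX schema.
# Assumption: this list is trimmed; the full enum in the spec is longer.
ALLOWED_TYPES = {
    "vcs", "issue-tracker", "website", "mailing-list", "documentation",
    "distribution", "license", "build-system", "release-notes",
    "security-contact", "rfc-9116", "other",
}

# Constructed sample SBOM (not a real Ant release artefact).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "metadata": {
        "component": {
            "name": "ant-cyclonedx",
            "externalReferences": [
                {"type": "build-system",
                 "url": "https://ci-builds.apache.org/job/Ant/job/CycloneDX%20Antlib/"},
                {"type": "rfc-9116",
                 "url": "https://ant.apache.org/.well-known/security.txt"},
            ],
        }
    },
    "components": [
        {"name": "example-lib",
         "externalReferences": [
             # "bug-tracker" is not a spec value; the enum says "issue-tracker".
             {"type": "bug-tracker", "url": "https://issues.apache.org/"},
         ]},
    ],
}


def iter_components(bom):
    """Yield the SBOM's own metadata component, then every listed component."""
    meta = bom.get("metadata", {}).get("component")
    if meta:
        yield meta
    for comp in bom.get("components", []):
        yield comp


def check_external_references(bom):
    """Return findings as (component name, reference type, url, message) tuples."""
    findings = []
    for comp in iter_components(bom):
        name = comp.get("name", "<unnamed>")
        for ref in comp.get("externalReferences", []):
            rtype = ref.get("type")
            url = ref.get("url", "")
            path = urlparse(url).path
            if rtype not in ALLOWED_TYPES:
                findings.append((name, rtype, url, "unknown type"))
            # A Jenkins job path inside a build-system URL is a point-in-time
            # pointer: jobs get renamed, so flag it for review before release.
            if rtype == "build-system" and "/job/" in path:
                findings.append((name, rtype, url, "volatile CI job URL"))
            # RFC 9116 fixes the location of security.txt under /.well-known/.
            if rtype == "rfc-9116" and not path.endswith("/.well-known/security.txt"):
                findings.append((name, rtype, url,
                                 "rfc-9116 reference should point at /.well-known/security.txt"))
    return findings


def check_sbom_file(path):
    """Load a CycloneDX JSON file from disk and run the same checks on it."""
    with open(path, encoding="utf-8") as fh:
        return check_external_references(json.load(fh))


if __name__ == "__main__":
    for component, rtype, url, message in check_external_references(SAMPLE_BOM):
        print(f"{component}: {rtype} {url}: {message}")
```

Running it on the constructed sample reports the Jenkins job URL as volatile and the non-spec `bug-tracker` type as unknown, while the security.txt reference passes; `check_sbom_file` applies the same checks to a real `bom.json` pulled from a staging repository.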
