2 changes: 1 addition & 1 deletion ReleaseInstructions
Expand Up @@ -158,7 +158,7 @@ Note: This document was adapted from the one created in the context of
b. Using gpg

$ for i in distribution/*/*.zip distribution/*/*.gz distribution/*/*.bz2 distribution/*/*.xz; do gpg --use-agent --detach-sign --armor $i; done
$ for i in java-repository/org/apache/ant/ant*/*/*.jar java-repository/org/apache/ant/ant*/*/*.pom; do gpg --use-agent --detach-sign --armor $i; done
$ for i in java-repository/org/apache/ant/ant*/*/*.jar java-repository/org/apache/ant/ant*/*/*.pom java-repository/org/apache/ant/ant*/*/*-cyclonedx.*; do gpg --use-agent --detach-sign --armor $i; done

11. Convert the part of the WHATSNEW file covering the changes
since the last release into HTML for the README file on the
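
Review bot: The new `java-repository/org/apache/ant/ant*/*/*-cyclonedx.*` glob in the second gpg loop is broader than the `*.jar` and `*.pom` patterns beside it: it matches any file whose name continues after `-cyclonedx.`, including a detached signature such as `<name>-cyclonedx.json.asc` left by an earlier run of this step, or a checksum file written next to the SBOM. Re-running the loop would then try to sign signatures or stop on gpg's overwrite prompt. Listing the SBOM extensions explicitly (for example `*-cyclonedx.json`) keeps the set of signed files predictable, and quoting `"$i"` would be a cheap addition while the line is being touched.
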
900 changes: 872 additions & 28 deletions build.xml

Large diffs are not rendered by default.

8 changes: 7 additions & 1 deletion fetch.xml
Expand Up @@ -388,8 +388,14 @@ Set -Ddest=LOCATION on the command line
<f2 project="org.tukaani" archive="xz"/>
</target>

<target name="ant-cyclonedx"
description="load CycloneDX Antlib"
depends="init">
<f2 project="org.apache.ant" archive="ant-cyclonedx"/>
</target>

<target name="all"
description="load all the libraries (except jython)"
depends="antunit,ivy,logging,junit,junitlauncher,xml,networking,regexp,antlr,bcel,jdepend,bsf,debugging,script,
javamail,jakartamail,jspc,jai,xz,junit-engine-vintage,junit-engine-jupiter,netrexx"/>
javamail,jakartamail,jspc,jai,xz,junit-engine-vintage,junit-engine-jupiter,netrexx,ant-cyclonedx"/>
</project>
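
Review bot: The new target is named `ant-cyclonedx`, while the existing entries in the `all` depends list use short names without the `ant-` prefix (`antunit`, even though its version property in lib/libraries.properties is `ant-antunit.version`); naming it `cyclonedx` would match that convention. Separately, `all` is described as "load all the libraries" and so far lists entries such as junit, javamail and xz, whereas ant-cyclonedx is tooling for producing the SBOM, so it is worth deciding whether every `all` fetch should pull it in or whether only the release procedure should depend on this target.
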
1 change: 1 addition & 0 deletions lib/libraries.properties
Expand Up @@ -35,6 +35,7 @@ m2.repo=https://repo1.maven.org/maven2/
# when a specific dependency forces them to be out-of-order
ivy.version=2.5.3
ant-antunit.version=1.4.1
ant-cyclonedx.version=0.1
antlr.version=2.7.7
bcel.version=6.9.0
bsf.version=2.4.0
104 changes: 104 additions & 0 deletions release/ivy.xml

Large diffs are not rendered by default.

355 changes: 355 additions & 0 deletions sboms/ant-1.10.18alpha-cyclonedx.json
@@ -0,0 +1,355 @@
{
"bomFormat" : "CycloneDX",
"specVersion" : "1.6",
"serialNumber" : "urn:uuid:2b3c6004-1754-4985-bbf1-27f088f2b856",
"version" : 1,
"metadata" : {
"timestamp" : "2026-06-07T12:52:38Z",
"lifecycles" : [
{
"phase" : "build"
}
],
"tools" : {
"components" : [
{
"type" : "library",
"supplier" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"manufacturer" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"publisher" : "The Apache Software Foundation",
"group" : "org.apache.ant",
"name" : "ant-cyclonedx",
"version" : "0.1",
"description" : "Apache CycloneDX Antlib",
"licenses" : [
{
"license" : {
"id" : "Apache-2.0",
"url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
],
"purl" : "pkg:maven/org.apache.ant/ant-cyclonedx@0.1?type=jar",
"externalReferences" : [
{
"type" : "vcs",
"url" : "https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git"
},
{
"type" : "license",
"url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
},
{
"type" : "build-system",
"url" : "https://ci-builds.apache.org/job/Ant/job/CycloneDX%20Antlib/"
Member

Hello Stefan, is the "build-system" type mandated for these SBOM files? Although ci-builds.apache.org is something that is almost guaranteed to be present (at least in the near future), I don't know if we can guarantee that the jobs referred to here are going to be "permanent". We keep changing their names etc. as and when it pleases us because they are just internal jobs. So I'm unsure if we should publish this job link in the SBOM.

Member Author

No external link is mandatory at all. I thought I'd put in as many as we can reasonably fill.

What you say about the CI system may also be true for the Bug-Tracker. I could change things to stop at the level of the Ant project rather than the individual component. Or even at the system level itself (i.e. ci-builds.apache.org and issues.apache.org).

The concrete line you commented on comes from the released ant-cyclonedx library and can only be modified with a new release, but I believe we are talking about the links in general.

},
{
"type" : "mailing-list",
"url" : "https://ant.apache.org/mail.html"
},
{
"type" : "issue-tracker",
"url" : "https://bz.apache.org/bugzilla/buglist.cgi?component=CycloneDX%20Antlib&product=Ant"
},
{
"type" : "website",
"url" : "https://ant.apache.org/antlibs/cyclonedx/"
},
{
"type" : "distribution",
"url" : "https://ant.apache.org/antlibs/bindownload.cgi"
},
{
"type" : "source-distribution",
"url" : "https://ant.apache.org/antlibs/srcdownload.cgi"
},
{
"type" : "security-contact",
"url" : "https://www.apache.org/security/"
}
]
}
]
},
"component" : {
"type" : "library",
"bom-ref" : "pkg:maven/org.apache.ant/ant@1.10.18-SNAPSHOT?type=jar",
"supplier" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"manufacturer" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"publisher" : "The Apache Software Foundation",
"group" : "org.apache.ant",
"name" : "ant",
"version" : "1.10.18-SNAPSHOT",
"description" : "Apache Ant Core",
"hashes" : [
{
"alg" : "MD5",
"content" : "5dd4aa18b6dc9a769fddf456d23525be"
},
{
"alg" : "SHA-1",
"content" : "abb46ac6ada0b6f0ecc7d2f8e10e0d1cd2011bac"
},
{
"alg" : "SHA-256",
"content" : "db0d4a594c65a4cb170d851b4cd3fe36a82e3dee8f2a3738393349606a503621"
},
{
"alg" : "SHA-512",
"content" : "ff48bfeb661736779287a6eb68b527793868e64f1da75e80649b3a6f7e0c29389f44bd17217fc0e0684761804388008f9b7c2e1d1112b79e8129b5fa5d0f1b91"
},
{
"alg" : "SHA3-256",
"content" : "20057d1b6fdd74af1a33a71f0494b88405931025d622979dcbccf4542565de9e"
},
{
"alg" : "SHA3-512",
"content" : "f9f4aceb500d8d4b15e6f0eec0c08c1d512682dc3edb2d51f5b6b9419e88d570e38e472328a2a0a0e685106d5266349878cea41dfdc4373911bd12f3b606c1d0"
},
{
"alg" : "SHA-384",
"content" : "79442c31e2b1a325105079aa9d1491deef6433e831fabdbf3e2f48a8835b4dca8cb975a8342accfddc18ca343a9d50da"
},
{
"alg" : "SHA3-384",
"content" : "49cb7a152090ba86cff13b76eeeee08a33986695e9e14f16ebca4bb4672d62e3e476381875fc9587fd57b2f802260154"
}
],
"licenses" : [
{
"license" : {
"id" : "Apache-2.0",
"url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
],
"purl" : "pkg:maven/org.apache.ant/ant@1.10.18-SNAPSHOT?type=jar",
"externalReferences" : [
{
"type" : "vcs",
"url" : "https://gitbox.apache.org/repos/asf/ant.git"
},
{
"type" : "issue-tracker",
"url" : "https://bz.apache.org/bugzilla/buglist.cgi?product=Ant"
},
{
"type" : "website",
"url" : "https://ant.apache.org/"
},
{
"type" : "advisories",
"url" : "https://ant.apache.org/security.html#Apache%20Ant%20Security%20Vulnerabilities"
},
{
"type" : "mailing-list",
"url" : "https://ant.apache.org/mail.html"
},
{
"type" : "documentation",
"url" : "https://ant.apache.org/manual/"
},
{
"type" : "source-distribution",
"url" : "https://ant.apache.org/srcdownload.cgi"
},
{
"type" : "distribution",
"url" : "https://ant.apache.org/bindownload.cgi"
},
{
"type" : "license",
"url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
},
{
"type" : "build-system",
"url" : "https://ci-builds.apache.org/job/Ant/"
},
{
"type" : "release-notes",
"url" : "https://github.com/apache/ant/blob/master/WHATSNEW"
},
{
"type" : "security-contact",
"url" : "https://www.apache.org/security/"
},
{
"type" : "rfc-9116",
"url" : "https://ant.apache.org/.well-known/security.txt"
Member

I didn't know that there was an RFC which specifies a security.txt file for projects. Good to know.

Member Author

Actually the "type" is an enum defined by the spec: https://cyclonedx.org/docs/1.7/json/#metadata_tools_oneOf_i0_components_items_externalReferences_items_type - the types may be more restricted based on the context they appear in, as they may apply to the SBOM itself or a component mentioned therein.

I vaguely recalled the RFC as I do have security.txt files for my own websites as well, but had forgotten it was an actual RFC.

}
]
},
"manufacturer" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"supplier" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"licenses" : [
{
"license" : {
"id" : "Apache-2.0",
"url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
]
},
"components" : [
{
"type" : "library",
"bom-ref" : "pkg:maven/org.apache.ant/ant-launcher@1.10.18-SNAPSHOT?type=jar",
"supplier" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"manufacturer" : {
"name" : "Apache Ant Project Management Committee",
"url" : [
"https://ant.apache.org/"
]
},
"publisher" : "The Apache Software Foundation",
"group" : "org.apache.ant",
"name" : "ant-launcher",
"version" : "1.10.18-SNAPSHOT",
"description" : "Apache Ant Launcher",
"hashes" : [
{
"alg" : "MD5",
"content" : "652c42e30abc21d8f65631798bf83a59"
},
{
"alg" : "SHA-1",
"content" : "d00960e241743e8ebe6328ef887c461b8e16bbd4"
},
{
"alg" : "SHA-256",
"content" : "4757294429f9f087a9fc9f3fd2ac1c0f4cddc507bc732e184401192864fa0491"
},
{
"alg" : "SHA-512",
"content" : "e820da4498ff55bbf77d0bb43311903279d153b4322931d4d4c15df2f9d4747833941ce9df08ca2cfe2525343f40a4fa6f33ccad633f4f527002dc85e4f8e179"
},
{
"alg" : "SHA3-256",
"content" : "3d545b66f1216a64690ae91d34b7ff687b6f5e9d067b2c8d703c959098d396a0"
},
{
"alg" : "SHA3-512",
"content" : "5cac03f87bee7c0a2a4fbdfad7c3e35cd6266f140a90695173f93263c792e63662e33cdd5aaed9d2bbe625ee9c42f7f4eccb0f12b510094075acf3468a439b97"
},
{
"alg" : "SHA-384",
"content" : "942643635f7a5bb201f19f99caf0099285d2b93bf46605de13c1920a03efb64a619b5f7b82e03bfe64353de2ec58511f"
},
{
"alg" : "SHA3-384",
"content" : "ac3f8171353410ee6b9f454be024726516cfe531cf0e7041028ed82e60954d0e904b6fda09465754db283707984eba72"
}
],
"licenses" : [
{
"license" : {
"id" : "Apache-2.0",
"url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
],
"purl" : "pkg:maven/org.apache.ant/ant-launcher@1.10.18-SNAPSHOT?type=jar",
"externalReferences" : [
{
"type" : "vcs",
"url" : "https://gitbox.apache.org/repos/asf/ant.git"
},
{
"type" : "issue-tracker",
"url" : "https://bz.apache.org/bugzilla/buglist.cgi?product=Ant"
},
{
"type" : "website",
"url" : "https://ant.apache.org/"
},
{
"type" : "advisories",
"url" : "https://ant.apache.org/security.html#Apache%20Ant%20Security%20Vulnerabilities"
},
{
"type" : "mailing-list",
"url" : "https://ant.apache.org/mail.html"
},
{
"type" : "documentation",
"url" : "https://ant.apache.org/manual/"
},
{
"type" : "source-distribution",
"url" : "https://ant.apache.org/srcdownload.cgi"
},
{
"type" : "distribution",
"url" : "https://ant.apache.org/bindownload.cgi"
},
{
"type" : "license",
"url" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
},
{
"type" : "build-system",
"url" : "https://ci-builds.apache.org/job/Ant/"
},
{
"type" : "release-notes",
"url" : "https://github.com/apache/ant/blob/master/WHATSNEW"
},
{
"type" : "security-contact",
"url" : "https://www.apache.org/security/"
},
{
"type" : "rfc-9116",
"url" : "https://ant.apache.org/.well-known/security.txt"
}
]
}
],
"dependencies" : [
{
"ref" : "pkg:maven/org.apache.ant/ant@1.10.18-SNAPSHOT?type=jar",
"dependsOn" : [
"pkg:maven/org.apache.ant/ant-launcher@1.10.18-SNAPSHOT?type=jar"
]
},
{
"ref" : "pkg:maven/org.apache.ant/ant-launcher@1.10.18-SNAPSHOT?type=jar",
"dependsOn" : [ ]
}
]
}
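
Review bot: The committed file is named `ant-1.10.18alpha-cyclonedx.json`, but every component in it carries `1.10.18-SNAPSHOT` in its `version`, `purl` and `bom-ref`, together with `hashes` and a `metadata.timestamp` taken from one particular build. Those digests only describe that one snapshot build, so anyone checking a released jar against this file gets a mismatch; consider generating the SBOM as part of the release build instead of keeping a snapshot copy in the tree, or state in the PR that this file is a sample. The `hashes` arrays also list `MD5` and `SHA-1` next to the SHA-2 and SHA-3 digests; since the stronger digests are already present, dropping the two weak ones would keep consumers from verifying against them.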