Support additional external references on main artifact #421

Closed
ppkarwasz opened this issue Nov 4, 2023 · 1 comment

Comments

@ppkarwasz
Contributor

ppkarwasz commented Nov 4, 2023

Version 1.5 of CycloneDX introduces new interesting external reference types, such as vulnerability-assertion (VEX), exploitability-statement (VDR) or static-analysis-report.

It would be useful to be able to add such references to the main component of the SBOM through a plugin configuration like this:

<configuration>
  <externalReferences>
    <reference type="exploitability-statement">
      <url>https://...</url>
    </reference>
  </externalReferences>
</configuration>

(the proposed schema is identical to the CycloneDX schema).

This configuration would add additional <reference> elements:

  • for simple SBOMs only to the /metadata/component/externalReferences element of the SBOM,
  • for aggregate SBOMs also to the /components/component/externalReferences elements representing Maven modules.

Such a feature could easily replace #414.
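As an added illustration (not code from the issue or from cyclonedx-maven-plugin), the following Python sketch applies the proposed behaviour to an existing CycloneDX 1.5 XML BOM: the configured references go to /metadata/component/externalReferences and, for an aggregate BOM, to the /components/component entries that are Maven modules. The `module_purls` parameter (how the modules are identified), the helper names and the sample BOM are assumptions for the example; a small check helper lists which components ended up with the reference.

```python
import xml.etree.ElementTree as ET
NS = "http://cyclonedx.org/schema/bom/1.5"
ET.register_namespace("", NS)  # keep the default namespace on output, as the plugin writes it
def _q(tag):
    return f"{{{NS}}}{tag}"

# A component's children form an xs:sequence in the 1.5 schema; these must follow externalReferences.
_AFTER_EXT_REFS = {_q(t) for t in ("properties", "components", "evidence", "releaseNotes", "modelCard", "data", "signature")}

def _ext_refs(component):
    """Return the component's <externalReferences>, creating it at the schema-correct position."""
    ext = component.find(_q("externalReferences"))
    if ext is None:
        ext = ET.Element(_q("externalReferences"))
        idx = next((i for i, c in enumerate(component) if c.tag in _AFTER_EXT_REFS), len(component))
        component.insert(idx, ext)
    return ext

def add_external_references(bom_xml, refs, module_purls=()):
    """refs: [(type, url)] pairs mirroring the proposed plugin config. Always applied to /metadata/component;
    also to each /components/component whose purl is in module_purls (assumption: caller knows the modules)."""
    root = ET.fromstring(bom_xml)
    main = root.find(f"{_q('metadata')}/{_q('component')}")
    if main is None:
        raise ValueError("BOM has no /metadata/component to attach references to")
    modules = [c for c in root.iterfind(f"{_q('components')}/{_q('component')}")
               if c.findtext(_q("purl")) in set(module_purls)]
    for comp in [main, *modules]:
        ext = _ext_refs(comp)
        for ref_type, url in refs:
            ET.SubElement(ET.SubElement(ext, _q("reference"), type=ref_type), _q("url")).text = url
    return ET.tostring(root, encoding="unicode")

def references_by_purl(bom_xml, ref_type):
    """Check helper: {purl: [urls]} for every component carrying a reference of the given type."""
    found = {}
    for comp in ET.fromstring(bom_xml).iter(_q("component")):
        urls = [r.findtext(_q("url")) for r in comp.iterfind(f"{_q('externalReferences')}/{_q('reference')}")
                if r.get("type") == ref_type]
        if urls:
            found[comp.findtext(_q("purl"))] = urls
    return found

# Constructed sample: an aggregate BOM with one Maven module (core) and one third-party dependency.
SAMPLE_BOM = f"""<bom xmlns="{NS}" version="1"><metadata><component type="library"><group>org.example</group>
<name>parent</name><version>1.0.0</version><purl>pkg:maven/org.example/parent@1.0.0?type=pom</purl>
</component></metadata><components><component type="library"><group>org.example</group><name>core</name>
<version>1.0.0</version><purl>pkg:maven/org.example/core@1.0.0?type=jar</purl><properties/></component>
<component type="library"><group>org.slf4j</group><name>slf4j-api</name><version>2.0.9</version>
<purl>pkg:maven/org.slf4j/slf4j-api@2.0.9?type=jar</purl></component></components></bom>"""
```

Calling `add_external_references(SAMPLE_BOM, [("exploitability-statement", url)])` without `module_purls` reproduces the simple-SBOM case; passing the module purls reproduces the aggregate case, and the third-party dependency is left untouched either way.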

ppkarwasz added a commit to ppkarwasz/logging-parent that referenced this issue Nov 4, 2023
The `cyclonedx-maven-plugin` still has some limitations that prevent it
from publishing a reproducible `serialNumber`
(CycloneDX/cyclonedx-maven-plugin#420) and adding a reference to a VEX
document (CycloneDX/cyclonedx-maven-plugin#419 and
CycloneDX/cyclonedx-maven-plugin#421).

This PR provides a temporary workaround that will allow us to produce a
CycloneDX SBOM (only the XML version), enhanced with these two elements.
vy added a commit to apache/logging-parent that referenced this issue Nov 6, 2023
* Add `serialNumber` and VEX references to generate SBOMs

The `cyclonedx-maven-plugin` still has some limitations that prevent it
from publishing a reproducible `serialNumber`
(CycloneDX/cyclonedx-maven-plugin#420) and adding a reference to a VEX
document (CycloneDX/cyclonedx-maven-plugin#419 and
CycloneDX/cyclonedx-maven-plugin#421).

This PR provides a temporary workaround that will allow us to produce a
CycloneDX SBOM (only the XML version), enhanced with these two elements.

---------

Co-authored-by: Volkan Yazıcı <volkan@yazi.ci>
vy added a commit to vy/cyclonedx-maven-plugin that referenced this issue Nov 10, 2023
vy added a commit to vy/cyclonedx-maven-plugin that referenced this issue Nov 10, 2023
Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
vy added a commit to vy/cyclonedx-maven-plugin that referenced this issue Nov 27, 2023
Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
hboutemy pushed a commit that referenced this issue Dec 9, 2023
Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
vy added a commit to vy/cyclonedx-maven-plugin that referenced this issue Jan 5, 2024
Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
vy added a commit to vy/cyclonedx-maven-plugin that referenced this issue Jan 15, 2024
Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
hboutemy pushed a commit that referenced this issue Jan 15, 2024
* Add support for custom external references (#421)

Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>
@hboutemy
Contributor

done in #428
