cyclonedx-maven-plugin icon indicating copy to clipboard operation
cyclonedx-maven-plugin copied to clipboard
verified publisher icon CycloneDX

support for `maven-shade-plugin`

Open raboof opened this issue 1 year ago • 21 comments

When using maven-shade-plugin, the sbom should likely somehow encode which dependencies are 'embedded' in the jar, and which are 'regular' dependencies.

AFAIK there is no convention on how to express this difference yet in CycloneDX. Likely it would make sense to make use of the assembly concept?

I have a test/demo project for this at https://github.com/raboof/maven-shade-sbom/

raboof avatar Mar 06 '24 16:03 raboof

Yes, using a CycloneDX assembly would be the correct way to represent this.

stevespringett avatar Mar 07 '24 05:03 stevespringett

evidence.identity can also be used to describe the technique and confidence.

prabhu avatar Apr 18 '24 12:04 prabhu

@stevespringett,

By assembly do you mean components.components or something else?

ppkarwasz avatar May 16 '24 06:05 ppkarwasz

Correct @ppkarwasz

stevespringett avatar May 16 '24 14:05 stevespringett