cyclonedx-maven-plugin
Upgrade to CycloneDX version 1.6
Version 1.6 of the CycloneDX spec was released on 09 April 2024.
The spec is available at https://cyclonedx.org/docs/1.6/json/
requires https://github.com/CycloneDX/cyclonedx-core-java/issues/392
@XSpielinbox @hboutemy The CycloneDX Core Java version 9.00 has been released with CycloneDX 1.6 support, thanks to @mr-zepol, @stevespringett, and @nscuro for their help with this.
https://github.com/CycloneDX/cyclonedx-core-java/releases/tag/cyclonedx-core-java-9.0.0
A heads-up wrt progressing further.
cyclonedx-core-java v9.0.0 has had this issue reported: CycloneDX/cyclonedx-core-java/issues/409
It is being worked on with a fix due ASAP (thanks to @mr-zepol).
So, suggest it will be cyclonedx-core-java v9.0.1 that will be needed in order to unlock being able to add support for CycloneDX 1.6 in the maven plugin.
@hboutemy, with the release of cyclonedx-core-java v9.0.2 that addresses validation failures, things should now be unblocked, allowing support for CycloneDX 1.6 to be added to the maven plugin.
@msymons ok is there any update to the generated content we should do while changing the dependency version? Or is it just about generating a new "1.6" value to the version field?
@hboutemy , apologies for the slow response.
For me, there are several reasons for upgrading:
- Support for the latest version of the specification is important for CycloneDX projects because they are reference implementations. In that sense, it does not matter if the maven plugin cannot deliver on the two new areas of 1.6 functionality: crypto and attestations. Or can it? As the maven expert you would know best on this.
- Avoiding build-up of technical debt (or, just spotting problems earlier). I use the maven plugin extensively and all BOMs are uploaded to the latest version of Dependency-Track and the latest DT Snapshot as well... with DT also being a reference implementation for CycloneDX. DT now includes schema validation for uploaded BOMs and the Snapshot (i.e., upcoming v4.12.0) does now support CycloneDX 1.6. Thus, the quicker the plugin supports CycloneDX 1.6, the quicker we can get feedback that all is looking good!
- Upgrading core-java to 9.0.x (9.0.3 now released) offers additional functionality. Specifically, an additional SPDX Licence ID mapping. It's for MPL, so I very much look forward to the next release of the maven plugin generating a BOM that includes this mapping so that my rhino components can now be evaluated by DT license policies. If that works then I plan to submit PRs to core-java for additional (more useful) mappings.
For what it's worth, I think there is a bunch of CycloneDX 1.5 functionality currently missing that could/should be supported by the plugin... but that's a separate concern.