Can 'externalReferences' be disabled?
I'm just wondering if 'externalReferences' can be disabled since they are optional?
My problem is, that I don't want this information in my bom since I don't want some internal company information "leaked".
The second problem I have is that I don't get how the External Reference type 'website' is calculated. The documentation (https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html) states that it is taken from POM field 'project.url'. Now if the dependency has no 'project.url' itself, but its parent has one, it calculates the 'website' something like "website = parent 'project.url' + artifactId", which leads to odd URLs. I wonder if this is a bug? Could not find any documentation on this behaviour.
I'm just wondering if 'externalReferences' can be disabled since they are optional?
no option has been prepared for that: I fear this could add a lot of complexity, without a use case until now
I don't want this information in my bom since I don't want some internal company information "leaked".
thinking about it, managing such expectation about redacting content is probably something that should be done as a post-processing step
something like "website = parent 'project.url' + artifactId", which leads to odd URLs. I wonder if this is a bug? Could not find any documentation on this behaviour.
here is the documentation of the mechanism involved = inheritance: https://maven.apache.org/ref/3.9.8/maven-model-builder/#inheritance-assembly, which is one of the mechanisms about building effective POM
Thanks for clearing things up
We use the jq command-line tool to delete contents from the generated bom:

jq 'del(.dependencies, .metadata, .components[].properties, .components[].hashes, .components[].scope, .components[].swid, .components[].cpe) | del(.components[] | try .externalReferences[] | select(.type | IN("issue-tracker", "website", "vcs") | not)) | del(.components[] | try .externalReferences[].comment)'
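The post-processing redaction the maintainer suggests, as an added example that is not part of this thread or of the plugin: a Python script applying the same rules as the jq filter above (drop dependencies and per-component fields, keep only an allowlist of externalReferences types, strip comments) over a constructed sample BOM. It goes a step further by also walking nested components and metadata.component, which a top-level .components[] filter does not reach; SAMPLE_BOM, KEEP_TYPES and the hostnames in it are assumptions.

```python
import json
from copy import deepcopy

# Constructed sample BOM (not from the thread): an internal VCS host, a website
# URL derived from the parent POM, an internal repository and a nested component.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "app", "externalReferences": [
        {"type": "vcs", "url": "https://git.internal.example/app.git"}]}},
    "components": [{
        "type": "library", "group": "com.example", "name": "lib-a", "version": "1.0",
        "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
        "externalReferences": [
            {"type": "website", "url": "https://parent.example/lib-a", "comment": "from parent POM"},
            {"type": "distribution", "url": "https://nexus.internal.example/repo"}],
        "components": [{"type": "library", "name": "nested", "externalReferences": [
            {"type": "issue-tracker", "url": "https://jira.internal.example"}]}]}],
    "dependencies": [{"ref": "pkg:maven/com.example/lib-a@1.0"}],
}

KEEP_TYPES = {"website", "vcs", "issue-tracker"}          # same allowlist as the jq filter
DROP_KEYS = ("properties", "hashes", "scope", "swid", "cpe")

def redact_component(component, keep_types=KEEP_TYPES):
    """Remove DROP_KEYS, filter externalReferences by type, strip comments,
    then recurse into nested components. Mutates and returns `component`."""
    for key in DROP_KEYS:
        component.pop(key, None)
    refs = component.get("externalReferences")
    if refs is not None:
        kept = [{k: v for k, v in ref.items() if k != "comment"}
                for ref in refs if ref.get("type") in keep_types]
        if kept:
            component["externalReferences"] = kept
        else:
            del component["externalReferences"]   # drop the key rather than emit an empty array
    for child in component.get("components", []):
        redact_component(child, keep_types)
    return component

def redact_bom(bom, keep_types=KEEP_TYPES):
    """Return a redacted deep copy; the input BOM is left untouched."""
    out = deepcopy(bom)
    out.pop("dependencies", None)
    meta_component = out.get("metadata", {}).get("component")
    if meta_component:
        redact_component(meta_component, keep_types)
    for component in out.get("components", []):
        redact_component(component, keep_types)
    return out

if __name__ == "__main__":
    print(json.dumps(redact_bom(SAMPLE_BOM), indent=2))
```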