Alexey Loubyansky

Results 94 comments of Alexey Loubyansky

AFAIU, currently `bom-ref`s are not required to be explicitly set in the text document and, if absent, would be set to the value of `purl`. To be able to parse...

Just so I understand it correctly, don't `bom-ref`s exist specifically to record dependencies? Are they used for anything else? It's true that `bom-ref`s do allow recording dependency trees (runtime, build...

`./mvnw -Psbom` from the platform project generates SBOMs for all the members.

It depends on what you expect to be captured in an SBOM. But generally, I think we can make it work.

It depends on what the consumer of the SBOM is expecting to find in it. It's about the supply chain story and depends on how many details of that story you...

Components (Maven artifacts) that come from Quarkus itself.

Prod and test resources may have differences. It might be tricky to evaluate whether an existing build outcome can be re-used as the outcome of the subsequent build.

> I think this same mechanism could be useful for lifting the [restriction](https://quarkus.io/guides/capabilities#capabilitybuilditem) that, in order to be visible to the tools, capabilities have to be registered in the pom.xml...

@MFehmiB does `quarkus create app` work? It looks like it shouldn't be specific to `quarkus update`.

Yes, we have all the info, of course. It's a matter of properly manifesting it. I'll share some examples soon.