
cyclonedx sbom published for builds has an XML extension but contains JSON

Open pjfanning opened this issue 10 months ago • 1 comments

https://repository.apache.org/content/groups/staging/org/apache/pekko/pekko-actor-typed_2.13/1.2.0-M1-RC1/pekko-actor-typed_2.13-1.2.0-M1-RC1-cyclonedx.xml

Actually has JSON and not XML.

I don't think this is a release blocker, especially because this is just a milestone release.

Partial content:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.6",
  "version" : 1,
  "metadata" : {
    "tools" : [
      {
        "name" : "CycloneDX SBT plugin",
        "version" : "0.4.0"
      }
    ]
  },
  "components" : [
    {
      "type" : "library",
      "bom-ref" : "pkg:maven/org.scala-lang/scala-library@2.13.16",
      "group" : "org.scala-lang",
      "name" : "scala-library",
      "version" : "2.13.16",
      "scope" : "required",
      "hashes" : [
        {
          "alg" : "MD5",
          "content" : "0794d44b2d6c8e395cc9684ab50d82d7"
        },
        {
          "alg" : "SHA-1",
          "content" : "9e064d9304904fd7b6bd2b55a9e601b8c1c9006e"
        },
        {
          "alg" : "SHA-256",
          "content" : "1ebb2b6f9e4eb4022497c19b1e1e825019c08514f962aaac197145f88ed730f1"
        },
        {
          "alg" : "SHA-512",
          "content" : "31054e41700bdc3c2546083d6dbac2c4e7bb693674d7abed1ed72a0d551bae4b4238d3fa2da8472d5af3b5e7d636326d6b9dc0d8357630ffb9d7c6a434fdb894"
        },
        {
          "alg" : "SHA-384",
          "content" : "758c65023454212af7c8507da25e6d9a631420531c7dbf8c74f97ba773721d9f7c498e83bc3d40d34ddbe1ff6b4e8b2a"
        },
        {
          "alg" : "SHA3-384",
          "content" : "6d487f5710ad296ddd2cce44c242fe0a4ff73fff19e98d8da97e65b684ef67ce31a5698d7d96a5b3eb4456602326bcbf"
        },
        {
          "alg" : "SHA3-256",
          "content" : "b376d8f0dbdbbfaed2ed6d98baa27cc029673762a90cfbe69dce3a95fee7c47c"
        },
        {
          "alg" : "SHA3-512",
          "content" : "c6d25774a0d1f417cb3c5f5f5ae34730117f9643890b045b31014bc08afc222f5bb278aaaca623c1e9ba097bd9b3de5198f56339962050f8e8cb4fa9b52ae68f"
        }
      ],
      "licenses" : [
        {
          "license" : {
            "id" : "Apache-2.0",
            "url" : "https://www.apache.org/licenses/LICENSE-2.0"
          }
        }
      ],
      "purl" : "pkg:maven/org.scala-lang/scala-library@2.13.16",
      "modified" : false,
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "https://www.scala-lang.org/"
        }
      ]
    },

fyi @raboof

pjfanning avatar Jan 31 '25 00:01 pjfanning

https://github.com/sbt/sbt-sbom/pull/116 is looking for a reviewer :)

raboof avatar Jan 31 '25 10:01 raboof
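
A release-pipeline check for the mismatch reported in this issue, as an added example that is not code from Pekko or sbt-sbom: it classifies a CycloneDX SBOM by its content and compares the result with the file extension. The function names and the sample documents are assumptions constructed for illustration; only the artifact file name is taken from the issue.

```python
import codecs
import io
import json
import xml.etree.ElementTree as ET
from pathlib import Path

CDX_XML_NS = "{http://cyclonedx.org/schema/bom/"   # versioned namespace prefix
EXPECTED = {".json": "json", ".xml": "xml"}

def sniff_sbom_format(data: bytes) -> str:
    """Classify an SBOM as 'json', 'xml' or 'unknown' from its bytes only."""
    raw = data[len(codecs.BOM_UTF8):] if data.startswith(codecs.BOM_UTF8) else data
    raw = raw.lstrip()
    if raw.startswith(b"{"):
        try:
            doc = json.loads(raw)
        except ValueError:
            return "unknown"
        is_cdx = isinstance(doc, dict) and doc.get("bomFormat") == "CycloneDX"
        return "json" if is_cdx else "unknown"
    if raw.startswith(b"<"):
        try:
            # Only the root start tag is needed; do not build the whole tree.
            _, root = next(ET.iterparse(io.BytesIO(raw), events=("start",)))
        except (ET.ParseError, StopIteration):
            return "unknown"
        if root.tag.startswith(CDX_XML_NS) and root.tag.endswith("}bom"):
            return "xml"
    return "unknown"

def check_artifact(name: str, data: bytes):
    """Return None when extension and content agree, else a finding string."""
    ext = Path(name).suffix.lower()
    expected = EXPECTED.get(ext)
    actual = sniff_sbom_format(data)
    if expected is None:
        return f"{name}: unexpected SBOM extension {ext!r}"
    if actual != expected:
        return f"{name}: extension implies {expected}, content is {actual}"
    return None

# Constructed samples: a trimmed JSON BOM shaped like the excerpt above,
# and a minimal XML BOM.
SAMPLE_JSON = b'{"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1}'
SAMPLE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1"/>')
ARTIFACT = "pekko-actor-typed_2.13-1.2.0-M1-RC1-cyclonedx.xml"  # name from the issue

if __name__ == "__main__":
    print(check_artifact(ARTIFACT, SAMPLE_JSON))
    print(check_artifact(ARTIFACT, SAMPLE_XML))
```

Run over the staged `*-cyclonedx.*` files, a non-None result is the condition to fail the build on, since SBOM consumers that pick a parser from the extension would reject the file.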