Craig Andrews
I'm still really hoping to see this merged 🤞 Thank you all for this great work and your continued efforts!
> is there a plan to maintain Jakarta EE release now that Spring 6 has its official release? [Spring Boot 3 was released in November 2022](https://spring.io/blog/2022/11/24/spring-boot-3-0-goes-ga) and it uses `jakarta.*`...
Is there a workaround or otherwise a fix available for this issue? I'm attempting to run the tests in https://github.com/aquasecurity/trivy-policies (using `make bundle`) and hitting this issue.
I also tested with `clamav/clamav:unstable` and got the same result.
I reported this finding to the esbuild project; here's their response: https://github.com/evanw/esbuild/issues/3599#issuecomment-1894585562. It appears that the Go standard library contains these bytes at https://github.com/golang/go/blob/b44f6378233ada888f0dc79e0ac56def4673d9ed/src/net/http/sniff.go#L183-L190 which is what's being picked up...
Other tools, such as Trivy, are now producing CycloneDX 1.5 SBOMs: https://github.com/aquasecurity/trivy/releases/tag/v0.43.0
Reported issue to the library at https://github.com/CycloneDX/cyclonedx-dotnet-library/issues/237
It appears that cyclonedx-cli was released a short time ago and it includes cyclonedx 1.5 support: https://github.com/CycloneDX/cyclonedx-cli/releases/tag/v0.25.0
I'm eagerly awaiting the merge of this improvement 🤞
Thanks for those great points - do the tweaks I made address those concerns? If not, please let me know what else I can do.