siculo
Allow project-specific customization
It would be good to provide projects with a way to make project-specific customizations to the Bom object, so we allow them to express facts about the software that are not picked up automatically yet (such as embedded/shaded artifacts).
Maybe we can refactor things so that creating the Bom object is a separate sbt task, that can then be overridden in the project, so the customized Bom object is picked up by the configuration that adds it to the published artifacts.
Do you think of modelling our own Bom object or exposing the cyclonedx Bom object to the user? The first option would pobably make it format-agnostic and it would be easier to support spdx in the future.
Good question. I could see value in either: indeed having our own Bom object is useful when making changes that should apply to both CycloneDX and (later) SPDX, but hooking into the upstream data structures would allow more fine-grained format-specific tweaks. If we end up implementing SPDX support (#89) with https://github.com/spdx/cdx2spdx then updates to the CycloneDX might also affect SPDX.
As this is a poweruser feature I'd be OK with not committing to any particular API yet and just doing 'the simplest thing that could possibly work', knowing we can refactor it later.