Wayne Beaton

Results: 169 comments of Wayne Beaton

> Just for my understanding: After an artifact is checked and deemed acceptable, I guess you will identify it later via its coordinates in a stable Repository (like Maven Central)?...

I'll note that the problem that we're trying to solve here is not "make the Dash License Tool happy", but to more generally improve the odds that any attempts to...

If, for example, you added a license header with an `SPDX-License-Identifier` tag to the top of the `license` files in bndtools/bnd (e.g., [GPL_2_0.java](https://github.com/bndtools/bnd/blob/77fd67eb25d4e1509c8a0b733ec8477af57c3393/biz.aQute.bnd.annotation/src/aQute/bnd/annotation/licenses/GPL_2_0.java)), then automated tools would have a fighting...
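
The point above is that a machine-readable tag lets a scanner recover the licence where prose alone cannot. The following is an added example (not code from the original comment, nor from bndtools/bnd or the Dash License Tool) of the kind of check such a tool performs: it looks for an `SPDX-License-Identifier` tag in a file header, tolerates the usual comment syntaxes, and sorts the result against a small approval list. The `APPROVED` set, the file names and the file contents are all constructed for the example and are not Eclipse policy or bnd's real sources.

```python
import re
from typing import Dict, Optional

# Matches the SPDX short-form tag wherever it sits on a line, tolerating the usual
# comment prefixes (//, #, /* ... */, *, <!-- -->) and a trailing comment closer.
_SPDX_TAG = re.compile(
    r"SPDX-License-Identifier:\s*(?P<expr>[A-Za-z0-9.+\-()\s]+?)\s*(?:\*/|-->)?\s*$"
)

# Licence identifiers this hypothetical policy pre-approves; anything else is
# routed to a human. The set is an assumption for the example, not Eclipse policy.
APPROVED = {"EPL-2.0", "Apache-2.0", "MIT", "BSD-3-Clause"}


def find_spdx_identifier(text: str, max_lines: int = 30) -> Optional[str]:
    """Return the SPDX expression declared in the first max_lines, or None."""
    for line in text.splitlines()[:max_lines]:
        m = _SPDX_TAG.search(line)
        if m:
            return m.group("expr").strip()
    return None


def classify(expr: Optional[str]) -> str:
    """Map an SPDX expression to 'approved', 'review' or 'missing'."""
    if expr is None:
        return "missing"
    # Split a compound expression on AND/OR and parentheses; 'X WITH Y' is kept
    # together so an exception is judged alongside its base licence.
    parts = [p.strip() for p in re.split(r"\s+(?:AND|OR)\s+|[()]", expr)]
    parts = [p for p in parts if p]
    return "approved" if parts and all(p in APPROVED for p in parts) else "review"


def scan(files: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Scan {path: contents}; report the detected expression and its status per file."""
    report = {}
    for path, text in files.items():
        expr = find_spdx_identifier(text)
        report[path] = {"spdx": expr, "status": classify(expr)}
    return report


# Constructed sample files (not bnd's sources): one tagged GPL in a line comment,
# one tagged inside a block comment, and one whose licence is named only in prose,
# which a tag scanner cannot see.
SAMPLE_FILES = {
    "licenses/GPL_2_0.java": (
        "// SPDX-License-Identifier: GPL-2.0-only\n"
        "package example.licenses;\n"
        "public @interface GPL_2_0 {}\n"
    ),
    "src/Util.java": (
        "/*\n"
        " * Copyright (c) 2024 Example Contributors\n"
        " * SPDX-License-Identifier: Apache-2.0\n"
        " */\n"
        "class Util {}\n"
    ),
    "src/Legacy.java": (
        "// Licensed under the Eclipse Public License, version 2.0\n"
        "class Legacy {}\n"
    ),
}

if __name__ == "__main__":
    for path, row in scan(SAMPLE_FILES).items():
        print(f"{path:24} {row['status']:9} {row['spdx']}")
```

The third sample file is the failure mode the comment describes: a human reads "Eclipse Public License, version 2.0" and knows what it means, but without the tag the scanner reports `missing` and the file lands in the manual-review pile.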

Returning back to the original request... You can create an IPLab issue with an [attachment](https://www.eclipse.org/projects/handbook/#ip-request-attachments).

Any thoughts on any of the above, @juergen-albert?

> (Probably obvious but [cyclonedx-core-java](https://github.com/CycloneDX/cyclonedx-core-java) library should probably be used to add support for **CycloneDX**: it is used by [cyclonedx-maven-plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin))

Yup. There's no point in reinventing this....

@sbernard31 The tools that generate SBOMs grab licence information directly from the content. The Maven plug-in, for example, grabs licence information from the pom.xml files of dependencies. This licence information...

I don't think that it's strange. We'd effectively be post-processing. Another option is to sort out how to extend the SBOM generators to use our licence information.
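
The post-processing option mentioned above, as an added example that is not code from the original comment, the Eclipse Foundation or CycloneDX: the generator has already copied whatever licence strings the dependencies' pom.xml files declared, so a second pass overlays curated licence data keyed by package URL, keeps the generator's original value in a `properties` entry for auditability, and reports which components were overridden and which still have no reviewed licence. The `CURATED` map, the purls, the `example:declared-license` property name and the sample SBOM are all constructed for the example; only the minimal subset of the CycloneDX JSON layout used here (`components`, `purl`, `licenses` with `license.id`/`license.name`/`expression`, `properties` with `name`/`value`) is taken from the CycloneDX schema.

```python
import copy
from typing import Dict, List, Tuple

# Curated licence data keyed by package URL. In practice this would be exported
# from the foundation's own review records; here it is a constructed stand-in.
CURATED: Dict[str, str] = {
    "pkg:maven/org.example/lib-a@1.2.0": "EPL-2.0",
    "pkg:maven/org.example/lib-b@3.0.1": "Apache-2.0",
}


def _declared_licenses(component: dict) -> List[str]:
    """Flatten CycloneDX 'licenses' entries (id, name or expression) into strings."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name", "?"))
    return out


def overlay_licenses(sbom: dict, curated: Dict[str, str]) -> Tuple[dict, dict]:
    """Return a copy of the SBOM with curated licences applied, plus a report.

    For every component whose purl is in `curated`, the declared licence list is
    replaced by the curated SPDX id; the generator's original value is kept in a
    hypothetical 'example:declared-license' property so the change is auditable.
    Components not in `curated` are left as generated and listed as unreviewed.
    """
    result = copy.deepcopy(sbom)  # never mutate the generator's output in place
    report = {"overridden": {}, "unreviewed": []}
    for comp in result.get("components", []):
        purl = comp.get("purl")
        declared = _declared_licenses(comp)
        if purl in curated:
            comp["licenses"] = [{"license": {"id": curated[purl]}}]
            comp.setdefault("properties", []).append(
                {"name": "example:declared-license",
                 "value": ", ".join(declared) or "none"}
            )
            report["overridden"][purl] = (declared, curated[purl])
        else:
            report["unreviewed"].append(purl)
    return result, report


# Constructed sample SBOM, shaped like the output of a Maven CycloneDX generator.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {   # the pom named the licence in free text; the generator copied it verbatim
            "type": "library",
            "purl": "pkg:maven/org.example/lib-a@1.2.0",
            "licenses": [{"license": {"name": "Eclipse Public License"}}],
        },
        {   # the pom had no <licenses> block at all
            "type": "library",
            "purl": "pkg:maven/org.example/lib-b@3.0.1",
        },
        {   # not in the curated set: left as generated and reported
            "type": "library",
            "purl": "pkg:maven/org.example/lib-c@0.9.0",
            "licenses": [{"expression": "MIT OR Apache-2.0"}],
        },
    ],
}

if __name__ == "__main__":
    fixed, rep = overlay_licenses(SAMPLE_SBOM, CURATED)
    for purl, (before, after) in rep["overridden"].items():
        print(f"{purl}: {before or ['none']} -> {after}")
    print("unreviewed:", rep["unreviewed"])
```

The `unreviewed` list is the actionable output: it is exactly the set of dependencies for which the SBOM still carries only what the upstream pom.xml happened to say, and so the set that needs a review record before the SBOM's licence data can be trusted.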

Yes. I'm mostly concerned with dependencies. We can coach our own project teams to get the metadata right. Moving forward, it looks like Sonatype is doing a better job...

> Ok I get it your point now. Maybe SBOM generator could also warn to get folks to specify good metadata ? The biggest challenge here is that many of...