Add support for CycloneDX 1.5 BOMs #317
Comments
There are multiple PRs in progress to support 1.5.
While writing spec 1.5 SBOMs was added for version 8.0.0 via #316, it seems that the serialized JSON (and XML) do not pass validation as I'm getting
for (Kotlin) code

```kotlin
val metadata = Metadata().apply {
    timestamp = Date()
    toolChoice = ToolInformation().apply {
        components = listOf(
            Component().apply {
                type = Component.Type.APPLICATION
                name = ORT_FULL_NAME
                version = Environment.ORT_VERSION
            }
        )
    }
    licenseChoice = LicenseChoice().apply { expression = dataLicense }
}
```
@mr-zepol looks like this went unnoticed as the test data still uses the deprecated way to declare tools.
This is still valid metadata, the deprecated tool was not removed and from the spec examples (where those tests were created) they are still valid https://github.com/CycloneDX/specification/blob/master/tools/src/test/resources/1.5/valid-metadata-tool-deprecated-1.5.xml
I will check this and will be back with more info, I am going to try to reproduce it, thanks
Right; what I was trying to say is: If you use the non-deprecated way and declare tools via
I found the issue, I hope to have a PR soon so it can be merged and have a new release for this, thank you |
I can confirm that release 8.0.1 fixed the issue, thanks. So I guess this issue can be closed @stevespringett?
DependencyTrack/dependency-track#2850 lists this project as a dependency.
https://github.com/CycloneDX/cdxgen has support; maybe cherry-pick commits related to Java sections.
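
The two ways of declaring tools discussed in this thread (the deprecated `tools` array and the 1.5 object form holding `components`) can be told apart and sanity-checked on the serialized JSON before a BOM is handed to a consumer. The following is an added example, not code from cyclonedx-core-java or ORT: it is a structural check based on the `metadata.tools` definition in the CycloneDX 1.5 JSON schema, not a full schema validation, and the name `check_tools` is hypothetical.

```python
# Added example: structural check of metadata.tools in a CycloneDX 1.5 JSON BOM.
# Covers only the shape of metadata.tools; it is not a full schema validation.

LEGACY_TOOL_KEYS = {"vendor", "name", "version", "hashes", "externalReferences"}
TOOLS_OBJECT_KEYS = {"components", "services"}
# Required properties of the entries in each array of the 1.5 object form.
REQUIRED = (("components", ("type", "name")), ("services", ("name",)))


def check_tools(bom):
    """Return a list of problems found in bom['metadata']['tools'] (empty = OK)."""
    tools = bom.get("metadata", {}).get("tools")
    if tools is None:
        return []  # metadata.tools is optional
    problems = []
    if isinstance(tools, list):
        # Deprecated form: array of {vendor, name, version, ...} objects.
        for i, tool in enumerate(tools):
            if not isinstance(tool, dict):
                problems.append(f"tools[{i}]: expected object")
                continue
            extra = set(tool) - LEGACY_TOOL_KEYS
            if extra:
                problems.append(f"tools[{i}]: unexpected keys {sorted(extra)}")
        return problems
    if isinstance(tools, dict):
        # 1.5 form: object holding 'components' and/or 'services' arrays.
        extra = set(tools) - TOOLS_OBJECT_KEYS
        if extra:
            problems.append(f"tools: unexpected keys {sorted(extra)}")
        for key, required in REQUIRED:
            entries = tools.get(key, [])
            if not isinstance(entries, list):
                problems.append(f"tools.{key}: expected array")
                continue
            for i, entry in enumerate(entries):
                if not isinstance(entry, dict):
                    problems.append(f"tools.{key}[{i}]: expected object")
                    continue
                missing = [r for r in required if r not in entry]
                if missing:
                    problems.append(f"tools.{key}[{i}]: missing {missing}")
        return problems
    return [f"tools: expected array or object, got {type(tools).__name__}"]
```

Running this over generator output in a test suite catches a serializer that emits neither of the two accepted shapes, independent of which way the tools were declared in code.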