Merge pull request #39 from spdx/releasepom

Update POM file to use release plugin

RELEASE-CHECKLIST.md

@@ -0,0 +1,10 @@
+# Release Checklist for the CycloneDX to SPDX Utilities
+
+- [ ] Check for any warnings from the compiler and findbugs
+- [ ] Run unit tests
+- [ ] Run dependency check to find any potential vulnerabilities `mvn dependency-check:check`
+- [ ] Run `mvn release:prepare` - you will be prompted for the release - typically take the defaults
+- [ ] Run `mvn release:perform`
+- [ ] Release artifacts to Maven Central
+- [ ] Create a Git release including release notes
+- [ ] Zip up the files from the Maven archive and add them to the release

dependency-check-supress.xml

@@ -31,4 +31,12 @@
       <packageUrl regex="true">^pkg:maven/org\.apache\.poi/poi\-ooxml\-schemas@.*$</packageUrl>
       <cve>CVE-2022-26336</cve>
    </suppress>
+   <suppress>
+      <notes><![CDATA[
+      file name: jackson-databind-2.14.0-rc1.jar
+      the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+      <cve>CVE-2023-35116</cve>
+   </suppress>
 </suppressions>

pom.xml

@@ -31,8 +31,9 @@
 	</organization>
 	<scm>
 		<url>https://github.com/spdx/cdx2spdx</url>
-		<connection>https://github.com/spdx/cdx2spdx.git</connection>
-		<developerConnection>https://github.com/spdx/cdx2spdx.git</developerConnection>
+		<connection>scm:git:git@github.com:spdx/cdx2spdx.git</connection>
+		<developerConnection>scm:git:git@github.com:spdx/cdx2spdx.git</developerConnection>
+		<tag>main</tag>
 	</scm>
 	<issueManagement>
 		<system>Github</system>
@@ -55,7 +56,7 @@
 	  <sonar.host.url>https://sonarcloud.io</sonar.host.url>
 	  <sonar.organization>spdx</sonar.organization>
 	  <sonar.projectKey>cdx2spdx</sonar.projectKey>
-	  <dependency-check-maven.version>7.2.1</dependency-check-maven.version>
+	  <dependency-check-maven.version>8.4.3</dependency-check-maven.version>
     </properties>
 	<profiles>
 		<profile>
@@ -68,9 +69,23 @@
 			</properties>
 		</profile>
 		<profile>
-			<id>gpg-signing</id>
+			<id>release</id>
 			<build>
 				<plugins>
+				   	<plugin>
+				      <groupId>org.apache.maven.plugins</groupId>
+				      <artifactId>maven-source-plugin</artifactId>
+				      <version>3.2.1</version>
+				      <executions>
+				        <execution>
+				          <id>attach-sources</id>
+				          <phase>verify</phase>
+				          <goals>
+				            <goal>jar-no-fork</goal>
+				          </goals>
+				        </execution>
+				      </executions>
+				    </plugin>
 					<plugin>
 		      			<groupId>org.apache.maven.plugins</groupId>
 		      			<artifactId>maven-gpg-plugin</artifactId>
@@ -185,7 +200,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.8.0</version>
+				<version>3.11.0</version>
 				<configuration>
 					<release>11</release>
 					<encoding>${project.build.sourceEncoding}</encoding>
@@ -238,20 +253,6 @@
 					</execution>
 				</executions>
 			</plugin>
-		   	<plugin>
-		      <groupId>org.apache.maven.plugins</groupId>
-		      <artifactId>maven-source-plugin</artifactId>
-		      <version>3.2.1</version>
-		      <executions>
-		        <execution>
-		          <id>attach-sources</id>
-		          <phase>verify</phase>
-		          <goals>
-		            <goal>jar-no-fork</goal>
-		          </goals>
-		        </execution>
-		      </executions>
-		    </plugin>
 			<plugin>
 				<groupId>org.spdx</groupId>
 					<artifactId>spdx-maven-plugin</artifactId>
@@ -292,6 +293,16 @@
 						<originator>Organization: Source Auditor Inc.</originator>
 					</configuration>
 	          </plugin>
+			  <plugin>
+			    <groupId>org.apache.maven.plugins</groupId>
+			    <artifactId>maven-release-plugin</artifactId>
+			    <version>3.0.1</version>
+			    <configuration>
+			      <tagNameFormat>v@{project.version}</tagNameFormat>
+			      <releaseProfiles>release</releaseProfiles>
+			      <goals>deploy</goals>
+			    </configuration>
+			  </plugin>
 		</plugins>
   	</build>
 </project>