Update Dependency-Track BOM to Support CycloneDX 1.5 #3602
Should also update https://github.com/DependencyTrack/dependency-track/blob/master/src/main/resources/services.bom.json, and ensure that merging the BOM generated during the build with the services BOM linked above still works. For reference, this command is executed in CI to achieve this:

The merge is performed using the CycloneDX CLI (lines 516 to 540 in 757a966).

It may be necessary to update the CLI in order to support CDX v1.5. In that case, this step in CI must be changed accordingly: dependency-track/.github/workflows/_meta-build.yaml, lines 36 to 42 in 757a966.
Current Behavior
The latest release of DT is v4.10.1 and the BOM is published as a release asset.
The BOM is generated using CycloneDX v2.7.9, which only supports CDX 1.4.
Proposed Behavior

- `specVersion` = 1.5
- `documentation` (via plugin config) to link to the DT documentation website.
- `chat` (link to Slack)
- `distribution-intake`. Thus, `distribution` should be defined in plugin configuration to point to the actual download location.
- `security-contact`?
- `release-notes`?

The list of possibilities is big. The intention of this enhancement is to provide additional value in the BOM, but also to use the BOM as a reference implementation (which will also apply once the BOM is uploaded to a DT instance for analysis).
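The two concerns raised in this issue, bumping the BOM to `specVersion` 1.5 with a richer set of `externalReferences` and making sure the CI merge of the build BOM with services.bom.json still works afterwards, can be checked with a small script. The following is an added example and not Dependency-Track's own code or its CI step: the real merge is done by the CycloneDX CLI, and this only models the parts the checks depend on. The `EXTERNAL_REFERENCES` entries use the reference types named above with placeholder URLs, the two input BOMs are constructed stand-ins, and the 1.5 type enum is reproduced from memory of the schema, so verify it against the published bom-1.5.schema.json before relying on it. Both `components` and `services` arrays are handled, since the page does not show which of the two services.bom.json actually contains.

```python
"""
Added example (not Dependency-Track's own code): a minimal model of the CI step that
merges the build-generated BOM with services.bom.json, followed by the checks a
reviewer would run on the result after the bump to CycloneDX 1.5. The real merge is
done by the CycloneDX CLI; this only reproduces the behaviour the checks depend on.
"""
import json

# CycloneDX 1.5 externalReferences "type" enum (reproduced from memory of
# bom-1.5.schema.json; re-check against the published schema before relying on it).
CDX_15_EXTREF_TYPES = {
    "vcs", "issue-tracker", "website", "advisories", "bom", "mailing-list", "social",
    "chat", "documentation", "support", "distribution", "distribution-intake",
    "license", "build-meta", "build-system", "release-notes", "security-contact",
    "model-card", "log", "configuration", "evidence", "formulation", "attestation",
    "threat-model", "adversary-model", "risk-assessment", "vulnerability-assertion",
    "exploitability-statement", "pentest-report", "static-analysis-report",
    "dynamic-analysis-report", "runtime-analysis-report", "component-analysis-report",
    "maturity-report", "certification-report", "codified-infrastructure",
    "quality-metrics", "poam", "other",
}

# Hypothetical plugin configuration for metadata.component.externalReferences.
# The issue names the types; the URLs here are placeholders, not DT's real links.
EXTERNAL_REFERENCES = [
    {"type": "documentation", "url": "https://docs.example.org/dependency-track/"},
    {"type": "chat", "url": "https://chat.example.org/dependency-track"},
    {"type": "distribution", "url": "https://releases.example.org/dependency-track/"},
    {"type": "security-contact", "url": "https://example.org/dependency-track/security"},
    {"type": "release-notes", "url": "https://docs.example.org/dependency-track/changelog/"},
]

# Constructed stand-ins for the two merge inputs (not real DT artefacts).
BUILD_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "dependency-track",
                               "version": "0.0.0-example"}},
    "components": [
        {"type": "library", "name": "lib-a", "version": "1.0.0",
         "purl": "pkg:maven/org.example/lib-a@1.0.0"},
        {"type": "library", "name": "lib-a", "version": "1.0.0",  # duplicate on purpose
         "purl": "pkg:maven/org.example/lib-a@1.0.0"},
        {"type": "library", "name": "lib-b", "version": "2.3.4",
         "purl": "pkg:maven/org.example/lib-b@2.3.4"},
    ],
}
SERVICES_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "services": [
        {"bom-ref": "svc-vuln-feed", "name": "vulnerability feed",
         "endpoints": ["https://feed.example.org/api"]},
    ],
}


def identity(entry):
    """De-duplication key for a component or service across the two inputs."""
    return entry.get("purl") or entry.get("bom-ref") or (entry.get("name"), entry.get("version"))


def merge_boms(build_bom, services_bom, external_references):
    """Union of components and services, with externalReferences set on the root component."""
    merged = {
        "bomFormat": "CycloneDX",
        "specVersion": build_bom["specVersion"],
        "version": 1,
        "metadata": json.loads(json.dumps(build_bom.get("metadata", {}))),  # deep copy
    }
    for section in ("components", "services"):
        seen, out = set(), []
        for bom in (build_bom, services_bom):
            for entry in bom.get(section, []):
                key = identity(entry)
                if key not in seen:
                    seen.add(key)
                    out.append(entry)
        if out:
            merged[section] = out
    merged["metadata"].setdefault("component", {})["externalReferences"] = list(external_references)
    return merged


def check_bom(bom, inputs, expected_spec="1.5"):
    """Return a list of problems with the merged BOM; an empty list means it passes."""
    problems = []
    if bom.get("specVersion") != expected_spec:
        problems.append(f"specVersion is {bom.get('specVersion')!r}, expected {expected_spec!r}")
    refs = bom.get("metadata", {}).get("component", {}).get("externalReferences", [])
    for ref in refs:
        if ref.get("type") not in CDX_15_EXTREF_TYPES:
            problems.append(f"externalReference type {ref.get('type')!r} is not in the 1.5 enum")
        if not str(ref.get("url", "")).startswith("https://"):
            problems.append(f"externalReference {ref.get('type')!r} has a non-https URL")
    present = {ref.get("type") for ref in refs}
    for required in ("documentation", "distribution"):
        if required not in present:
            problems.append(f"missing externalReference of type {required!r}")
    # Nothing from either input may be lost by the merge.
    for section in ("components", "services"):
        have = {identity(e) for e in bom.get(section, [])}
        for src in inputs:
            for entry in src.get(section, []):
                if identity(entry) not in have:
                    problems.append(f"{section}: {identity(entry)!r} dropped during merge")
    return problems


if __name__ == "__main__":
    merged = merge_boms(BUILD_BOM, SERVICES_BOM, EXTERNAL_REFERENCES)
    print(json.dumps(merged, indent=2))
    print("problems:", check_bom(merged, [BUILD_BOM, SERVICES_BOM]))
```

Run it as-is to see the merged document and an empty problem list; feed the real CI output into `check_bom` (with the real inputs) to catch a CLI that still emits 1.4, a reference type outside the 1.5 enum, or services silently dropped by the merge.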