support for maven-shade-plugin
#472
Comments
Yes, using a CycloneDX assembly would be the correct way to represent this.
evidence.identity can also be used to describe the technique and confidence.

By assembly do you mean

Correct @ppkarwasz
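One way to encode the distinction the thread discusses, as an added example that is not the cyclonedx-maven-plugin's own code nor the output of the linked demo project: the shaded jar is the root component, the dependencies that maven-shade-plugin embedded become its nested `components` (a CycloneDX assembly), and the dependencies that stay external remain top-level components wired into the `dependencies` graph. The embedded entries carry `evidence.identity` to say how and how confidently they were identified. The project coordinates, the dependency list, and the `manifest-analysis` technique with its 0.8 confidence are all constructed for illustration, not values any tool emitted.

```python
"""Build a CycloneDX 1.5 JSON SBOM that separates shaded-in ("embedded")
dependencies from regular ones. Constructed example, not plugin output."""
import json

# Constructed sample: (group, artifact, version, embedded_by_shade_plugin)
SAMPLE_PROJECT = ("com.example", "shaded-app", "1.0.0")
SAMPLE_DEPS = [
    ("com.example", "embedded-lib", "1.2.3", True),
    ("com.example", "embedded-util", "4.5.6", True),
    ("com.example", "runtime-api", "7.8.9", False),
]


def purl(group, artifact, version):
    """Maven package URL, also used as the bom-ref so refs stay unique."""
    return f"pkg:maven/{group}/{artifact}@{version}?type=jar"


def component(group, artifact, version, embedded=False):
    ref = purl(group, artifact, version)
    comp = {
        "type": "library",
        "bom-ref": ref,
        "group": group,
        "name": artifact,
        "version": version,
        "purl": ref,
    }
    if embedded:
        # Assumption for this example: the identity of a shaded-in library was
        # recovered from the pom.properties that maven-shade keeps under
        # META-INF/maven/. The technique and confidence are illustrative.
        comp["evidence"] = {
            "identity": {
                "field": "purl",
                "confidence": 0.8,
                "methods": [
                    {
                        "technique": "manifest-analysis",
                        "confidence": 0.8,
                        "value": f"META-INF/maven/{group}/{artifact}/pom.properties",
                    }
                ],
            }
        }
    return comp


def build_bom(project, deps):
    """Return a CycloneDX 1.5 document (as a dict) for the shaded jar."""
    group, artifact, version = project
    root_ref = purl(group, artifact, version)
    root = {
        "type": "application",
        "bom-ref": root_ref,
        "group": group,
        "name": artifact,
        "version": version,
        "purl": root_ref,
    }
    embedded = [component(g, a, v, True) for g, a, v, e in deps if e]
    regular = [component(g, a, v, False) for g, a, v, e in deps if not e]
    if embedded:
        # Assembly: libraries physically contained in the jar are nested
        # under it rather than listed as separate top-level components.
        root["components"] = embedded
    # Only the external dependencies appear in the dependency graph; the
    # assembly already expresses that the embedded ones ship inside the jar.
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": root},
        "components": regular,
        "dependencies": [
            {"ref": root_ref, "dependsOn": [c["bom-ref"] for c in regular]},
            *[{"ref": c["bom-ref"], "dependsOn": []} for c in regular],
        ],
    }


def embedded_refs(bom):
    """bom-refs of dependencies shaded into the root jar (the assembly)."""
    return [c["bom-ref"] for c in bom["metadata"]["component"].get("components", [])]


def regular_refs(bom):
    """bom-refs of dependencies the jar still needs on the classpath."""
    return [c["bom-ref"] for c in bom["components"]]


if __name__ == "__main__":
    print(json.dumps(build_bom(SAMPLE_PROJECT, SAMPLE_DEPS), indent=2))
```

A consumer that flattens nested components will still see every library, which is what a vulnerability scanner wants; a consumer that walks only `dependencies` will see just the external ones, which is what a classpath or deployment check wants. That split is the reason to prefer the assembly over, say, a custom property on each component.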
When using maven-shade-plugin, the SBOM should likely somehow encode which dependencies are 'embedded' in the jar, and which are 'regular' dependencies.
AFAIK there is no convention on how to express this difference yet in CycloneDX. Likely it would make sense to make use of the assembly concept?
I have a test/demo project for this at https://github.com/raboof/maven-shade-sbom/