From 011dcc52d155b4ba54a79ca49f57e35db42fbd58 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sat, 23 May 2026 18:32:23 +0200
Subject: [PATCH 1/9] add dependencies necessary for ant-antlibs-cyclonedx

I've manually copied the antlib jar itself to lib/optional
---
 fetch.xml                | 8 +++++++-
 lib/libraries.properties | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/fetch.xml b/fetch.xml
index d223ecb8d1..da05846478 100644
--- a/fetch.xml
+++ b/fetch.xml
@@ -388,8 +388,14 @@ Set -Ddest=LOCATION on the command line
     <f2 project="org.tukaani" archive="xz"/>
   </target>
 
+  <target name="cyclonedx-core-java"
+          description="load CycloneDX Core (Java) library"
+          depends="init">
+    <f2 project="org.cyclonedx" archive="cyclonedx-core-java"/>
+  </target>
+
   <target name="all"
     description="load all the libraries (except jython)"
     depends="antunit,ivy,logging,junit,junitlauncher,xml,networking,regexp,antlr,bcel,jdepend,bsf,debugging,script,
-      javamail,jakartamail,jspc,jai,xz,junit-engine-vintage,junit-engine-jupiter,netrexx"/>
+      javamail,jakartamail,jspc,jai,xz,junit-engine-vintage,junit-engine-jupiter,netrexx,cyclonedx-core-java"/>
 </project>
diff --git a/lib/libraries.properties b/lib/libraries.properties
index 15fe1994a5..46351acc70 100644
--- a/lib/libraries.properties
+++ b/lib/libraries.properties
@@ -42,6 +42,7 @@ bsh.version=2.0b5
 commons-net.version=3.10.0
 commons-logging.version=1.1
 commons-logging-api.version=${commons-logging.version}
+cyclonedx-core-java.version=12.2.0
 js.version=20.1.0
 js-scriptengine.version=${js.version}
 # Note - When updating the hamcrest version here, make sure to also update the

From 080da9854589f41758595bc2aa148190d26121a7 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 24 May 2026 10:33:43 +0200
Subject: [PATCH 2/9] start building a few SBOMs

---
 build.xml | 225 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 220 insertions(+), 5 deletions(-)

diff --git a/build.xml b/build.xml
index 5fd0edecfb..b66861cbf5 100644
--- a/build.xml
+++ b/build.xml
@@ -46,7 +46,7 @@
   <property name="optional.package" value="${taskdefs.package}/optional"/>
   <property name="type.package" value="${ant.package}/types"/>
   <property name="optional.type.package" value="${type.package}/optional"/>
-  <property name="apache.resolver.type.package" value="${type.package}/resolver"/>
+  <property name="apache-resolver.type.package" value="${type.package}/resolver"/>
   <property name="util.package" value="${ant.package}/util"/>
   <property name="regexp.package" value="${util.package}/regexp"/>
 
@@ -193,7 +193,7 @@
   </selector>
 
   <selector id="needs.apache-resolver">
-    <filename name="${apache.resolver.type.package}/"/>
+    <filename name="${apache-resolver.type.package}/"/>
   </selector>
 
   <selector id="needs.junit">
@@ -446,7 +446,7 @@
     <available property="netrexx.present"
                classname="netrexx.lang.Rexx"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="apache.resolver.present"
+    <available property="apache-resolver.present"
                classname="org.apache.xml.resolver.tools.CatalogResolver"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
     <available property="recent.xalan2.present"
@@ -723,7 +723,7 @@
           <or>
             <selector refid="needs.jdk9+"/>
             <selector refid="not.in.kaffe" if="kaffe"/>
-            <selector refid="needs.apache-resolver" unless="apache.resolver.present"/>
+            <selector refid="needs.apache-resolver" unless="apache-resolver.present"/>
             <selector refid="needs.junit" unless="junit.present"/> <!-- TODO should perhaps use -source 1.4? -->
             <selector refid="needs.junit4" unless="junit4.present"/>
             <selector refid="needs.junitlauncher" unless="junitlauncher.present"/>
@@ -2020,7 +2020,7 @@ ${antunit.reports}
 
           <!-- needs resolver.jar to work -->
           <exclude name="${optional.package}/XmlValidateCatalogTest.java"
-                   unless="apache.resolver.present"/>
+                   unless="apache-resolver.present"/>
 
           <!-- needs jasperc -->
           <exclude name="${optional.package}/JspcTest.java"
@@ -2217,4 +2217,219 @@ ${antunit.reports}
     </dn:wix>
   </target>
 
+  <!--
+       ===================================================================
+         CycloneDX targets - create SBOMs
+       ===================================================================
+  -->
+  <available property="cyclonedx.antlib.present"
+             classname="org.apache.ant.cyclonedx.ComponentBomTask"
+             classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
+
+  <target name="init-cyclonedx" if="cyclonedx.antlib.present">
+    <typedef uri="antlib:org.apache.ant.cyclonedx"
+      resource="org/apache/ant/cyclonedx/antlib.xml">
+      <classpath refid="classpath"/>
+    </typedef>
+
+    <cdx:organization
+        name="Apache Ant Development Team"
+        id="ant-team"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <url url="https://ant.apache.org/"/>
+    </cdx:organization>
+    <cdx:license
+        licenseId="Apache-2.0"
+        id="apache-2"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <url url="https://www.apache.org/licenses/LICENSE-2.0.txt"/>
+    </cdx:license>
+    <cdx:externalreferenceset
+        id="ant-common-refs"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <externalReference
+          type="LICENSE"
+          url="https://www.apache.org/licenses/LICENSE-2.0.txt"/>
+      <externalReference
+          type="MAILING_LIST"
+          url="https://ant.apache.org/mail.html"/>
+      <externalReference
+          type="SECURITY_CONTACT"
+          url="https://www.apache.org/security/"/>
+      <externalReference
+          type="VCS"
+          url="https://github.com/apache/ant"/>
+      <externalReference
+          type="BUILD_SYSTEM"
+          url="https://ci-builds.apache.org/job/Ant/"/>
+      <externalReference
+          type="ISSUE_TRACKER"
+          url="https://bz.apache.org/bugzilla/buglist.cgi?product=Ant"/>
+      <externalReference
+          type="WEBSITE"
+          url="https://ant.apache.org/"/>
+      <externalReference
+          type="DISTRIBUTION"
+          url="https://ant.apache.org/bindownload.cgi"/>
+      <externalReference
+          type="SOURCE_DISTRIBUTION"
+          url="https://ant.apache.org/srcdownload.cgi"/>
+    </cdx:externalreferenceset>
+  </target>
+
+  <target name="component-boms" depends="init-cyclonedx,jars"
+          if="cyclonedx.antlib.present">
+
+    <property file="${lib.dir}/libraries.properties"/>
+
+    <cdx:componentbom
+        bomName="${name}-launcher-cyclonedx"
+        outputdirectory="${build.lib}"
+        format="all"
+        useComponentSupplier="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component
+          id="cdx-ant-launcher"
+          name="ant-launcher"
+          group="org.apache.ant"
+          version="${pom.version}"
+          description="Apache Ant Launcher"
+          publisher="The Apache Software Foundation"
+          manufacturerIsSupplier="true">
+        <file file="${build.lib}/${name}-launcher.jar"/>
+        <manufacturer refid="ant-team"/>
+        <license refid="apache-2"/>
+        <externalReferenceSet refid="ant-common-refs"/>
+      </component>
+      <license refid="apache-2"/>
+    </cdx:componentbom>
+    <cdx:componentbom
+        bomName="${name}-cyclonedx"
+        outputdirectory="${build.lib}"
+        format="all"
+        useComponentSupplier="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component
+          id="cdx-ant"
+          name="ant"
+          group="org.apache.ant"
+          version="${pom.version}"
+          description="Apache Ant Core"
+          publisher="The Apache Software Foundation"
+          manufacturerIsSupplier="true">
+        <file file="${build.lib}/${name}.jar"/>
+        <manufacturer refid="ant-team"/>
+        <license refid="apache-2"/>
+        <externalReferenceSet refid="ant-common-refs"/>
+        <dependency componentRef="cdx-ant-launcher"/>
+      </component>
+      <additionalComponent refid="cdx-ant-launcher"/>
+      <license refid="apache-2"/>
+    </cdx:componentbom>
+
+    <macrodef name="optional-sbom">
+      <attribute name="dep"/>
+      <attribute name="nameSuffix"/>
+      <element name="additionalContent" implicit="true" optional="true"/>
+      <sequential>
+        <cdx:componentbom
+            bomName="${optional.jars.prefix}-@{dep}-cyclonedx"
+            outputdirectory="${build.lib}"
+            format="all"
+            useComponentSupplier="true"
+            if:set="@{dep}.present" xmlns:if="ant:if"
+            xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+          <component
+              id="cdx-ant-@{dep}"
+              name="ant-@{dep}"
+              group="org.apache.ant"
+              version="${pom.version}"
+              description="Apache Ant @{nameSuffix}"
+              publisher="The Apache Software Foundation"
+              manufacturerIsSupplier="true">
+            <file file="${build.lib}/${optional.jars.prefix}-@{dep}.jar"/>
+            <manufacturer refid="ant-team"/>
+            <license refid="apache-2"/>
+            <externalReferenceSet refid="ant-common-refs"/>
+            <dependency componentRef="cdx-ant"/>
+            <dependency componentRef="cdx-@{dep}"/>
+          </component>
+          <additionalComponent refid="cdx-ant"/>
+          <additionalComponent refid="cdx-ant-launcher"/>
+          <additionalComponent refid="cdx-@{dep}"/>
+          <license refid="apache-2"/>
+          <additionalContent/>
+        </cdx:componentbom>
+      </sequential>
+    </macrodef>
+
+    <cdx:component
+        id="cdx-apache-resolver"
+        name="xml-resolver"
+        group="xml-resolver"
+        version="${xml-resolver.version}"
+        description="xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier."
+        publisher="The Apache Software Foundation"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license refid="apache-2"/>
+      <externalReference
+          type="WEBSITE"
+          url="http://xml.apache.org/commons/components/resolver/"/>
+    </cdx:component>
+    <optional-sbom dep="apache-resolver" nameSuffix="+ Apache Resolver"/>
+
+    <cdx:component
+        id="cdx-junit"
+        name="junit"
+        group="junit"
+        version="${junit.version}"
+        description="JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck."
+        publisher="JUnit"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license licenseId="EPL-1.0">
+        <url url="http://www.eclipse.org/legal/epl-v10.html"/>
+      </license>
+      <externalReference
+          type="WEBSITE"
+          url="http://junit.org"/>
+      <dependency componentRef="cdx-hamcrest"/>
+    </cdx:component>
+    <cdx:component
+        id="cdx-hamcrest"
+        name="hamcrest"
+        group="org.hamcrest"
+        version="${hamcrest.version}"
+        description="Core API and libraries of hamcrest matcher framework."
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license licenseId="BSD-3-Clause">
+        <url url="https://raw.githubusercontent.com/hamcrest/JavaHamcrest/master/LICENSE"/>
+      </license>
+      <externalReference
+          type="WEBSITE"
+          url="http://hamcrest.org/JavaHamcrest/"/>
+    </cdx:component>
+    <optional-sbom dep="junit" nameSuffix="+ JUnit">
+      <additionalComponent refid="cdx-hamcrest"/>
+    </optional-sbom>
+
+    <cdx:component
+        id="cdx-netrexx"
+        bomRef="https://www.netrexx.org/files/NetRexxC-${netrexx.version}.jar"
+        name="netrexx"
+        version="${netrexx.version}"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license licenseId="ICU">
+        <url url="https://github.com/RexxLA/NetRexx/blob/master/LICENSE"/>
+      </license>
+      <externalReference
+          type="WEBSITE"
+          url="https://www.netrexx.org/"/>
+      <externalReference
+          type="DISTRIBUTION"
+          url="https://www.netrexx.org/downloads.nsp"/>
+    </cdx:component>
+    <optional-sbom dep="netrexx" nameSuffix="+ NetRexx"/>
+
+  </target>
+
 </project>

From d005350a54ccb0263084770477ad3e8cec9b2445 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 24 May 2026 11:02:53 +0200
Subject: [PATCH 3/9] I must admit I no longer know why there is ant-junit and
 ant-junit4

---
 build.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/build.xml b/build.xml
index b66861cbf5..f46cb8482a 100644
--- a/build.xml
+++ b/build.xml
@@ -2412,11 +2412,20 @@ ${antunit.reports}
       <additionalComponent refid="cdx-hamcrest"/>
     </optional-sbom>
 
+    <cdx:component
+        id="cdx-junit4"
+        refid="cdx-junit"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx"/>
+    <optional-sbom dep="junit4" nameSuffix="+ JUnit 4">
+      <additionalComponent refid="cdx-hamcrest"/>
+    </optional-sbom>
+
     <cdx:component
         id="cdx-netrexx"
         bomRef="https://www.netrexx.org/files/NetRexxC-${netrexx.version}.jar"
         name="netrexx"
         version="${netrexx.version}"
+        unknownDependencies="true"
         xmlns:cdx="antlib:org.apache.ant.cyclonedx">
       <license licenseId="ICU">
         <url url="https://github.com/RexxLA/NetRexx/blob/master/LICENSE"/>

From a7c8426069b64d91b8c4e13566ac9e1d7d395dbf Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 24 May 2026 11:03:34 +0200
Subject: [PATCH 4/9] SBOM for ant-testutil.jar

---
 build.xml | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index f46cb8482a..cec142ca33 100644
--- a/build.xml
+++ b/build.xml
@@ -2277,7 +2277,7 @@ ${antunit.reports}
     </cdx:externalreferenceset>
   </target>
 
-  <target name="component-boms" depends="init-cyclonedx,jars"
+  <target name="component-boms" depends="init-cyclonedx,jars,test-jar"
           if="cyclonedx.antlib.present">
 
     <property file="${lib.dir}/libraries.properties"/>
@@ -2439,6 +2439,34 @@ ${antunit.reports}
     </cdx:component>
     <optional-sbom dep="netrexx" nameSuffix="+ NetRexx"/>
 
+    <cdx:componentbom
+        bomName="${name}-testutil-cyclonedx"
+        outputdirectory="${build.lib}"
+        format="all"
+        useComponentSupplier="true"
+        if:set="junit.present" xmlns:if="ant:if"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component
+          id="cdx-ant-testutil"
+          name="ant-testutil"
+          group="org.apache.ant"
+          version="${pom.version}"
+          description="Apache Ant Test Utilities"
+          publisher="The Apache Software Foundation"
+          manufacturerIsSupplier="true">
+        <file file="${build.lib}/${name}-testutil.jar"/>
+        <manufacturer refid="ant-team"/>
+        <license refid="apache-2"/>
+        <externalReferenceSet refid="ant-common-refs"/>
+        <dependency componentRef="cdx-ant"/>
+        <dependency componentRef="cdx-junit"/>
+      </component>
+      <additionalComponent refid="cdx-ant"/>
+      <additionalComponent refid="cdx-ant-launcher"/>
+      <additionalComponent refid="cdx-junit"/>
+      <additionalComponent refid="cdx-hamcrest"/>
+      <license refid="apache-2"/>
+    </cdx:componentbom>
   </target>
 
 </project>

From ec497cbd8712832ea05fe54c5b8abd50fd8064cd Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 24 May 2026 13:27:33 +0200
Subject: [PATCH 5/9] a few more sboms

---
 build.xml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 72 insertions(+), 6 deletions(-)

diff --git a/build.xml b/build.xml
index cec142ca33..9ef5062f73 100644
--- a/build.xml
+++ b/build.xml
@@ -476,10 +476,10 @@
     <available property="antlr.present"
                classname="antlr.Tool"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="apache.regexp.present"
+    <available property="apache-regexp.present"
                classname="org.apache.regexp.RE"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="apache.oro.present"
+    <available property="apache-oro.present"
                classname="org.apache.oro.text.regex.Perl5Matcher"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
     <available property="imageio.present"
@@ -509,7 +509,7 @@
     <available property="xerces.present"
                classname="org.apache.xerces.parsers.SAXParser"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="bcel.present"
+    <available property="apache-bcel.present"
                classname="org.apache.bcel.Constants"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
     <available property="javamail.present"
@@ -729,9 +729,9 @@
             <selector refid="needs.junitlauncher" unless="junitlauncher.present"/>
             <selector refid="needs.junit.engine.vintage" unless="junit.engine.vintage.present"/>
             <selector refid="needs.junit.engine.jupiter" unless="junit.engine.jupiter.present"/>
-            <selector refid="needs.apache-regexp" unless="apache.regexp.present"/>
-            <selector refid="needs.apache-oro" unless="apache.oro.present"/>
-            <selector refid="needs.apache-bcel" unless="bcel.present"/>
+            <selector refid="needs.apache-regexp" unless="apache-regexp.present"/>
+            <selector refid="needs.apache-oro" unless="apache-oro.present"/>
+            <selector refid="needs.apache-bcel" unless="apache-bcel.present"/>
             <selector refid="needs.apache-log4j" unless="log4j.present"/>
             <selector refid="needs.commons-logging" unless="commons.logging.present"/>
             <selector refid="needs.apache-bsf" unless="bsf.present"/>
@@ -2420,6 +2420,61 @@ ${antunit.reports}
       <additionalComponent refid="cdx-hamcrest"/>
     </optional-sbom>
 
+    <cdx:component
+        id="cdx-junitlauncher"
+        name="junit-platform-launcher"
+        group="org.junit.platform"
+        version="${junit-platform-launcher.version}"
+        description='Module "junit-platform-launcher" of JUnit 5.'
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license licenseId="EPL-2.0">
+        <url url="https://www.eclipse.org/legal/epl-v20.html"/>
+      </license>
+      <externalReference
+          type="WEBSITE"
+          url="https://junit.org/junit5"/>
+    </cdx:component>
+    <optional-sbom dep="junitlauncher" nameSuffix="+ JUnit 5"/>
+
+    <cdx:component
+        id="cdx-apache-regexp"
+        name="jakarta-regexp"
+        group="jakarta-regexp"
+        version="${jakarta-regexp.version}"
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license refid="apache-2"/>
+    </cdx:component>
+    <optional-sbom dep="apache-regexp" nameSuffix="+ Apache Regexp"/>
+
+    <cdx:component
+        id="cdx-apache-oro"
+        name="oro"
+        group="oro"
+        version="${oro.version}"
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license refid="apache-2"/>
+    </cdx:component>
+    <optional-sbom dep="apache-oro" nameSuffix="+ Apache Oro"/>
+
+    <cdx:component
+        id="cdx-apache-bcel"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <sbomLink>
+        <url
+            url="https://repo1.maven.org/maven2/org/apache/bcel/bcel/${bcel.version}/bcel-${bcel.version}-cyclonedx.json"/>
+      </sbomLink>
+    </cdx:component>
+    <optional-sbom dep="apache-bcel" nameSuffix="+ BCEL"/>
+
+    <!--optional-jar dep="apache-log4j"/>
+    <optional-jar dep="commons-logging"/>
+    <optional-jar dep="apache-bsf"/>
+    <optional-jar dep="javamail"/>
+    <optional-jar dep="jakartamail"/-->
+
     <cdx:component
         id="cdx-netrexx"
         bomRef="https://www.netrexx.org/files/NetRexxC-${netrexx.version}.jar"
@@ -2439,6 +2494,17 @@ ${antunit.reports}
     </cdx:component>
     <optional-sbom dep="netrexx" nameSuffix="+ NetRexx"/>
 
+    <!--optional-jar dep="commons-net"/>
+    <optional-jar dep="antlr"/>
+    <optional-jar dep="imageio"/>
+    <optional-jar dep="jmf"/>
+    <optional-jar dep="jai"/>
+    <optional-jar dep="swing"/>
+    <optional-jar dep="jsch"/>
+    <optional-jar dep="jdepend"/>
+    <optional-jar dep="apache-xalan2"/>
+    <optional-jar dep="xz"/-->
+
     <cdx:componentbom
         bomName="${name}-testutil-cyclonedx"
         outputdirectory="${build.lib}"

From 6e79857f4fa2ac94518449c3d1a2bf14b24a0c73 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 24 May 2026 19:33:06 +0200
Subject: [PATCH 6/9] complete set of SBOMs for all Ant jars

---
 build.xml | 256 +++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 227 insertions(+), 29 deletions(-)

diff --git a/build.xml b/build.xml
index 9ef5062f73..1e60a1c35d 100644
--- a/build.xml
+++ b/build.xml
@@ -440,7 +440,7 @@
     <available property="kaffe" classname="kaffe.util.NotImplemented"/>
     <available property="harmony"
                classname="org.apache.harmony.luni.util.Base64"/>
-    <available property="bsf.present"
+    <available property="apache-bsf.present"
                classname="org.apache.bsf.BSFManager"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
     <available property="netrexx.present"
@@ -449,7 +449,7 @@
     <available property="apache-resolver.present"
                classname="org.apache.xml.resolver.tools.CatalogResolver"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="recent.xalan2.present"
+    <available property="apache-xalan2.present"
                classname="org.apache.xalan.trace.TraceListenerEx3"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
     <available property="junit.present"
@@ -470,7 +470,7 @@
     <available property="antunit.present"
                classname="org.apache.ant.antunit.AntUnit"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="commons.net.present"
+    <available property="commons-net.present"
                classname="org.apache.commons.net.ftp.FTPClient"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
     <available property="antlr.present"
@@ -494,10 +494,10 @@
     <available property="jdepend.present"
                classname="jdepend.framework.JDepend"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="log4j.present"
+    <available property="apache-log4j.present"
                classname="org.apache.log4j.Logger"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
-    <available property="commons.logging.present"
+    <available property="commons-logging.present"
                classname="org.apache.commons.logging.LogFactory"
                classpathref="classpath" ignoresystemclasses="${ignoresystemclasses}"/>
     <available property="xalan.envcheck"
@@ -732,13 +732,13 @@
             <selector refid="needs.apache-regexp" unless="apache-regexp.present"/>
             <selector refid="needs.apache-oro" unless="apache-oro.present"/>
             <selector refid="needs.apache-bcel" unless="apache-bcel.present"/>
-            <selector refid="needs.apache-log4j" unless="log4j.present"/>
-            <selector refid="needs.commons-logging" unless="commons.logging.present"/>
-            <selector refid="needs.apache-bsf" unless="bsf.present"/>
+            <selector refid="needs.apache-log4j" unless="apache-log4j.present"/>
+            <selector refid="needs.commons-logging" unless="commons-logging.present"/>
+            <selector refid="needs.apache-bsf" unless="apache-bsf.present"/>
             <selector refid="needs.javamail" unless="javamail.present"/>
             <selector refid="needs.jakartamail" unless="jakartamail.present"/>
             <selector refid="needs.netrexx" unless="netrexx.present"/>
-            <selector refid="needs.commons-net" unless="commons.net.present"/>
+            <selector refid="needs.commons-net" unless="commons-net.present"/>
             <selector refid="needs.antlr" unless="antlr.present"/>
             <selector refid="needs.imageio" unless="imageio.present"/>
             <selector refid="needs.jmf" unless="jmf.present"/>
@@ -748,7 +748,7 @@
             <selector refid="needs.jsch" unless="jsch.present"/>
             <selector refid="needs.xz" unless="xz.present"/>
             <selector refid="needs.xmlschema" unless="xmlschema.present"/>
-            <selector refid="needs.apache-xalan2" unless="recent.xalan2.present"/>
+            <selector refid="needs.apache-xalan2" unless="apache-xalan2.present"/>
           </or>
         </not>
       </selector>
@@ -1984,19 +1984,19 @@ ${antunit.reports}
 
           <!-- needs BSF to work -->
           <exclude name="${optional.package}/Rhino*.java"
-                   unless="bsf.present"/>
+                   unless="apache-bsf.present"/>
           <exclude name="${optional.package}/Rhino*.java"
                    unless="rhino.present"/>
           <exclude name="${optional.package}/script/*.java"
-                   unless="bsf.present"/>
+                   unless="apache-bsf.present"/>
           <exclude name="${optional.package}/script/*.java"
                    unless="rhino.present"/>
           <exclude name="${optional.package}/BeanShellScriptTest.java"
-                   unless="bsf.present"/>
+                   unless="apache-bsf.present"/>
           <exclude name="${optional.package}/BeanShellScriptTest.java"
                    unless="beanshell.present"/>
           <exclude name="${optional.type.package}/Script*.java"
-                   unless="bsf.present"/>
+                   unless="apache-bsf.present"/>
           <exclude name="${optional.type.package}/Script*.java"
                    unless="rhino.present"/>
 
@@ -2469,11 +2469,55 @@ ${antunit.reports}
     </cdx:component>
     <optional-sbom dep="apache-bcel" nameSuffix="+ BCEL"/>
 
-    <!--optional-jar dep="apache-log4j"/>
-    <optional-jar dep="commons-logging"/>
-    <optional-jar dep="apache-bsf"/>
-    <optional-jar dep="javamail"/>
-    <optional-jar dep="jakartamail"/-->
+    <cdx:component
+        id="cdx-apache-log4j"
+        name="log4j"
+        group="log4j"
+        version="${log4j.version}"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license refid="apache-2"/>
+    </cdx:component>
+    <optional-sbom dep="apache-log4j" nameSuffix="+ Log4J 1.x"/>
+
+    <cdx:component
+        id="cdx-commons-logging"
+        name="commons-logging-api"
+        group="commons-logging"
+        version="${commons-logging-api.version}"
+        description="Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems."
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license refid="apache-2"/>
+    </cdx:component>
+    <optional-sbom dep="commons-logging" nameSuffix="+ Commons Logging"/>
+
+    <cdx:component
+        id="cdx-apache-bsf"
+        name="bsf"
+        group="bsf"
+        version="${bsf.version}"
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license refid="apache-2"/>
+    </cdx:component>
+    <optional-sbom dep="apache-bsf" nameSuffix="+ BSF"/>
+
+    <cdx:component
+        id="cdx-javamail"
+        name="javax.mail"
+        group="com.sun.mail"
+        version="${javax.mail.version}"
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx"/>
+    <optional-sbom dep="javamail" nameSuffix="+ JavaMail"/>
+
+    <cdx:component
+        id="cdx-jakartamail"
+        name="jakarta.mail"
+        group="com.sun.mail"
+        version="${jakarta.mail.version}"
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx"/>
+    <optional-sbom dep="jakartamail" nameSuffix="+ JakartaMail"/>
 
     <cdx:component
         id="cdx-netrexx"
@@ -2494,16 +2538,170 @@ ${antunit.reports}
     </cdx:component>
     <optional-sbom dep="netrexx" nameSuffix="+ NetRexx"/>
 
-    <!--optional-jar dep="commons-net"/>
-    <optional-jar dep="antlr"/>
-    <optional-jar dep="imageio"/>
-    <optional-jar dep="jmf"/>
-    <optional-jar dep="jai"/>
-    <optional-jar dep="swing"/>
-    <optional-jar dep="jsch"/>
-    <optional-jar dep="jdepend"/>
-    <optional-jar dep="apache-xalan2"/>
-    <optional-jar dep="xz"/-->
+    <cdx:component
+        id="cdx-commons-net"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <sbomLink>
+        <url
+            url="https://repo1.maven.org/maven2/commons-net/commons-net/${commons-net.version}/commons-net-${commons-net.version}-cyclonedx.json"/>
+      </sbomLink>
+    </cdx:component>
+    <optional-sbom dep="commons-net" nameSuffix="+ Commons Net"/>
+
+    <cdx:component
+        id="cdx-antlr"
+        name="antlr"
+        group="antlr"
+        version="${antlr.version}"
+        description="A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions."
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license name="BSD License">
+        <url url="http://www.antlr.org/license.html"/>
+      </license>
+      <externalReference
+          type="WEBSITE"
+          url="http://www.antlr.org/"/>
+    </cdx:component>
+    <optional-sbom dep="antlr" nameSuffix="+ ANTLR"/>
+
+    <cdx:componentbom
+        bomName="${name}-imageio-cyclonedx"
+        outputdirectory="${build.lib}"
+        format="all"
+        useComponentSupplier="true"
+        if:set="imageio.present" xmlns:if="ant:if"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component
+          id="cdx-ant-imageio"
+          name="ant-imageio"
+          group="org.apache.ant"
+          version="${pom.version}"
+          description="Apache Ant + ImageIO"
+          publisher="The Apache Software Foundation"
+          manufacturerIsSupplier="true">
+        <file file="${build.lib}/${name}-imageio.jar"/>
+        <manufacturer refid="ant-team"/>
+        <license refid="apache-2"/>
+        <externalReferenceSet refid="ant-common-refs"/>
+        <dependency componentRef="cdx-ant"/>
+      </component>
+      <additionalComponent refid="cdx-ant"/>
+      <additionalComponent refid="cdx-ant-launcher"/>
+      <license refid="apache-2"/>
+    </cdx:componentbom>
+
+    <cdx:componentbom
+        bomName="${name}-jmf-cyclonedx"
+        outputdirectory="${build.lib}"
+        format="all"
+        useComponentSupplier="true"
+        if:set="jmf.present" xmlns:if="ant:if"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component
+          id="cdx-ant-jmf"
+          name="ant-jmf"
+          group="org.apache.ant"
+          version="${pom.version}"
+          description="Apache Ant + JMF"
+          publisher="The Apache Software Foundation"
+          manufacturerIsSupplier="true">
+        <file file="${build.lib}/${name}-jmf.jar"/>
+        <manufacturer refid="ant-team"/>
+        <license refid="apache-2"/>
+        <externalReferenceSet refid="ant-common-refs"/>
+        <dependency componentRef="cdx-ant"/>
+      </component>
+      <additionalComponent refid="cdx-ant"/>
+      <additionalComponent refid="cdx-ant-launcher"/>
+      <license refid="apache-2"/>
+    </cdx:componentbom>
+
+    <cdx:component
+        id="cdx-jai"
+        name="jai-core"
+        group="javax.media"
+        description="The Java Advanced Imaging API extends the Java 2 platform by allowing sophisticated, high-performance image processing to be incorporated into Java applets and applications. It is a set of classes providing imaging functionality beyond that of Java 2D and the Java Foundation classes, though it is designed for compatibility with those APIs. This API implements a set of core image processing capabilities including image tiling, regions of interest, deferred execution and a set of core image processing operators, including many common point, area, and frequency domain operators."
+        version="${jai-core.version}"
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license name="Sun Microsystems, Inc. Binary Code License Agreement"/>
+    </cdx:component>
+    <optional-sbom dep="jai" nameSuffix="+ JAI"/>
+
+    <cdx:componentbom
+        bomName="${name}-swing-cyclonedx"
+        outputdirectory="${build.lib}"
+        format="all"
+        useComponentSupplier="true"
+        if:set="swing.present" xmlns:if="ant:if"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component
+          id="cdx-ant-swing"
+          name="ant-swing"
+          group="org.apache.ant"
+          version="${pom.version}"
+          description="Apache Ant + Swing"
+          publisher="The Apache Software Foundation"
+          manufacturerIsSupplier="true">
+        <file file="${build.lib}/${name}-swing.jar"/>
+        <manufacturer refid="ant-team"/>
+        <license refid="apache-2"/>
+        <externalReferenceSet refid="ant-common-refs"/>
+        <dependency componentRef="cdx-ant"/>
+      </component>
+      <additionalComponent refid="cdx-ant"/>
+      <additionalComponent refid="cdx-ant-launcher"/>
+      <license refid="apache-2"/>
+    </cdx:componentbom>
+
+    <cdx:component
+        id="cdx-jsch"
+        name="jsch"
+        group="com.jcraft"
+        description="JSch is a pure Java implementation of SSH2"
+        version="${jsch.version}"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <externalReference
+          type="WEBSITE"
+          url="http://www.jcraft.com/"/>
+      <license name="Revised BSD">
+        <url url="http://www.jcraft.com/jsch/LICENSE.txt"/>
+      </license>
+    </cdx:component>
+    <optional-sbom dep="jsch" nameSuffix="+ JSch"/>
+
+    <cdx:component
+        id="cdx-jdepend"
+        name="jdepend"
+        group="jdepend"
+        version="${jdepend.version}"
+        unknownDependencies="true"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx"/>
+    <optional-sbom dep="jdepend" nameSuffix="+ JDepend"/>
+
+    <cdx:component
+        id="cdx-apache-xalan2"
+        name="xalan"
+        group="xalan"
+        version="${xalan.version}"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <license refid="apache-2"/>
+    </cdx:component>
+    <optional-sbom dep="apache-xalan2" nameSuffix="+ Xalan 2"/>
+
+    <cdx:component
+        id="cdx-xz"
+        name="xz"
+        group="org.tukaani"
+        version="${xz.version}"
+        description="XZ data compression"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <externalReference
+          type="WEBSITE"
+          url="https://tukaani.org/xz/java.html"/>
+      <license name="Public Domain"/>
+    </cdx:component>
+    <optional-sbom dep="xz" nameSuffix="+ XZ for Java"/>
 
     <cdx:componentbom
         bomName="${name}-testutil-cyclonedx"

From 38918c17c186606e6ab10c3ea4199aa5d183668b Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 24 May 2026 19:46:17 +0200
Subject: [PATCH 7/9] add cyclonedx SBOMs to distributions

---
 build.xml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index 1e60a1c35d..b12ad93ee8 100644
--- a/build.xml
+++ b/build.xml
@@ -1030,7 +1030,7 @@
          Create the essential distribution that can run Apache Ant
        ===================================================================
   -->
-  <target name="dist-lite" depends="jars,test-jar,-ant-dist-warn-jdk9+"
+  <target name="dist-lite" depends="jars,test-jar,component-boms,-ant-dist-warn-jdk9+"
           description="--> creates a minimum distribution to run Apache Ant">
 
     <mkdir dir="${dist.dir}"/>
@@ -1415,6 +1415,12 @@
       </fileset>
       <mapper type="regexp" from="ant(.*).jar" to="ant\1/${project.version}/ant\1-${project.version}-sources.jar"/>
     </copy>
+    <copy todir="${java-repository.dir}">
+      <fileset dir="${dist.name}/lib">
+        <include name="ant*-cyclonedx.*"/>
+      </fileset>
+      <mapper type="regexp" from="ant(.*)-cyclonedx.(.*)" to="ant\1/${project.version}/ant\1-${project.version}-cyclonedx.\2"/>
+    </copy>
     <jar destfile="${java-repository.dir}/ant/${project.version}/ant-${project.version}-javadoc.jar"
       basedir="${build.javadocs}">
       <metainf dir="${build.dir}">

From 6f8f97ec8419de2b7261482b3186d61a84ba04fa Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sun, 24 May 2026 20:01:12 +0200
Subject: [PATCH 8/9] publish cyclonedx SBOMs

---
 ReleaseInstructions |   2 +-
 release/ivy.xml     | 104 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 105 insertions(+), 1 deletion(-)

diff --git a/ReleaseInstructions b/ReleaseInstructions
index f87c65ad5f..b89e642eef 100644
--- a/ReleaseInstructions
+++ b/ReleaseInstructions
@@ -158,7 +158,7 @@ Note: This document was adapted from the one created in the context of
     b. Using gpg
 
     $ for i in distribution/*/*.zip distribution/*/*.gz distribution/*/*.bz2 distribution/*/*.xz; do gpg --use-agent --detach-sign --armor $i; done
-    $ for i in java-repository/org/apache/ant/ant*/*/*.jar java-repository/org/apache/ant/ant*/*/*.pom; do gpg --use-agent --detach-sign --armor $i; done
+    $ for i in java-repository/org/apache/ant/ant*/*/*.jar java-repository/org/apache/ant/ant*/*/*.pom  java-repository/org/apache/ant/ant*/*/*-cyclonedx.*; do gpg --use-agent --detach-sign --armor $i; done
 
 11. Convert the part of the WHATSNEW file covering the changes
     since the last release into HTML for the README file on the
diff --git a/release/ivy.xml b/release/ivy.xml
index 1b414d9c7a..940f13d4d9 100644
--- a/release/ivy.xml
+++ b/release/ivy.xml
@@ -31,156 +31,260 @@
     <artifact name="ant" type="source.asc" ext="jar.asc" e:classifier="sources"/>
     <artifact name="ant" type="javadoc" ext="jar" e:classifier="javadoc"/>
     <artifact name="ant" type="javadoc.asc" ext="jar.asc" e:classifier="javadoc"/>
+    <artifact name="ant" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-antlr" type="pom" ext="pom"/>
     <artifact name="ant-antlr" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-antlr" type="jar" ext="jar"/>
     <artifact name="ant-antlr" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-antlr" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-antlr" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-antlr" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-antlr" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-antlr" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-antlr" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-apache-bcel" type="pom" ext="pom"/>
     <artifact name="ant-apache-bcel" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-apache-bcel" type="jar" ext="jar"/>
     <artifact name="ant-apache-bcel" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-apache-bcel" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-apache-bcel" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-apache-bcel" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-bcel" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-bcel" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-bcel" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-apache-bsf" type="pom" ext="pom"/>
     <artifact name="ant-apache-bsf" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-apache-bsf" type="jar" ext="jar"/>
     <artifact name="ant-apache-bsf" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-apache-bsf" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-apache-bsf" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-apache-bsf" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-bsf" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-bsf" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-bsf" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-apache-log4j" type="pom" ext="pom"/>
     <artifact name="ant-apache-log4j" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-apache-log4j" type="jar" ext="jar"/>
     <artifact name="ant-apache-log4j" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-apache-log4j" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-apache-log4j" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-apache-log4j" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-log4j" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-log4j" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-log4j" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-apache-oro" type="pom" ext="pom"/>
     <artifact name="ant-apache-oro" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-apache-oro" type="jar" ext="jar"/>
     <artifact name="ant-apache-oro" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-apache-oro" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-apache-oro" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-apache-oro" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-oro" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-oro" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-oro" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-apache-regexp" type="pom" ext="pom"/>
     <artifact name="ant-apache-regexp" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-apache-regexp" type="jar" ext="jar"/>
     <artifact name="ant-apache-regexp" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-apache-regexp" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-apache-regexp" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-apache-regexp" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-regexp" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-regexp" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-regexp" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-apache-resolver" type="pom" ext="pom"/>
     <artifact name="ant-apache-resolver" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-apache-resolver" type="jar" ext="jar"/>
     <artifact name="ant-apache-resolver" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-apache-resolver" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-apache-resolver" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-apache-resolver" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-resolver" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-resolver" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-resolver" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-apache-xalan2" type="pom" ext="pom"/>
     <artifact name="ant-apache-xalan2" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-apache-xalan2" type="jar" ext="jar"/>
     <artifact name="ant-apache-xalan2" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-apache-xalan2" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-apache-xalan2" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-apache-xalan2" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-xalan2" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-xalan2" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-apache-xalan2" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-commons-logging" type="pom" ext="pom"/>
     <artifact name="ant-commons-logging" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-commons-logging" type="jar" ext="jar"/>
     <artifact name="ant-commons-logging" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-commons-logging" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-commons-logging" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-commons-logging" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-commons-logging" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-commons-logging" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-commons-logging" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-commons-net" type="pom" ext="pom"/>
     <artifact name="ant-commons-net" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-commons-net" type="jar" ext="jar"/>
     <artifact name="ant-commons-net" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-commons-net" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-commons-net" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-commons-net" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-commons-net" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-commons-net" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-commons-net" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-imageio" type="pom" ext="pom"/>
     <artifact name="ant-imageio" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-imageio" type="jar" ext="jar"/>
     <artifact name="ant-imageio" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-imageio" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-imageio" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-imageio" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-imageio" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-imageio" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-imageio" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-jai" type="pom" ext="pom"/>
     <artifact name="ant-jai" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-jai" type="jar" ext="jar"/>
     <artifact name="ant-jai" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-jai" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-jai" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-jai" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-jai" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-jai" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-jai" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-javamail" type="pom" ext="pom"/>
     <artifact name="ant-javamail" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-javamail" type="jar" ext="jar"/>
     <artifact name="ant-javamail" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-javamail" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-javamail" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-javamail" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-javamail" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-javamail" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-javamail" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-jakartamail" type="pom" ext="pom"/>
     <artifact name="ant-jakartamail" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-jakartamail" type="jar" ext="jar"/>
     <artifact name="ant-jakartamail" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-jakartamail" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-jakartamail" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-jakartamail" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-jakartamail" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-jakartamail" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-jakartamail" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-jdepend" type="pom" ext="pom"/>
     <artifact name="ant-jdepend" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-jdepend" type="jar" ext="jar"/>
     <artifact name="ant-jdepend" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-jdepend" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-jdepend" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-jdepend" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-jdepend" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-jdepend" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-jdepend" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-jmf" type="pom" ext="pom"/>
     <artifact name="ant-jmf" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-jmf" type="jar" ext="jar"/>
     <artifact name="ant-jmf" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-jmf" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-jmf" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-jmf" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-jmf" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-jmf" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-jmf" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-jsch" type="pom" ext="pom"/>
     <artifact name="ant-jsch" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-jsch" type="jar" ext="jar"/>
     <artifact name="ant-jsch" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-jsch" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-jsch" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-jsch" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-jsch" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-jsch" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-jsch" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-junit" type="pom" ext="pom"/>
     <artifact name="ant-junit" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-junit" type="jar" ext="jar"/>
     <artifact name="ant-junit" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-junit" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-junit" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-junit" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-junit" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-junit" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-junit" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-junit4" type="pom" ext="pom"/>
     <artifact name="ant-junit4" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-junit4" type="jar" ext="jar"/>
     <artifact name="ant-junit4" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-junit4" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-junit4" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-junit4" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-junit4" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-junit4" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-junit4" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-junitlauncher" type="pom" ext="pom"/>
     <artifact name="ant-junitlauncher" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-junitlauncher" type="jar" ext="jar"/>
     <artifact name="ant-junitlauncher" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-junitlauncher" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-junitlauncher" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-junitlauncher" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-junitlauncher" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-junitlauncher" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-junitlauncher" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-launcher" type="pom" ext="pom"/>
     <artifact name="ant-launcher" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-launcher" type="jar" ext="jar"/>
     <artifact name="ant-launcher" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-launcher" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-launcher" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-launcher" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-launcher" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-launcher" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-launcher" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-netrexx" type="pom" ext="pom"/>
     <artifact name="ant-netrexx" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-netrexx" type="jar" ext="jar"/>
     <artifact name="ant-netrexx" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-netrexx" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-netrexx" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-netrexx" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-netrexx" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-netrexx" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-netrexx" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-swing" type="pom" ext="pom"/>
     <artifact name="ant-swing" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-swing" type="jar" ext="jar"/>
     <artifact name="ant-swing" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-swing" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-swing" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-swing" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-swing" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-swing" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-swing" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-testutil" type="pom" ext="pom"/>
     <artifact name="ant-testutil" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-testutil" type="jar" ext="jar"/>
     <artifact name="ant-testutil" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-testutil" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-testutil" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-testutil" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-testutil" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-testutil" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-testutil" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
     <artifact name="ant-xz" type="pom" ext="pom"/>
     <artifact name="ant-xz" type="pom.asc" ext="pom.asc"/>
     <artifact name="ant-xz" type="jar" ext="jar"/>
     <artifact name="ant-xz" type="jar.asc" ext="jar.asc"/>
     <artifact name="ant-xz" type="source" ext="jar" e:classifier="sources"/>
     <artifact name="ant-xz" type="source.asc" ext="jar.asc" e:classifier="sources"/>
+    <artifact name="ant-xz" type="cyclonedx.json" ext="json" e:classifier="cyclonedx"/>
+    <artifact name="ant-xz" type="cyclonedx.json.asc" ext="json.asc" e:classifier="cyclonedx"/>
+    <artifact name="ant-xz" type="cyclonedx.xml" ext="xml" e:classifier="cyclonedx"/>
+    <artifact name="ant-xz" type="cyclonedx.xml.asc" ext="xml.asc" e:classifier="cyclonedx"/>
   </publications>
   <dependencies/>
 </ivy-module>

From 341256ec333b49f8f482967e2cceedbf37a5a218 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Mon, 25 May 2026 13:07:42 +0200
Subject: [PATCH 9/9] use gitbox instead of github vor VCS links

---
 build.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.xml b/build.xml
index b12ad93ee8..3d31f3adf8 100644
--- a/build.xml
+++ b/build.xml
@@ -2264,7 +2264,7 @@ ${antunit.reports}
           url="https://www.apache.org/security/"/>
       <externalReference
           type="VCS"
-          url="https://github.com/apache/ant"/>
+          url="https://gitbox.apache.org/repos/asf/ant.git"/>
       <externalReference
           type="BUILD_SYSTEM"
           url="https://ci-builds.apache.org/job/Ant/"/>