Hi Gary,

On Tue, 20 Sept 2022 at 12:59, Gary Gregory <garydgreg...@gmail.com> wrote:

>
> Maybe you had a random failure or were not running from the command
> line. Some VFS tests won't run properly from IDEs because they depend
> on the old VFS testing framework still in place that relies on some
> JUnit 3 patterns.
>

The failed tests are trying to connect to a local FTP server. It could be
due to an issue with firewall configuration on my MacBook preventing them
from starting. Or perhaps just a flaky test. I'll run it again later to
check. I can also try a different Maven and JDK.


> WRT SBOMs like CycloneDX and multi-module projects, I think we need to
> live with the growing pains for now.
>

On Tue, 20 Sept 2022 at 13:09, Gary Gregory <garydgreg...@gmail.com> wrote:

> Alex, I just saw you posted this last message. This will need more
> tweaking over time it seems. It's not clear to me if we can have a
> commons-parent that works generically for both single and multi-module
> projects for CycloneDX and/or SPDX.


IIUC to release the projects I tested I would simply have to update the
<outputName> property for CycloneDX back to the default. The installed BOM
for each module will then contain information from the entire project
reactor. This will at least contain information on the true dependencies
for the module. I am not sure what effect having the extra redundant
information will have for users of this feature.

It is a pity that the documentation for CycloneDX is basically absent. Some
of the settings are not entirely self-documenting.

I think this should be reported as a bug to CycloneDX. I will look into
that. It should require a simple project with 2 modules, each with
different dependencies. IIUC the default config for the plugin will create
a BOM for each module with too much information when installed.

Alex
