Hi Lars,

On Mon, 13 May 2024 at 17:46, Lars Francke <lars.fran...@gmail.com> wrote:
> The problem is that SBOM tools have no realistic chance to gather that
> information if all they have is a final artifact and the POMs that
> were published as is the case here.

An increasing number of Maven artifacts publish CycloneDX SBOMs alongside their artifacts. If the CycloneDX Maven plugin learns to use those SBOMs as a metadata source instead of POM files, your problem should be solved. I have opened a feature request[1] for that purpose.

Piotr

[1] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/497