Hi Piotr, thanks for opening that issue. That's a great idea and would be useful to have going forward.
And Martin, what you describe can be described using SBOMs as well, so it's a good fit.

Cheers,
Lars

On Tue, May 14, 2024 at 1:15 AM Martin Desruisseaux <martin.desruisse...@geomatys.com> wrote:
>
> On 2024-05-13 at 22:52, Piotr P. Karwasz wrote:
>
> > If the CycloneDX Maven plugin learns to use those SBOMs as metadata
> > source instead of POM files, your problem should be solved.
>
> I'm not familiar with CycloneDX, but I think that if any SBOM is used
> with a shaded artifact, then the metadata should say that the
> dependencies have been transformed that way. For modular dependencies,
> shading the artifact has major impacts: it breaks module encapsulation,
> potentially creating security holes that did not exist in the original
> libraries. For non-modular dependencies, the impacts are typically
> smaller, but not necessarily null. For example, a library could perform
> security checks based on package names, and those checks may become
> invalid if the packages have been renamed. It does not mean that SBOMs
> are useless, but I think that shading is a very significant
> transformation that should be declared in the metadata, and not give the
> impression that the dependencies are in their original form.
>
> Martin
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org
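As an added illustration of the concern raised in the thread (not code from the thread or from the CycloneDX project), the following check compares the components an SBOM declares against the class entries actually present in a jar and flags dependencies whose packages survive only under a relocated prefix, i.e. shaded without being declared. It assumes the heuristic that a Maven groupId maps to the top-level Java package; the SBOM and the jar are constructed in the script.

```python
"""Flag SBOM components whose classes were relocated (shaded) in a jar."""
import io
import zipfile
from urllib.parse import unquote

# Constructed sample: a minimal CycloneDX-style SBOM listing two Maven dependencies.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "purl": "pkg:maven/org.example.util/util-lib@1.2.0"},
        {"type": "library", "purl": "pkg:maven/com.example.net/net-lib@3.0.1"},
    ],
}


def build_sample_jar() -> bytes:
    """Constructed jar: net-lib keeps its package, util-lib was relocated by the build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/net/Client.class", b"")
        zf.writestr("org/myapp/shaded/org/example/util/Strings.class", b"")
        zf.writestr("org/myapp/Main.class", b"")
    return buf.getvalue()


def purl_package_prefix(purl: str) -> str:
    """Heuristic (assumption): the Maven groupId is the dependency's top-level package."""
    body = purl.split("/", 1)[1]            # drop the 'pkg:maven' type prefix
    group_id = unquote(body.split("/")[0])  # namespace component of the purl
    return group_id.replace(".", "/") + "/"


def classify_components(sbom: dict, jar_bytes: bytes) -> dict:
    """Return {purl: 'original' | 'relocated' | 'absent'} for each SBOM component."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = [n for n in zf.namelist() if n.endswith(".class")]
    result = {}
    for comp in sbom["components"]:
        purl = comp["purl"]
        prefix = purl_package_prefix(purl)
        if any(e.startswith(prefix) for e in entries):
            result[purl] = "original"       # classes sit under the declared package
        elif any(prefix in e for e in entries):
            result[purl] = "relocated"      # package path nested under another prefix
        else:
            result[purl] = "absent"
    return result


if __name__ == "__main__":
    for purl, status in classify_components(SBOM, build_sample_jar()).items():
        print(f"{status:9} {purl}")
```

A "relocated" result means the SBOM consumer is looking at transformed code, so package-name-based checks and module boundaries from the original library no longer apply as declared.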