when a dependency has some invalid transitive dependencies it can make the entire process fail. The example pom tries to download things from a defunct NetBeans repo and fails generating a BOM (any good dependencies added won't end up in the bom.json/xml). I would expect the plugin to emit ...
in the same GAV, there are both the initial .jar and one shaded one, like https://repo1.maven.org/maven2/org/apache/maven/wagon/wagon-http/3.5.3/ . In this case, what should the SBOM contain to describe the 2 different jars? Even though those are in the same GAV, shouldn't we tre...
//repo.gradle.org/gradle/libs-releases-local</url> <releases> <enabled>true</enabled> </releases> <snapshots> <enabled>false</enabled> </snapshots> </repository> </repositories> <profiles> <profile> <id>release</id> <activation> <activeByDefault>false</activeByDefault> </activation> <...
I believe we expect the default repository of Maven to be https://repo.maven.apache.org/maven2 . However, in many enterprise cases, the default repository will be their internal repositories (Nexus or JFrog) used by their build tool. @stevespringett, @pombredanne please correct me if I ...