Open flemminglau opened 2 months ago
@flemminglau you are correct, this library has not been updated for later CDX libraries or versions after 1.4.
In addition to updating the libraries, we'll also need to re-look at any mappings of the values.
Once we have the Java libraries for SPDX 3.0, I can update both CDX and SPDX to the latest - likely 2-3 weeks.
I am also interested in converting from CycloneDX 1.5 to SPDX.
Thanks @jlplenio for your interest - Just a quick update, I'm still working on the SPDX 3.0 libraries - taking longer than expected. Once that is done, I'll update this library with the latest SPDX and CDX versions.
I am a bit unsure, as it is not very well defined in the sources, but it seems we are linking with cyclonedx.core.java 7.3.2, which is from Feb 2023.
I guess this means that we are at CycloneDX 1.4 level?
I have the issue right now that my SBOMs contain a components.externalReferences[].type="distribution-intake", which I believe is new in 1.5.
That fails, in a quite inelegant way.
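
A pre-flight check for the failure reported in this thread, added here as an example and not part of the thread or of the converter's code: it lists every `externalReferences[].type` value that falls outside the CycloneDX 1.4 enum before the SBOM is handed to a 1.4-level parser. The function names and the sample BOM are constructed for illustration, and the 1.4 type list is an assumption to verify against the schema your build links.

```python
import json

# externalReferences[].type values accepted by the CycloneDX 1.4 JSON schema.
# Assumption of this example: confirm against the schema version in use.
CDX_14_EXTREF_TYPES = frozenset({
    "vcs", "issue-tracker", "website", "advisories", "bom", "mailing-list",
    "social", "chat", "documentation", "support", "distribution", "license",
    "build-meta", "build-system", "release-notes", "other",
})

def _walk_components(components, path):
    """Yield (json_path, component) for each component, including nested ones."""
    for i, comp in enumerate(components or []):
        p = f"{path}[{i}]"
        yield p, comp
        yield from _walk_components(comp.get("components"), p + ".components")

def find_unsupported_extrefs(bom, allowed=CDX_14_EXTREF_TYPES):
    """Return [(json_path, type)] for external references whose type is not allowed."""
    findings = []
    scopes = [("", bom)]  # BOM-level externalReferences
    meta_comp = bom.get("metadata", {}).get("component")
    if meta_comp:  # checked as a single node, its sub-components are not walked
        scopes.append(("metadata.component", meta_comp))
    scopes.extend(_walk_components(bom.get("components"), "components"))
    for path, node in scopes:
        for j, ref in enumerate(node.get("externalReferences") or []):
            if ref.get("type") not in allowed:
                prefix = f"{path}." if path else ""
                findings.append((f"{prefix}externalReferences[{j}]", ref.get("type")))
    return findings

# Constructed sample SBOM (not taken from the issue).
SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "lib-a", "version": "1.0",
   "externalReferences": [
     {"type": "website", "url": "https://example.com/a"},
     {"type": "distribution-intake", "url": "https://example.com/intake/a"}],
   "components": [
     {"type": "library", "name": "lib-b", "version": "2.0",
      "externalReferences": [
        {"type": "security-contact", "url": "mailto:sec@example.com"}]}]}]}
""")

if __name__ == "__main__":
    for path, ref_type in find_unsupported_extrefs(SAMPLE_BOM):
        print(f"{path}: type '{ref_type}' is not in the CycloneDX 1.4 enum")
```

Running the check before conversion turns an opaque parser failure into a list of JSON paths that need remapping or a newer library.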