The master release doesn't deploy the CycloneDX files

[dmatej]

See

• https://repo1.maven.org/maven2/org/glassfish/main/common/glassfish-api/8.0.0-M6/ - CycloneDX files are there
• https://repo1.maven.org/maven2/org/glassfish/main/common/glassfish-api/7.0.15/ - Here they don't

Note that in #24997 is another change that might be related in the future. Also I am not sure what are standard rules for this, we should read some docs about it.

[avpinchuk]

One difference between 7.x and 8.x:

7.x:

glassfish/nucleus/parent/pom.xml

Line 27 in 1d3efd3

<version>1.0.8</version>

8.x:

glassfish/nucleus/parent/pom.xml

Line 27 in 59fdd9b

<version>1.0.9</version>

Therefore, the assembly of the GF8 gives us a lot of CycloneDX warnings.

[dmatej]

The fastest profile is used in the release process

• Because of the parent from Eclipse (1.0.8 vs 1.0.9) results differ between master and 8.0.
• The CycloneDX significantly slows down depeloper builds with fastest; developers usually don't care about CycloneDX.
• The target of fastest is to create all deployables asap, so here we have some controversy.

Also developers can have own profiles in settings.xml. Maybe there is a better place to disable the cyclone. Or we need another profile for the release process. However at some point it would be useful to have the OWASP check locally too, but that is different plugin.

Hmmm, they have different targets. Probably the CycloneDX could be executed really just for releases + explicitly.

• https://github.com/CycloneDX/cyclonedx-maven-plugin
• https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html

[dmatej]

Yet one idea - we can also push the cyclonedx plugin execution to the deploy phase (but it must be executed before the deploy plugin).

[pzygielo]

Maybe in release job, where fastest profile is activated, the sbom profile from parent could also be activated explicitly?