Support multiple repository URLs per Maven package
Update the Maven SBOM library to process all repository URLs found in
a component's external references instead of only the first match.
This aligns with SPDX and CycloneDX schemas which allow 0..N
external references per package.
Each Maven package listed in an SBOM must specify the repository URL that it comes from, and that URL must be present in the list of known and permitted Maven repositories. If no URL is specified, the package is assumed to come from Maven Central.
=== link:#maven_repos__policy_data_missing[Policy data validation]
24
24
25
+
Ensures the required allowed_maven_repositories list is provided.
25
26
27
+
*Solution*: Ensure that 'allowed_maven_repositories' is defined in the rule_data provided to the policy, and that it contains a list of authorized repository URLs.
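Review bot: The package description above the new "Policy data validation" entry still speaks of "the repository URL" in the singular, while the commit message says all repository URLs in a component's external references are now processed. The docs should say whether every one of those URLs must appear in allowed_maven_repositories or whether a single permitted URL is enough. The *Solution* text could also state whether Maven Central has to be listed explicitly, given that a package with no URL is assumed to come from there.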
antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -71,6 +71,7 @@ a| Include policy rules responsible for validating rule data.
71
71
72
72
Rules included:
73
73
74
+
* xref:packages/release_maven_repos.adoc#maven_repos__policy_data_missing[All maven artifacts have known repository URLs: Policy data validation]
74
75
* xref:packages/release_attestation_type.adoc#attestation_type__known_attestation_types_provided[Attestation type: Known attestation types provided]
75
76
* xref:packages/release_base_image_registries.adoc#base_image_registries__allowed_registries_provided[Base image checks: Allowed base image registry prefixes list was provided]
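Review bot: The added xref's link text reads "All maven artifacts have known repository URLs" with a lower-case "maven", while the package description writes "Maven package" and "Maven Central". Capitalise it in the rule title so the rule list and the package page agree. Placing the entry ahead of "Attestation type" keeps the list in alphabetical order, so nothing needs to change there.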