From 9148699143b64cfabfaf9157ff8fb5b4adbd64e4 Mon Sep 17 00:00:00 2001
From: Thomas Leplus <thomasleplus@users.noreply.github.com>
Date: Sat, 14 Dec 2024 23:54:38 +0800
Subject: [PATCH 1/5] Create SBOMs

---
 pom.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/pom.xml b/pom.xml
index 4584037a..cb1618fa 100644
--- a/pom.xml
+++ b/pom.xml
@@ -345,6 +345,37 @@ limitations under the License.
         <artifactId>maven-checkstyle-plugin</artifactId>
         <version>3.6.0</version>
       </plugin>
+      <plugin>
+        <groupId>org.spdx</groupId>
+        <artifactId>spdx-maven-plugin</artifactId>
+        <version>0.7.4</version>
+        <executions>
+          <execution>
+            <id>build-spdx</id>
+            <goals>
+              <goal>createSPDX</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <excludedFilePatterns>
+            <excludedFilePattern>*.spdx</excludedFilePattern>
+          </excludedFilePatterns>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.cyclonedx</groupId>
+        <artifactId>cyclonedx-maven-plugin</artifactId>
+        <version>2.9.1</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>makeAggregateBom</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-maven</artifactId>

From 4e313c4984c47f303267e1611a38d0d0454b9063 Mon Sep 17 00:00:00 2001
From: Thomas Leplus <thomasleplus@users.noreply.github.com>
Date: Sat, 14 Dec 2024 23:57:06 +0800
Subject: [PATCH 2/5] Update pom.xml

---
 pom.xml | 56 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 28 insertions(+), 28 deletions(-)

diff --git a/pom.xml b/pom.xml
index cb1618fa..65322f88 100644
--- a/pom.xml
+++ b/pom.xml
@@ -317,34 +317,6 @@ limitations under the License.
           <scmBranch>gh-pages</scmBranch>
         </configuration>
       </plugin>
-    </plugins>
-  </build>
-  <reporting>
-    <plugins>
-      <plugin>
-	<groupId>org.apache.maven.plugins</groupId>
-	<artifactId>maven-javadoc-plugin</artifactId>
-	<version>${maven.javadoc.version}</version>
-        <configuration>
-          <source>8</source>
-          <show>public</show>
-        </configuration>
-      </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-project-info-reports-plugin</artifactId>
-        <version>3.8.0</version>
-      </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-jxr-plugin</artifactId>
-        <version>3.6.0</version>
-      </plugin>
-      <plugin>
-        <groupId>org.apache.maven.plugins</groupId>
-        <artifactId>maven-checkstyle-plugin</artifactId>
-        <version>3.6.0</version>
-      </plugin>
       <plugin>
         <groupId>org.spdx</groupId>
         <artifactId>spdx-maven-plugin</artifactId>
@@ -376,6 +348,34 @@ limitations under the License.
           </execution>
         </executions>
       </plugin>
+    </plugins>
+  </build>
+  <reporting>
+    <plugins>
+      <plugin>
+	<groupId>org.apache.maven.plugins</groupId>
+	<artifactId>maven-javadoc-plugin</artifactId>
+	<version>${maven.javadoc.version}</version>
+        <configuration>
+          <source>8</source>
+          <show>public</show>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-project-info-reports-plugin</artifactId>
+        <version>3.8.0</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jxr-plugin</artifactId>
+        <version>3.6.0</version>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-checkstyle-plugin</artifactId>
+        <version>3.6.0</version>
+      </plugin>
       <plugin>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-maven</artifactId>

From 9da8d815c90f2d2bd6b23b5abc28d8c83fe261a4 Mon Sep 17 00:00:00 2001
From: Thomas Leplus <thomasleplus@users.noreply.github.com>
Date: Sun, 15 Dec 2024 00:24:14 +0800
Subject: [PATCH 3/5] Skip cyclonedx plugin with Java 8

---
 .github/workflows/maven.yml | 29 +++++++++++++++--------------
 pom.xml                     |  9 ++++-----
 2 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index fda1aa32..70939c2b 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -71,22 +71,23 @@ jobs:
         run: |
           if [ -z "${MAVEN_GPG_PASSPHRASE}" ]
           then
-            # Forcing dependency check version to a version compatible
-            # with Java 8 since version does not matter due to
-            # dependencyCheck.skip=true. But otherwise Maven initialization
-            # fails with error: "java.lang.TypeNotPresentException:
-            # Type org.owasp.dependencycheck.maven.CheckMojo not present".
-            # shellcheck disable=SC2086
-            ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true -Dgpg.skip=true verify
+            GPG_SKIP=true
           else
-            # Forcing dependency check version to a version compatible
-            # with Java 8 since version does not matter due to
-            # dependencyCheck.skip=true. But otherwise Maven initialization
-            # fails with error: "java.lang.TypeNotPresentException:
-            # Type org.owasp.dependencycheck.maven.CheckMojo not present".
-            # shellcheck disable=SC2086
-            ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true verify
+            GPG_SKIP=false
           fi
+          if [ "${{ matrix.java }}" = "8" ]
+          then
+            CYCLONEDX_SKIP=true
+          else
+            CYCLONEDX_SKIP=false
+          fi
+          # Forcing dependency check version to a version compatible
+          # with Java 8 since version does not matter due to
+          # dependencyCheck.skip=true. But otherwise Maven initialization
+          # fails with error: "java.lang.TypeNotPresentException:
+          # Type org.owasp.dependencycheck.maven.CheckMojo not present".
+          # shellcheck disable=SC2086
+          ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true -Dgpg.skip=${GPG_SKIP} -Dcyclonedx.skip=${CYCLONEDX_SKIP} verify
       - name: Publish site
         env:
           GITHUB_TOKEN: ${{ github.token }}
diff --git a/pom.xml b/pom.xml
index 65322f88..60be1146 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,6 +84,7 @@ limitations under the License.
     <dependencyCheck.version>11.1.1</dependencyCheck.version>
     <dependencyCheck.skip>false</dependencyCheck.skip>
     <dependencyCheck.threshold>7</dependencyCheck.threshold>
+    <cyclonedx.skip>false</cyclonedx.skip>
   </properties>
   <dependencies>
     <dependency>
@@ -329,16 +330,14 @@ limitations under the License.
             </goals>
           </execution>
         </executions>
-        <configuration>
-          <excludedFilePatterns>
-            <excludedFilePattern>*.spdx</excludedFilePattern>
-          </excludedFilePatterns>
-        </configuration>
       </plugin>
       <plugin>
         <groupId>org.cyclonedx</groupId>
         <artifactId>cyclonedx-maven-plugin</artifactId>
         <version>2.9.1</version>
+        <configuration>
+	  <skip>${cyclonedx.skip}</skip>
+        </configuration>
         <executions>
           <execution>
             <phase>package</phase>

From e1017c517e83df05b40ced73b3eae2c8f3ee4156 Mon Sep 17 00:00:00 2001
From: Thomas Leplus <thomasleplus@users.noreply.github.com>
Date: Sun, 15 Dec 2024 00:45:43 +0800
Subject: [PATCH 4/5] Remove CycloneDX, keep SPX only for now

---
 .github/workflows/maven.yml |  8 +-------
 pom.xml                     | 17 -----------------
 2 files changed, 1 insertion(+), 24 deletions(-)

diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 70939c2b..7facd594 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -75,19 +75,13 @@ jobs:
           else
             GPG_SKIP=false
           fi
-          if [ "${{ matrix.java }}" = "8" ]
-          then
-            CYCLONEDX_SKIP=true
-          else
-            CYCLONEDX_SKIP=false
-          fi
           # Forcing dependency check version to a version compatible
           # with Java 8 since version does not matter due to
           # dependencyCheck.skip=true. But otherwise Maven initialization
           # fails with error: "java.lang.TypeNotPresentException:
           # Type org.owasp.dependencycheck.maven.CheckMojo not present".
           # shellcheck disable=SC2086
-          ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true -Dgpg.skip=${GPG_SKIP} -Dcyclonedx.skip=${CYCLONEDX_SKIP} verify
+          ./mvnw ${MAVEN_CLI_OPTS} -DdependencyCheck.version=10.0.4 -DdependencyCheck.skip=true -Dgpg.skip=${GPG_SKIP} verify
       - name: Publish site
         env:
           GITHUB_TOKEN: ${{ github.token }}
diff --git a/pom.xml b/pom.xml
index 60be1146..ed56befb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,7 +84,6 @@ limitations under the License.
     <dependencyCheck.version>11.1.1</dependencyCheck.version>
     <dependencyCheck.skip>false</dependencyCheck.skip>
     <dependencyCheck.threshold>7</dependencyCheck.threshold>
-    <cyclonedx.skip>false</cyclonedx.skip>
   </properties>
   <dependencies>
     <dependency>
@@ -331,22 +330,6 @@ limitations under the License.
           </execution>
         </executions>
       </plugin>
-      <plugin>
-        <groupId>org.cyclonedx</groupId>
-        <artifactId>cyclonedx-maven-plugin</artifactId>
-        <version>2.9.1</version>
-        <configuration>
-	  <skip>${cyclonedx.skip}</skip>
-        </configuration>
-        <executions>
-          <execution>
-            <phase>package</phase>
-            <goals>
-              <goal>makeAggregateBom</goal>
-            </goals>
-          </execution>
-        </executions>
-      </plugin>
     </plugins>
   </build>
   <reporting>

From 20f87cbb71679d9d6c8228cc04d679c962f2ca2e Mon Sep 17 00:00:00 2001
From: Thomas Leplus <thomasleplus@users.noreply.github.com>
Date: Sun, 15 Dec 2024 00:50:06 +0800
Subject: [PATCH 5/5] Keep CycloneDX, remove SPDX

---
 pom.xml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index ed56befb..be04ff7e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -84,6 +84,7 @@ limitations under the License.
     <dependencyCheck.version>11.1.1</dependencyCheck.version>
     <dependencyCheck.skip>false</dependencyCheck.skip>
     <dependencyCheck.threshold>7</dependencyCheck.threshold>
+    <cyclonedx.skip>false</cyclonedx.skip>
   </properties>
   <dependencies>
     <dependency>
@@ -318,14 +319,17 @@ limitations under the License.
         </configuration>
       </plugin>
       <plugin>
-        <groupId>org.spdx</groupId>
-        <artifactId>spdx-maven-plugin</artifactId>
-        <version>0.7.4</version>
+        <groupId>org.cyclonedx</groupId>
+        <artifactId>cyclonedx-maven-plugin</artifactId>
+        <version>2.9.1</version>
+        <configuration>
+	  <skip>${cyclonedx.skip}</skip>
+        </configuration>
         <executions>
           <execution>
-            <id>build-spdx</id>
+            <phase>package</phase>
             <goals>
-              <goal>createSPDX</goal>
+              <goal>makeAggregateBom</goal>
             </goals>
           </execution>
         </executions>