Open
Description
The SBOM generated on-demand by https://github.com/junit-team/junit5/dependency-graph/sbom lists 593 packages and 1404 relationships. It is compiled by using 3 "creators", listed below:
```
object {9}
  spdxVersion : SPDX-2.3
  dataLicense : CC0-1.0
  SPDXID : SPDXRef-DOCUMENT
  name : com.github.junit-team/junit5
  documentNamespace : https://spdx.org/spdxdocs/protobom/0ec5bb10-a1bb-4481-be4b-0cb54875aacf
  comment : Exact versions could not be resolved for some packages. For more information: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#dependencies-included.
  creationInfo {2}
    creators [3]
      0 : Tool: protobom-v0.0.0-20250616135015-0166181cb123+dirty
      1 : Tool: GitHub.com-Dependency-Graph
      2 : Tool: GitHub Dependency Graph Gradle Plugin
    created : 2025-06-17T13:35:59Z
  packages [593]
  relationships [1404]
```
Deliverables
- Investigate a way to prune the auto-generated SBOM
- Store pruned SBOM with each release
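
One possible shape for the pruning step, as an added example that is not part of the original issue or the JUnit project's code: it keeps only packages reachable from the described root without passing through an excluded package, and drops relationships that would otherwise dangle. The sample document, the `is_build_only` rule, and the assumption that the export uses `DESCRIBES` and `DEPENDS_ON` relationships are all constructed for illustration.

```python
from collections import deque

# Constructed sample in the shape of an SPDX 2.3 JSON document; names are illustrative.
def _pkg(i, name):
    return {"SPDXID": f"SPDXRef-{i}", "name": name}

def _rel(a, kind, b):
    return {"spdxElementId": a, "relationshipType": kind, "relatedSpdxElement": b}

SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [_pkg("root", "com.example/app"), _pkg("lib", "org.example:runtime-lib"),
                 _pkg("plugin", "org.example:build-plugin"),
                 _pkg("helper", "org.example:plugin-helper"),
                 _pkg("orphan", "org.example:unreferenced")],
    "relationships": [_rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-root"),
                      _rel("SPDXRef-root", "DEPENDS_ON", "SPDXRef-lib"),
                      _rel("SPDXRef-root", "DEPENDS_ON", "SPDXRef-plugin"),
                      _rel("SPDXRef-plugin", "DEPENDS_ON", "SPDXRef-helper")],
}

def is_build_only(pkg):
    # Hypothetical rule: treat names ending in "build-plugin" as build-time only.
    return pkg["name"].endswith("build-plugin")

def prune_sbom(doc, exclude):
    """Return a pruned copy of doc; the input document is not modified."""
    by_id = {p["SPDXID"]: p for p in doc["packages"]}
    roots, edges = [], {}
    for r in doc["relationships"]:
        if r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == doc["SPDXID"]:
            roots.append(r["relatedSpdxElement"])
        elif r["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    keep, queue = set(), deque(roots)
    while queue:  # breadth-first walk that never expands an excluded package
        node = queue.popleft()
        if node in keep or node not in by_id or exclude(by_id[node]):
            continue
        keep.add(node)
        queue.extend(edges.get(node, []))
    allowed = keep | {doc["SPDXID"]}
    pruned = dict(doc)
    pruned["packages"] = [p for p in doc["packages"] if p["SPDXID"] in keep]
    # Drop any relationship with an endpoint that was pruned, so no reference dangles.
    pruned["relationships"] = [r for r in doc["relationships"]
                               if r["spdxElementId"] in allowed
                               and r["relatedSpdxElement"] in allowed]
    return pruned
```

Note that `plugin-helper` is removed even though the rule does not match it, because its only path to the root runs through the excluded plugin.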