Discuss distribution management URL

[stevespringett]

This came about as a result of #239 which has since been reverted.

BOM requires url to download component, pom.dM.repository is for publication (e.g. OSSRH for Maven Central)

For example, commons-compress 1.12 BOM point distribution to https://repository.apache.org/service/local/staging/deploy/maven2 which is the staging area to publish to Maven Central from Apache Software Foundation

For the overwhelming majority of artifacts deployed to Central, the distribution URL will be that of Maven Central. I think ASF (and possibly a few others) are unique in that they have dedicated staging environments. We cannot cripple this functionality for the majority of artifacts for the benefit of a few.

Perhaps we can include a workaround. A few possibilities include:

• Replace https://repository.apache.org/service/local/staging/deploy/maven with https://repo1.maven.org/maven2.
• When https://repository.apache.org/service/local/staging/deploy/maven is encountered, add an additional CycloneDX distribution entry to https://repo1.maven.org/maven2 resulting in BOTH being present. This is technically more accurate.
• Create a configuration that would allow users to override the distribution base URL for the artifacts created from a project, or a specific GAV.

Let's discuss @hboutemy as the solution needs to be able to work for everyone.

[hboutemy]

For the overwhelming majority of artifacts deployed to Central, the distribution URL will be that of Maven Central

in fact, pom.distributionManagement.repository.url does not contain the url to download from Maven Central, but to publish to it: https://central.sonatype.org/publish/publish-guide/#releasing-to-central
Precise url is different for Apache projects, but usual project use OSSRH url = https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/

I don't think this distributionManagement url is useful for BOM consumer

If you want to provide download url, you'll need a configuration in CycloneDX Maven plugin to define the base download URL, eventually with Maven Central download as default value

[hboutemy]

looking at new external reference types from CycloneDX 1.5 spec https://cyclonedx.org/docs/1.5/json/#metadata_component_externalReferences_items_type

@stevespringett it looks like pom.distributionManagement.repository.url corresponds to the new distribution-intake type = "The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary"?

[stevespringett]

Yes, that is correct @hboutemy

[hboutemy]

thank you: I'll update the plugin for CDX 1.5