Open
Description
Since version 2.25.0, the aggregated SBOM generated for the log4j-bom artifact is not reproducible. Specifically, two variants of the SBOM are occasionally produced, differing only in the ordering of the jspecify dependency.
To ensure full reproducibility across releases, we need to identify the root cause of this nondeterministic behavior and propose a solution to resolve it.
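
A check for the symptom described in this issue, as an added example that is not part of the issue or of the Log4j build: it classifies two SBOM builds as identical, differing only in list ordering, or differing in content, and names the lists whose order changed. It assumes the SBOMs are available as JSON in a CycloneDX-style layout; the sample documents and every component name other than jspecify are constructed.

```python
import json

def _key(node):
    # Stable sort key for any JSON value, independent of list order inside it.
    return json.dumps(canonical(node), sort_keys=True)

def canonical(node):
    """Return a copy of node with every list sorted, so order stops mattering."""
    if isinstance(node, dict):
        return {k: canonical(v) for k, v in node.items()}
    if isinstance(node, list):
        return sorted((canonical(v) for v in node),
                      key=lambda v: json.dumps(v, sort_keys=True))
    return node

def reordered_paths(a, b, path="$"):
    """Yield paths of lists holding the same elements in a different order.
    Only meaningful when canonical(a) == canonical(b); list indices in the
    reported paths refer to the sorted (canonical) position."""
    if isinstance(a, dict) and isinstance(b, dict):
        for k in sorted(a.keys() & b.keys()):
            yield from reordered_paths(a[k], b[k], f"{path}.{k}")
    elif isinstance(a, list) and isinstance(b, list):
        if [_key(v) for v in a] != [_key(v) for v in b]:
            yield path
        pairs = zip(sorted(a, key=_key), sorted(b, key=_key))
        for i, (x, y) in enumerate(pairs):
            yield from reordered_paths(x, y, f"{path}[{i}]")

def classify(a, b):
    """Return (verdict, reordered list paths) for two parsed SBOM documents."""
    if a == b:
        return "identical", []
    if canonical(a) != canonical(b):
        return "content-differs", []
    return "order-only", list(reordered_paths(a, b))

# Constructed sample input: two builds of the same SBOM, jspecify moved.
SBOM_A = {"bomFormat": "CycloneDX", "dependencies": [
    {"ref": "log4j-bom",
     "dependsOn": ["example-api", "jspecify", "example-core"]}]}
SBOM_B = {"bomFormat": "CycloneDX", "dependencies": [
    {"ref": "log4j-bom",
     "dependsOn": ["example-api", "example-core", "jspecify"]}]}

if __name__ == "__main__":
    print(classify(SBOM_A, SBOM_B))
```

Running this over the artifacts of repeated builds shows whether the nondeterminism is confined to ordering and which list is affected, which narrows where to look for the root cause.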