diff --git a/pom.xml b/pom.xml
index ba854c57..ed9e8252 100644
--- a/pom.xml
+++ b/pom.xml
@@ -206,6 +206,84 @@
$[project.groupId].$[subst;$[subst;$[project.artifactId];log4j-];[^A-Za-z0-9];.]
$[bnd-module-name];access=0
+
+ dfa35519-9734-4259-bba1-3e825cf4be06
+ https://logging.apache.org/security/urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ urn:uuid:
+
+
+
+
+
+
+
+
+
+ vulnerability-assertion
+
+ urn:cdx:
+
+
+
+
+ vulnerability-assertion
+
+
+
+
+
+
+
+]]>
+
6.7.0.202309050840-r
@@ -477,6 +555,78 @@
makeAggregateBom
package
+
+ xml
+
+
+
+
+
+
+ com.github.genthaler
+ beanshell-maven-plugin
+
+
+ commons-codec
+ commons-codec
+ 1.16.0
+
+
+ xalan
+ serializer
+ 2.7.3
+
+
+ xalan
+ xalan
+ 2.7.3
+
+
+
+
+ process-sbom
+
+ run
+
+ package
+
+
+
@@ -1053,7 +1203,8 @@
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.storage.file.FileRepositoryBuilder;
- long timestampMillis = java.time.Instant.parse("${project.build.outputTimestamp}").toEpochMilli();
+ String outputTimestamp = project.getProperties().getProperty("project.build.outputTimestamp");
+ long timestampMillis = java.time.Instant.parse(outputTimestamp).toEpochMilli();
zip(String zipFileName, Map pathByFile) {
OutputStream outputStream = new FileOutputStream(zipFileName);
ZipOutputStream zipOutputStream = new ZipOutputStream(outputStream);
diff --git a/src/changelog/10.3.0/add-sbom-serialNumber-and-vex.xml b/src/changelog/10.3.0/add-sbom-serialNumber-and-vex.xml
new file mode 100644
index 00000000..276671e8
--- /dev/null
+++ b/src/changelog/10.3.0/add-sbom-serialNumber-and-vex.xml
@@ -0,0 +1,9 @@
+
+
+
+ Add XSLT transformation step to add a deterministic `serialNumber` and VDR links to the SBOM
+
+
diff --git a/src/site/_release-notes/_10.3.0.adoc b/src/site/_release-notes/_10.3.0.adoc
index 2322e9ff..1c17c03b 100644
--- a/src/site/_release-notes/_10.3.0.adoc
+++ b/src/site/_release-notes/_10.3.0.adoc
@@ -45,6 +45,7 @@ This minor release contains several small improvements.
* Add support to extend the `bnd-maven-plugin` configuration with `bnd-extra-config` property (https://github.com/apache/logging-log4j2/issues/1895[apache/logging-log4j2#1895])
* Add support to replace `project.build.outputTimestamp` Maven property in CI (https://github.com/apache/logging-parent/issues/50[50])
+* Add XSLT transformation step to add a deterministic `serialNumber` and VDR links to the SBOM
==== Changed