Handling Multiple Identifiers for Uber JARs and Maven Hash Lookup Results #725
Vishnu-2810
started this conversation in
General
Replies: 1 comment
-
Component assemblies. In this case, the parent component will be the uber jar, and the nested components will represent all the bundled GAVs in the uber jar.
-
For most components we can generate a unique identifier, but in the case of uber/fat JARs, a single JAR may contain multiple groupId, artifactId, and version (GAV) coordinates. These should all be listed individually in the SBOM.
What is the recommended way to handle this scenario?
Additionally, when querying Maven Central using a SHA-1 hash such as:
https://search.maven.org/solrsearch/select?q=1:da39a3ee5e6b4b0d3255bfef95601890afd80709&wt=xml
the response sometimes includes multiple possible GAV matches.
How should this be interpreted, and what is the best practice for selecting the correct GAV entry for SBOM generation?
@jkowalleck @stevespringett Kindly share your thoughts on this.
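A sketch of the component-assembly layout described in the reply, added here as an example and not taken from the discussion or from any CycloneDX tool. It assumes the bundled artifacts' `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries survived packaging; the function names, the `app-all` parent name and the sample JAR contents are constructed for illustration.

```python
import io
import json
import zipfile

def build_sample_uber_jar() -> bytes:
    """Constructed sample: an in-memory uber JAR bundling two Maven artifacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for g, a, v in [("com.example", "lib-a", "1.2.0"), ("org.sample", "lib-b", "3.0.1")]:
            jar.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                         f"#Generated by Maven\ngroupId={g}\nartifactId={a}\nversion={v}\n")
        jar.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def bundled_gavs(jar_bytes: bytes) -> list:
    """Return sorted (groupId, artifactId, version) tuples found in embedded pom.properties."""
    gavs = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith(("#", "!")):
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            # Skip incomplete metadata rather than guessing a coordinate.
            if all(k in props for k in ("groupId", "artifactId", "version")):
                gavs.add((props["groupId"], props["artifactId"], props["version"]))
    return sorted(gavs)

def assembly_component(name: str, version: str, jar_bytes: bytes) -> dict:
    """Parent component is the uber JAR; each bundled GAV becomes a nested component."""
    nested = [{"type": "library", "group": g, "name": a, "version": v,
               "purl": f"pkg:maven/{g}/{a}@{v}"}
              for g, a, v in bundled_gavs(jar_bytes)]
    return {"type": "library", "name": name, "version": version, "components": nested}

if __name__ == "__main__":
    parent = assembly_component("app-all", "1.0.0", build_sample_uber_jar())
    print(json.dumps(parent, indent=2))
```

The returned dictionary is one entry for the `components` array of a CycloneDX BOM; bundled classes whose Maven metadata was stripped during shading will not appear and need another identification method.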