diff --git a/.github/linters/.gitleaks.toml b/.github/linters/.gitleaks.toml
new file mode 100644
index 000000000..6012aaeb6
--- /dev/null
+++ b/.github/linters/.gitleaks.toml
@@ -0,0 +1,5 @@
+title = "gitleaks config"
+[allowlist]
+files = [
+    "cyclonedx-lib/dependency_data/dependency_data.properties"
+]
diff --git a/.github/linters/suppressed-java.xml b/.github/linters/suppressed-java.xml
index b9c1a256e..0acb11e80 100644
--- a/.github/linters/suppressed-java.xml
+++ b/.github/linters/suppressed-java.xml
@@ -28,4 +28,5 @@
     <suppress files="." checks="LineLength" />
     <suppress files="." checks="Header" /> <!-- Disabled as we don't use headers in our project for the test files -->
     <suppress files="." checks="FileTabCharacter" /> <!-- Disabled as it generally doesn't matter if tabs are disabled or not -->
-</suppressions>
\ No newline at end of file
+    <suppress files="." checks="ParameterNumber" />
+</suppressions>
diff --git a/.github/workflows/testsbom.yml b/.github/workflows/testcyclonedx.yml
similarity index 52%
rename from .github/workflows/testsbom.yml
rename to .github/workflows/testcyclonedx.yml
index 073411098..f4f5703d9 100644
--- a/.github/workflows/testsbom.yml
+++ b/.github/workflows/testcyclonedx.yml
@@ -1,5 +1,5 @@
 # ********************************************************************************
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2023, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) with this work for additional
 # information regarding copyright ownership.
@@ -12,7 +12,7 @@
 # ********************************************************************************
 
 ---
-name: TestSBOM
+name: TestCycloneDX
 
 on:
   pull_request:
@@ -30,21 +30,21 @@ permissions:
   contents: read
 
 jobs:
-  test_sbom_gen:
-    name: gen_sbom
+  test_cyclonedx_gen:
+    name: gen_cyclonedx
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      # Build with jdk8 to ensure TemurinGenSBOM meets min compatibility
+      # Build with jdk8 to ensure TemurinGen* meets min compatibility
       - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
         id: setup-java
         with:
           java-version: 8
           distribution: 'temurin'
 
-      - name: Build TemurinGenSBOM.java
+      - name: Build TemurinGenSBOM.java and TemurinGenCDXA.java
         run: |
           ant -noinput -buildfile cyclonedx-lib/build.xml clean
           ant -noinput -buildfile cyclonedx-lib/build.xml build
@@ -52,8 +52,27 @@ jobs:
       - name: Run TemurinGenSBOM Unit test
         run: ant -noinput -buildfile cyclonedx-lib/build.xml run
 
+      - name: Run TemurinGenCDXA Unit test
+        run: ant -noinput -buildfile cyclonedx-lib/build.xml runCDXA
+
+      - name: Validate generated SBOM and CDXA documents using cyclonedx-cli validate
+        run: |
+          curl -L -O https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64
+          chmod +x cyclonedx-linux-x64
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.xml --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testCDXA.xml --fail-on-errors --input-version v1_6
+
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         name: Collect and Archive TemurinGenSBOM Artifacts
         with:
           name: testSBOM
-          path: cyclonedx-lib/build/testSBOM.json
+          path: cyclonedx-lib/build/testSBOM.*
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        name: Collect and Archive TemurinGenCDXA Artifacts
+        with:
+          name: testCDXA
+          path: cyclonedx-lib/build/testCDXA.*
+
diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml
index f026a2611..f4e11f65c 100644
--- a/cyclonedx-lib/build.xml
+++ b/cyclonedx-lib/build.xml
@@ -30,7 +30,7 @@
         <property file="dependency_data/dependency_data.properties"/>
 
         <!-- classpath for running application -->
-        <property name="classpath" value="build/jar/temurin-gen-sbom.jar:build/jar/cyclonedx-core-java.jar:build/jar/jackson-core.jar:build/jar/jackson-dataformat-xml.jar:build/jar/jackson-databind.jar:build/jar/jackson-annotations.jar:build/jar/json-schema-validator.jar:build/jar/commons-codec.jar:build/jar/commons-io.jar:build/jar/github-package-url.jar:build/jar/webpki.org-libext-1.00.jar:build/jar/temurin-sign-sbom.jar:build/jar/commons-collections4.jar"/>
+        <property name="classpath" value="build/jar/temurin-gen-sbom.jar:build/jar/temurin-gen-cdxa.jar:build/jar/cyclonedx-core-java.jar:build/jar/jackson-core.jar:build/jar/jackson-dataformat-xml.jar:build/jar/jackson-databind.jar:build/jar/jackson-annotations.jar:build/jar/json-schema-validator.jar:build/jar/commons-codec.jar:build/jar/commons-io.jar:build/jar/github-package-url.jar:build/jar/webpki.org-libext-1.00.jar:build/jar/temurin-sign-sbom.jar:build/jar/commons-collections4.jar:build/jar/commons-lang3.jar:build/jar/stax2-api.jar:build/jar/woodstox-core.jar"/>
 
         <target name="dep-checks">
                 <available file="build/jar/cyclonedx-core-java.jar" property="cyclonedx_available"/>
@@ -42,8 +42,11 @@
                 <available file="build/jar/commons-codec.jar" property="commons-codec_available"/>
                 <available file="build/jar/commons-io.jar" property="commons-io_available"/>
                 <available file="build/jar/commons-collections4.jar" property="commons-collections4_available"/>
+                <available file="build/jar/commons-lang3.jar" property="commons-lang3_available"/>
                 <available file="build/jar/github-package-url.jar" property="github-package-url_available"/>
                 <available file="build/webpki.org-libext-1.00.jar" property="openkeystore_available"/>
+                <available file="build/jar/stax2-api.jar" property="stax2-api_available"/>
+                <available file="build/jar/woodstox-core.jar" property="woodstox-core_available"/>
         </target>
 
         <target name="download-cyclonedx" unless="cyclonedx_available">
@@ -67,7 +70,7 @@
                 </move>
         </target>
 
-        <target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile-sign-sbom, jar-sign-sbom">
+        <target name="build-sign-sbom" depends="dep-checks, clone-and-build-openkeystore, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-commons-lang3, download-stax2-api, download-woodstox-core, download-github-package-url, compile-sign-sbom, jar-sign-sbom">
                 <echo message="Building cyclonedx-lib TemurinSignSBOM"/>
         </target>
 
@@ -114,11 +117,23 @@
                 <get-component component="commons-collections4"/>
         </target>
 
+        <target name="download-commons-lang3" unless="commons-lang3_available">
+                <get-component component="commons-lang3"/>
+        </target>
+
         <target name="download-github-package-url" unless="github-package-url_available">
                 <get-component component="github-package-url"/>
         </target>
 
-	      <target name="build" depends="dep-checks, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-github-package-url, compile, jar">
+        <target name="download-stax2-api" unless="stax2-api_available">
+                <get-component component="stax2-api"/>
+        </target>
+
+        <target name="download-woodstox-core" unless="woodstox-core_available">
+                <get-component component="woodstox-core"/>
+        </target>
+
+	<target name="build" depends="dep-checks, download-cyclonedx, download-jackson-core, download-jackson-dataformat-xml, download-jackson-databind, download-jackson-annotations, download-json-schema-validator, download-commons-codec, download-commons-io, download-commons-collections4, download-commons-lang3, download-stax2-api, download-woodstox-core, download-github-package-url, compile, jar">
                 <echo message="Building cyclonedx-lib"/>
         </target>
 
@@ -134,11 +149,16 @@
 
         <target name="jar">
                 <mkdir dir="build/jar"/>
-                <jar destfile="build/jar/temurin-gen-sbom.jar" basedir="build/classes">
+                <jar destfile="build/jar/temurin-gen-sbom.jar" basedir="build/classes" includes="temurin/sbom/TemurinGenSBOM*,package-info*">
                         <manifest>
                                 <attribute name="Main-Class" value="temurin.sbom.TemurinGenSBOM"/>
                         </manifest>
                 </jar>
+                <jar destfile="build/jar/temurin-gen-cdxa.jar" basedir="build/classes" includes="temurin/sbom/TemurinGenCDXA*,package-info*">
+                        <manifest>
+                                <attribute name="Main-Class" value="temurin.sbom.TemurinGenCDXA"/>
+                        </manifest>
+                </jar>
         </target>
 
         <property name="testSBOMFile" location="build/testSBOM.json"/>
@@ -179,9 +199,70 @@
                 </java>
         </target>
 
+        <target name="runCDXA">
+                <property name="testCDXA_XMLFile" location="build/testCDXA.xml"/>
+                <property name="testCDXA_JSONFile" location="build/testCDXA.json"/>
+                <delete file="${testCDXA_XMLFile}"/>
+                <delete file="${testCDXA_JSONFile}"/>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenCDXA">
+                  <arg value="--verbose"/>
+                  <arg value="--createNewCDXA"/>
+                  <arg value="--attesting-org-name"/>
+                  <arg value="Acme Inc"/>
+                  <arg value="--predicate"/>
+                  <arg value="VERIFIED_REPRODUCIBLE_BUILD"/>
+                  <arg value="--target-name"/>
+                  <arg value="Temurin jdk-21.0.5+11 x64 Linux"/>
+                  <arg value="--target-url"/>
+                  <arg value="https://api.adoptium.net/v3/binary/version/jdk-21.0.5+11/linux/x64/jdk/hotspot/normal/eclipse"/>
+                  <arg value="--target-sha256-hash"/>
+                  <arg value="1234567890123456789012345678901234567890123456789012345678901234"/>
+                  <arg value="--affirmation-stmt"/>
+                  <arg value="Acme confirms a verified reproducible build"/>
+                  <arg value="--affirmation-website"/>
+                  <arg value="https://acme-inc.com"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testCDXA_XMLFile}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenCDXA">
+                  <arg value="--verbose"/>
+                  <arg value="--createNewCDXA"/>
+                  <arg value="--attesting-org-name"/>
+                  <arg value="Acme Inc"/>
+                  <arg value="--predicate"/>
+                  <arg value="VERIFIED_REPRODUCIBLE_BUILD"/>
+                  <arg value="--target-name"/>
+                  <arg value="Temurin jdk-21.0.5+11 x64 Linux"/>
+                  <arg value="--target-url"/>
+                  <arg value="https://api.adoptium.net/v3/binary/version/jdk-21.0.5+11/linux/x64/jdk/hotspot/normal/eclipse"/>
+                  <arg value="--target-sha256-hash"/>
+                  <arg value="1234567890123456789012345678901234567890123456789012345678901234"/>
+                  <arg value="--affirmation-stmt"/>
+                  <arg value="Acme confirms a verified reproducible build"/>
+                  <arg value="--affirmation-website"/>
+                  <arg value="https://acme-inc.com"/>
+                  <arg value="--jsonFile"/>
+                  <arg value="${testCDXA_JSONFile}"/>
+                </java>
+        </target>
+
         <target name="run">
                 <property name="testSBOMFile" location="build/testSBOM.json"/>
+                <property name="testSBOMFile_xml" location="build/testSBOM.xml"/>
                 <delete file="${testSBOMFile}"/>
+                <delete file="${testSBOMFile_xml}"/>
+
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--createNewSBOM"/>
+                  <arg value="--name"/>
+                  <arg value="Temurin"/>
+                  <arg value="--version"/>
+                  <arg value="jdk17+35"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+
                 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
                   <arg value="--verbose"/>
                   <arg value="--createNewSBOM"/>
@@ -193,6 +274,7 @@
                   <arg value="${testSBOMFile}"/>
                 </java>
 
+                <!-- JSON tests -->
                 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
                   <arg value="--verbose"/>
                   <arg value="--addComponent"/>
@@ -333,7 +415,7 @@
                   <arg value="--name"/>
                   <arg value="configure_arguments"/>
                   <arg value="--value"/>
-                  <arg value="Runnable configure script is not present\nGenerating runnable configure script at /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/.configure-support/generated-configure.sh\nUsing autoconf at /usr/local/bin/autoconf [autoconf (GNU Autoconf) 2.69]\nconfigure: Configuration created at Tue Sep 14 22:13:19 UTC 2021.\nchecking for basename... /bin/basename\nchecking for dirname... /usr/bin/dirname\nchecking for file... /usr/bin/file\nchecking for ldd... /usr/bin/ldd\nchecking for bash... /bin/bash\nchecking for cat... /bin/cat\nchecking for chmod... /bin/chmod\nchecking for cp... /bin/cp\nchecking for cut... /usr/bin/cut\nchecking for date... /bin/date\nchecking for gdiff... [not found]\nchecking for diff... /usr/bin/diff\nchecking for echo... echo [builtin]\nchecking for expr... /usr/bin/expr\nchecking for find... /usr/bin/find\nchecking for gunzip... /usr/bin/gunzip\nchecking for pigz... /usr/bin/pigz\nchecking for head... /usr/bin/head\nchecking for ln... /bin/ln\nchecking for ls... /bin/ls\nchecking for gmkdir... [not found]\nchecking for mkdir... /bin/mkdir\nchecking for mktemp... /bin/mktemp\nchecking for mv... /bin/mv\nchecking for gawk... /usr/bin/gawk\nchecking for printf... printf [builtin]\nchecking for rm... /bin/rm\nchecking for rmdir... /bin/rmdir\nchecking for sh... /bin/sh\nchecking for sort... /bin/sort\nchecking for tail... /usr/bin/tail\nchecking for gtar... /bin/gtar\nchecking for tee... /usr/bin/tee\nchecking for touch... /bin/touch\nchecking for tr... /usr/bin/tr\nchecking for uname... /bin/uname\nchecking for wc... /usr/bin/wc\nchecking for xargs... /usr/bin/xargs\nchecking for grep that handles long lines and -e... /bin/grep\nchecking for egrep... /bin/grep -E\nchecking for fgrep... /bin/grep -F\nchecking for a sed that does not truncate output... /bin/sed\nchecking for df... /bin/df\nchecking for nice... /bin/nice\nchecking for greadlink... [not found]\nchecking for readlink... /usr/bin/readlink\nchecking for cygpath... [not found]\nchecking for wslpath... [not found]\nchecking for lsb_release... [not found]\nchecking for cmd.exe... [not found]\nchecking for cmp... /usr/bin/cmp\nchecking for uniq... /usr/bin/uniq\nchecking build system type... x86_64-unknown-linux-gnu\nchecking host system type... x86_64-unknown-linux-gnu\nchecking target system type... x86_64-unknown-linux-gnu\nchecking openjdk-build os-cpu... linux-x86_64\nchecking openjdk-build C library... gnu\nchecking openjdk-target os-cpu... linux-x86_64\nchecking openjdk-target C library... gnu\nchecking compilation type... native\nchecking for top-level directory... /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src\nchecking if custom source is suppressed (openjdk-only)... disabled, default\nchecking for --enable-debug... disabled, default\nchecking which debug level to use... release\nchecking which variants of the JVM to build... server\nchecking if absolute paths should be allowed in the build output... no, release build\nchecking for sysroot... \nchecking for toolchain path... \nchecking for extra path... \nchecking where to store configuration... in default location\nchecking what configuration name to use... linux-x86_64-server-release\nchecking for zypper... [not found]\nchecking for apt-get... [not found]\nchecking for yum... /usr/bin/yum\nchecking for pandoc... [not found]\nchecking for gmake... /usr/local/bin/gmake\nconfigure: Testing potential make at /usr/local/bin/gmake, found using gmake in PATH\nconfigure: Using GNU make at /usr/local/bin/gmake (version: GNU Make 4.1)\nchecking if make --output-sync is supported... yes\nchecking for output-sync value... none\nchecking if find supports -delete... yes\nchecking what type of tar was found... gnu\nchecking that grep (/bin/grep) -Fx handles empty lines in the pattern list correctly... yes\nchecking for unzip... /usr/bin/unzip\nchecking for zip... /usr/bin/zip\nchecking for greadelf... [not found]\nchecking for readelf... /usr/local/gcc/bin/readelf\nchecking for dot... [not found]\nchecking for hg... /usr/bin/hg\nchecking for git... /usr/local/bin/git\nchecking for stat... /usr/bin/stat\nchecking for time... time [builtin]\nchecking for flock... /usr/bin/flock\nchecking for dtrace... /usr/bin/dtrace\nchecking for gpatch... [not found]\nchecking for patch... [not found]\nchecking for ulimit... ulimit [builtin]\nchecking bash version... 4.1.2\nchecking if bash supports pipefail... yes\nchecking if bash supports errexit (-e)... yes\nchecking for pkg-config... /usr/bin/pkg-config\nchecking pkg-config is at least version 0.9.0... yes\nchecking for default LOG value... \nchecking if packaged modules are kept... enabled, default\nchecking for version string... 17+35\nconfigure: Found potential Boot JDK using configure arguments\nchecking for Boot JDK... /usr/lib/jvm/jdk-16\nchecking Boot JDK version... openjdk version \16.0.2\ 2021-07-20 OpenJDK Runtime Environment Temurin-16.0.2+7 (build 16.0.2+7) OpenJDK 64-Bit Server VM Temurin-16.0.2+7 (build 16.0.2+7, mixed mode, sharing)\nchecking for java [Boot JDK]... $BOOT_JDK/bin/java\nchecking for javac [Boot JDK]... $BOOT_JDK/bin/javac\nchecking for javadoc [Boot JDK]... $BOOT_JDK/bin/javadoc\nchecking for jar [Boot JDK]... $BOOT_JDK/bin/jar\nchecking if Boot JDK is 32 or 64 bits... 64\nchecking for local Boot JDK Class Data Sharing (CDS)... yes, created\nchecking for Build JDK... yes, will use output dir\nchecking for docs-reference JDK... no, using interim javadoc for the docs-reference targets\nchecking if we should build headless-only (no GUI)... disabled, default\nchecking if linker should clean out unused code (linktime-gc)... disabled, default\nchecking for graphviz dot... no, cannot generate full docs\nchecking for pandoc... no, cannot generate full docs\nchecking for --enable-full-docs... disabled, from default 'auto'\nchecking for cacerts file... /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/sbin/../security/cacerts\nchecking for --enable-unlimited-crypto... enabled, default\nchecking for jni library path... default\nchecking if static build is available... no\nchecking if static build is enabled... disabled, default\nconfigure: Using default toolchain gcc (GNU Compiler Collection)\nconfigure: Will use user supplied compiler CC=/usr/local/gcc/bin/gcc-7.5\nchecking resolved symbolic links for CC... no symlink\nconfigure: Using gcc C compiler version 7.5.0 [gcc-7.5 (GCC) 7.5.0]\nchecking whether the C compiler works... yes\nchecking for C compiler default output file name... a.out\nchecking for suffix of executables... \nchecking whether we are cross compiling... no\nchecking for suffix of object files... o\nchecking whether we are using the GNU C compiler... yes\nchecking whether /usr/local/gcc/bin/gcc-7.5 accepts -g... yes\nchecking for /usr/local/gcc/bin/gcc-7.5 option to accept ISO C89... none needed\nconfigure: Will use user supplied compiler CXX=/usr/local/gcc/bin/g++-7.5\nchecking resolved symbolic links for CXX... no symlink\nconfigure: Using gcc C++ compiler version 7.5.0 [g++-7.5 (GCC) 7.5.0]\nchecking whether we are using the GNU C++ compiler... yes\nchecking whether /usr/local/gcc/bin/g++-7.5 accepts -g... yes\nchecking how to run the C preprocessor... /usr/local/gcc/bin/gcc-7.5 -E\nchecking how to run the C++ preprocessor... /usr/local/gcc/bin/g++-7.5 -E\nconfigure: Using gcc linker version 2.28 [GNU ld (GNU Binutils) 2.28]\nchecking for ar... /usr/local/gcc/bin/ar\nchecking for strip... /usr/local/gcc/bin/strip\nchecking for nm... /usr/local/gcc/bin/nm\nchecking for gobjcopy... [not found]\nchecking for objcopy... /usr/local/gcc/bin/objcopy\nchecking for gobjdump... [not found]\nchecking for objdump... /usr/local/gcc/bin/objdump\nchecking for c++filt... /usr/local/gcc/bin/c++filt\nchecking for jtreg... [not found]\nchecking for jtreg test harness... no, not found\nchecking for jmh (Java Microbenchmark Harness)... no, disabled\nchecking for jib... no\nchecking if @file is supported by gcc... yes\nchecking if CC supports \-m64\... yes\nchecking if CXX supports \-m64\... yes\nchecking if both CC and CXX support \-m64\... yes\nchecking for ANSI C header files... yes\nchecking for sys/types.h... yes\nchecking for sys/stat.h... yes\nchecking for stdlib.h... yes\nchecking for string.h... yes\nchecking for memory.h... yes\nchecking for strings.h... yes\nchecking for inttypes.h... yes\nchecking for stdint.h... yes\nchecking for unistd.h... yes\nchecking stdio.h usability... yes\nchecking stdio.h presence... yes\nchecking for stdio.h... yes\nchecking size of int *... 8\nchecking for target address size... 64 bits\nchecking whether byte ordering is bigendian... no\nchecking what source date to use... determined at build time, from 'updated'\nchecking for --enable-reproducible-build... disabled, default\nchecking for --enable-warnings-as-errors... disabled, from command line\nchecking if CC supports \-Xassembler -mrelax-relocations=no\... yes\nchecking if CXX supports \-Xassembler -mrelax-relocations=no\... yes\nchecking if both CC and CXX support \-Xassembler -mrelax-relocations=no\... yes\nchecking if TARGET is x86... no\nchecking if CC supports \-fno-delete-null-pointer-checks\... yes\nchecking if CXX supports \-fno-delete-null-pointer-checks\... yes\nchecking if both CC and CXX support \-fno-delete-null-pointer-checks\.. yes\nchecking if CC supports \-fno-lifetime-dse\.. yes\nchecking if CXX supports \-fno-lifetime-dse\... yes\nchecking if both CC and CXX support \-fno-lifetime-dse\... yes\nchecking if CC supports \-fmacro-prefix-map=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/=... no\nchecking if CXX supports \-fmacro-prefix-map=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/=\... no\nchecking if both CC and CXX support \-fmacro-prefix-map=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/=\... no\nchecking how to prevent absolute paths in output... using relative paths\nchecking if CC supports \-ffp-contract=off\... yes\nchecking if CXX supports \-ffp-contract=off\.. yes\nchecking if both CC and CXX support \-ffp-contract=off\... yes\nchecking if BUILD is x86... no\nchecking if BUILD_CC supports \-fno-delete-null-pointer-checks\... yes\nchecking if BUILD_CXX supports -fno-delete-null-pointer-checks\... yes\nchecking if both BUILD_CC and BUILD_CXX support -fno-delete-null-pointer-checks\... yes\nchecking if BUILD_CC supports \-fno-lifetime-dse\... yes\nchecking if BUILD_CXX supports \-fno-lifetime-dse\... yes\nchecking if both BUILD_CC and BUILD_CXX support \-fno-lifetime-dse\... yes\nchecking if BUILD_CC supports \-fmacro-prefix-map=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/=\... no\nchecking if BUILD_CXX supports \-fmacro-prefix-map=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/=\... no\nchecking if both BUILD_CC and BUILD_CXX support \-fmacro-prefix-map=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/=\... no\nchecking how to prevent absolute paths in output... using relative paths\nchecking if BUILD_CC supports \-ffp-contract=off\... yes\nchecking if BUILD_CXX supports \-ffp-contract=off\... yes\nchecking if both BUILD_CC and BUILD_CXX support \-ffp-contract=off\... yes\nchecking what type of native debug symbols to use... external\nchecking if we should add external native debug symbols to the shipped bundles... no\nchecking if native coverage is available... yes\nchecking for --enable-native-coverage... disabled, default\nchecking if AddressSanitizer (asan) is available... yes\nchecking for --enable-asan... disabled, default\nchecking if static link of stdc++ is possible... yes\nchecking how to link with libstdc++... static\nchecking for X... libraries , headers \nchecking for gethostbyname... yes\nchecking for connect... yes\nchecking for remove... yes\nchecking for shmat... yes\nchecking for IceConnectionNumber in -lICE... yes\nchecking for X11/extensions/shape.h... yes\nchecking for X11/extensions/Xrender.h... yes\nchecking for X11/extensions/XTest.h... yes\nchecking for X11/Intrinsic.h... yes\nchecking for X11/extensions/Xrandr.h... yes\nchecking cups/cups.h usability... yes\nchecking cups/cups.h presence... yes\nchecking for cups/cups.h... yes\nchecking cups/ppd.h usability... yes\nchecking cups/ppd.h presence... yes\nchecking for cups/ppd.h... yes\nchecking fontconfig/fontconfig.h usability... yes\nchecking fontconfig/fontconfig.h presence... yes\nchecking for fontconfig/fontconfig.h... yes\nchecking for FREETYPE... yes\nchecking for freetype... yes (using pkg-config)\nUsing freetype: system\nchecking for ALSA... yes\nchecking for --enable-libffi-bundling... disabled, default\nchecking for which libjpeg to use... bundled\nchecking for which giflib to use... bundled\nchecking for PNG... yes\nchecking for which libpng to use... bundled\nchecking for compress in -lz... yes\nchecking for which zlib to use... system\nchecking for system zlib functionality... ok\nchecking for which lcms to use... bundled\nchecking for which harfbuzz to use... bundled\nchecking for cos in -lm... yes\nchecking for dlopen in -ldl... yes\nchecking for JVM features enabled by the user... 'dtrace'\nchecking for JVM features disabled by the user... none\nchecking if platform is supported by CDS... yes\nchecking if JVM feature 'cds' is available... yes\nchecking for dtrace tool... /usr/bin/dtrace\nchecking sys/sdt.h usability... yes\nchecking sys/sdt.h presence... yes\nchecking for sys/sdt.h... yes\nchecking if JVM feature 'dtrace' is available... yes\nchecking if platform is supported by JFR... yes\nchecking if JVM feature 'jfr' is available... yes\nchecking if platform is supported by JVMCI... yes\nchecking if JVM feature 'jvmci' is available... yes\nchecking if platform is supported by Shenandoah... yes\nchecking if JVM feature 'shenandoahgc' is available... yes\nchecking if static-build is enabled in configure... no, use --enable-static-build to enable static build.\nchecking if JVM feature 'static-build' is available... no\nchecking if platform is supported by ZGC... yes\nchecking if JVM feature 'zgc' is available... yes\nconfigure: Default JVM features explicitly enabled for 'server': 'dtrace'\nchecking JVM features to use for variant 'server'... 'cds compiler1 compiler2 dtrace epsilongc g1gc jfr jni-check jvmci jvmti management nmt parallelgc serialgc services shenandoahgc vm-structs zgc'\nchecking if the jtreg failure handler is available... no (jtreg not present)\nchecking if the jtreg failure handler should be built... disabled, from default 'auto'\nchecking if the CDS classlist generation should be enabled... enabled, from default 'auto'\nchecking if any translations should be excluded... no\nchecking if static man pages should be copied... enabled, default\nchecking if CDS archive is available... yes\nchecking if a default CDS archive should be generated... enabled, from default 'auto'\nchecking if CDS archive is available... yes\nchecking if compatible cds region alignment enabled... disabled, default\nchecking for number of cores... 48\nchecking for memory size... 63980 MB\nchecking for appropriate number of jobs to run in parallel... 48\nchecking whether to use javac server... enabled, default\nchecking flags for boot jdk java command ...  -Duser.language=en -Duser.country=US  -XX:+UnlockDiagnosticVMOptions -XX:-VerifySharedSpaces -XX:SharedArchiveFile=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release/configure-support/classes.jsa -Xshare:auto \nchecking flags for boot jdk java command for big workloads...  -Xms64M -Xmx1600M\nchecking flags for bootcycle boot jdk java command for big workloads... -Xms64M -Xmx1600M\nchecking flags for boot jdk java command for small workloads...  -XX:+UseSerialGC -Xms32M -Xmx512M -XX:TieredStopAtLevel=1\nchecking for --enable-icecc... disabled, default\nchecking if precompiled headers are available... yes\nchecking for --enable-precompiled-headers... enabled, from default 'auto'\nchecking for ccache... /usr/local/gcc/bin/ccache\nchecking if ccache is available... yes\nchecking if ccache is enabled... enabled, from command line\nchecking if C-compiler supports ccache precompiled headers... yes\nchecking if build directory is on local disk... yes\nconfigure: creating /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release/configure-support/config.status\nconfig.status: creating /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release/spec.gmk\nconfig.status: creating /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release/bootcycle-spec.gmk\nconfig.status: creating /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release/buildjdk-spec.gmk\nconfig.status: creating /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release/compare.sh\nconfig.status: creating /home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release/Makefile\n\n====================================================\nA new configuration has been successfully created in\n/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace/build/src/build/linux-x86_64-server-release\nusing configure arguments '--verbose --with-vendor-name='Eclipse Adoptium' --with-vendor-url=https://adoptium.net/ --with-vendor-bug-url=https://github.com/adoptium/adoptium-support/issues --with-vendor-vm-bug-url=https://github.com/adoptium/adoptium-support/issues --without-version-opt --without-version-pre --with-version-build=35 --with-vendor-version-string=Temurin-17+35 --with-boot-jdk=/usr/lib/jvm/jdk-16 --with-debug-level=release --with-native-debug-symbols=external --with-jvm-variants=server --with-cacerts-file=/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/sbin/../security/cacerts --disable-warnings-as-errors --enable-ccache --enable-dtrace'.\n\nConfiguration summary:\n* Name:           linux-x86_64-server-release\n* Debug level:    release\n* HS debug level: product\n* JVM variants:   server\n* JVM features:   server: 'cds compiler1 compiler2 dtrace epsilongc g1gc jfr jni-check jvmci jvmti management nmt parallelgc serialgc services shenandoahgc vm-structs zgc' \n* OpenJDK target: OS: linux, CPU architecture: x86, address length: 64\n* Version string: 17+35 (17)\n\nTools summary:\n* Boot JDK:       openjdk version \16.0.2\ 2021-07-20 OpenJDK Runtime Environment Temurin-16.0.2+7 (build 16.0.2+7) OpenJDK 64-Bit Server VM Temurin-16.0.2+7 (build 16.0.2+7, mixed mode, sharing) (at /usr/lib/jvm/jdk-16)\n* Toolchain:      gcc (GNU Compiler Collection)\n* C Compiler:     Version 7.5.0 (at /usr/local/gcc/bin/gcc-7.5)\n* C++ Compiler:   Version 7.5.0 (at /usr/local/gcc/bin/g++-7.5)\n\nBuild performance summary:\n* Cores to use:   48\n* Memory limit:   63980 MB\n* ccache status:  Active (ccache version 3.4.2)\n\n"/>
+                  <arg value="CONFIGURE_ARGUMENTS..."/>
                   <arg value="--jsonFile"/>
                   <arg value="${testSBOMFile}"/>
                 </java>
@@ -353,7 +435,7 @@
                   <arg value="--name"/>
                   <arg value="openjdk_built_config"/>
                   <arg value="--value"/>
-                  <arg value="# ============================\n# OPENJDK BUILD CONFIGURATION:\n# ============================\nBUILD_CONFIG[ADOPT_PATCHES]=\true\\nBUILD_CONFIG[ASSEMBLE_EXPLODED_IMAGE]=\false\\nBUILD_CONFIG[BRANCH]=\dev\\nBUILD_CONFIG[BUILD_FULL_NAME]=\linux-x86_64--server-release\\nBUILD_CONFIG[BUILD_VARIANT]=\hotspot\\nBUILD_CONFIG[CLEAN_DOCKER_BUILD]=\false\/>\nBUILD_CONFIG[CLEAN_GIT_REPO]=\true\nBUILD_CONFIG[CLEAN_LIBS]=\false\\nBUILD_CONFIG[CONTAINER_NAME]=\openjdk_container\\nBUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JDK_FLAG]=\false\\nBUILD_CONFIG[COPY_MACOSX_FREE_FONT_LIB_FOR_JRE_FLAG]=\false\\nBUILD_CONFIG[CREATE_DEBUG_IMAGE]=\true\\nBUILD_CONFIG[CREATE_SOURCE_ARCHIVE]=\false\\nBUILD_CONFIG[CROSSCOMPILE]=\false\\nBUILD_CONFIG[CUSTOM_CACERTS]=\true\\nBUILD_CONFIG[DEBUG_DOCKER]=\false\\nBUILD_CONFIG[DEBUG_IMAGE_PATH]=\debug-image\\nBUILD_CONFIG[DISABLE_ADOPT_BRANCH_SAFETY]=\false\\nBUILD_CONFIG[CONTAINER_AS_ROOT]=\docker\\nBUILD_CONFIG[DOCKER_FILE_PATH]=\\nBUILD_CONFIG[DOCKER_SOURCE_VOLUME_NAME]=\openjdk-source-volume-jdk17-hotspot\\nBUILD_CONFIG[FREETYPE]=\false\\nBUILD_CONFIG[FREETYPE_DIRECTORY]=\\nBUILD_CONFIG[FREETYPE_FONT_BUILD_TYPE_PARAM]=\\nBUILD_CONFIG[FREETYPE_FONT_VERSION]=\2.9.1\\nBUILD_CONFIG[GRADLE_USER_HOME_DIR]=\\nBUILD_CONFIG[JDK_BOOT_DIR]=\/usr/lib/jvm/jdk-16\              \nBUILD_CONFIG[JDK_PATH]=\jdk\\nBUILD_CONFIG[JRE_PATH]=\jre\\nBUILD_CONFIG[JVM_VARIANT]=\server\\nBUILD_CONFIG[KEEP_CONTAINER]=\false\\nBUILD_CONFIG[MACOSX_CODESIGN_IDENTITY]=\\nBUILD_CONFIG[MAKE_ARGS_FOR_ANY_PLATFORM]=\product-images legacy-jre-image\\nBUILD_CONFIG[MAKE_COMMAND_NAME]=\make\\nBUILD_CONFIG[MAKE_EXPLODED]=\false\\nBUILD_CONFIG[NUM_PROCESSORS]=\1\\nBUILD_CONFIG[OPENJDK_BUILD_NUMBER]=\\nBUILD_CONFIG[OPENJDK_BUILD_REPO_BRANCH]=\master\\nBUILD_CONFIG[OPENJDK_BUILD_REPO_URI]=\https://github.com/adoptium/temurin-build.git\\nBUILD_CONFIG[OPENJDK_CORE_VERSION]=\jdk17\\nBUILD_CONFIG[OPENJDK_FEATURE_NUMBER]=\17\\nBUILD_CONFIG[OPENJDK_FOREST_NAME]=\jdk17\\nBUILD_CONFIG[OPENJDK_SOURCE_DIR]=\src\nBUILD_CONFIG[OPENJDK_UPDATE_VERSION]=\\nBUILD_CONFIG[OS_ARCHITECTURE]=\x86_64\\nBUILD_CONFIG[OS_FULL_VERSION]=\Linux 5.8.0-34-generic : CentOS release 6.10 (Final)\\nBUILD_CONFIG[OS_KERNEL_NAME]=\linux\\nBUILD_CONFIG[PATCHES]=\\nBUILD_CONFIG[RELEASE]=\true\\nBUILD_CONFIG[REPOSITORY]=\https://github.com/adoptium/jdk17\\nBUILD_CONFIG[REUSE_CONTAINER]=\true\\nBUILD_CONFIG[SHALLOW_CLONE_OPTION]=\\nBUILD_CONFIG[SIGN]=\false\\nBUILD_CONFIG[TAG]=\jdk-17+35_adopt\\nBUILD_CONFIG[TARGET_DIR]=\target/\\nBUILD_CONFIG[TARGET_FILE_NAME]=\OpenJDK17-jdk_x64_linux_hotspot_17_35.tar.gz\\nBUILD_CONFIG[TEST_IMAGE_PATH]=\test\\nBUILD_CONFIG[TMP_CONTAINER_NAME]=\openjdk-copy-src\\nBUILD_CONFIG[TMP_SPACE_BUILD]=\false\\nBUILD_CONFIG[USER_SUPPLIED_CONFIGURE_ARGS]=\ --disable-warnings-as-errors --enable-ccache --enable-dtrace\\nBUILD_CONFIG[USER_SUPPLIED_MAKE_ARGS]=\\nBUILD_CONFIG[CONTAINER_COMMAND]=\false\\nBUILD_CONFIG[USE_JEP319_CERTS]=\true\\nBUILD_CONFIG[USE_SSH]=\false\\nBUILD_CONFIG[VENDOR]=\Eclipse Adoptium\\nBUILD_CONFIG[WORKING_DIR]=\./build/\\nBUILD_CONFIG[WORKSPACE_DIR]=\/home/jenkins/workspace/build-scripts/jobs/jdk17/jdk17-linux-x64-hotspot/workspace\"/>
+                  <arg value="OPENJDK_BUILT_CONFIG..."/>
                   <arg value="--jsonFile"/>
                   <arg value="${testSBOMFile}"/>
                 </java>
@@ -417,7 +499,7 @@
                   <arg value="--url"/>
                   <arg value="https://github.com/adoptium/jdk17/commit/a5afad28437"/>
                   <arg value="--hashes"/>
-                  <arg value="HASHES"/>
+                  <arg value="1234567890123456789012345678901234567890123456789012345678901234"/>
                   <arg value="--comment"/>
                   <arg value="openjdk_source"/>
                   <arg value="--jsonFile"/>
@@ -429,7 +511,7 @@
                   <arg value="--url"/>
                   <arg value="https://ftp.osuosl.org/pub/blfs/conglomeration/alsa-lib/alsa-lib-1.1.6.tar.bz2"/>
                   <arg value="--hashes"/>
-                  <arg value="HASHES"/>
+                  <arg value="1234567890123456789012345678901234567890123456789012345678901234"/>
                   <arg value="--comment"/>
                   <arg value="dependency_version_alsa"/>
                   <arg value="--jsonFile"/>
@@ -476,6 +558,289 @@
                   <arg value="${testSBOMFile}"/>
                 </java>
 
+                <!-- XML tests -->
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponent"/>
+                  <arg value="--compName"/>
+                  <arg value="JDK-info"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="JDK-info"/>
+                  <arg value="--name"/>
+                  <arg value="OS"/>
+                  <arg value="--value"/>
+                  <arg value="Linux"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                  <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="JDK-info"/>
+                  <arg value="--name"/>
+                  <arg value="arch"/>
+                  <arg value="--value"/>
+                  <arg value="x64"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                  <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="JDK-info"/>
+                  <arg value="--name"/>
+                  <arg value="variant"/>
+                  <arg value="--value"/>
+                  <arg value="hotspot"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="JDK-info"/>
+                  <arg value="--name"/>
+                  <arg value="binary-type"/>
+                  <arg value="--value"/>
+                  <arg value="jdk"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+               <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponent"/>
+                  <arg value="--compName"/>
+                  <arg value="Temurin Build"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="Temurin Build"/>
+                  <arg value="--name"/>
+                  <arg value="buildRef"/>
+                  <arg value="--value"/>
+                  <arg value="https://github.com/adoptium/temurin-build/commit/c3a40"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="Temurin Build"/>
+                  <arg value="--name"/>
+                  <arg value="ScmRef"/>
+                  <arg value="--value"/>
+                  <arg value="jdk-17+35_adopt"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponent"/>
+                  <arg value="--compName"/>
+                  <arg value="make-arguments"/>
+                  <arg value="--description"/>
+                  <arg value="temurin build make arguments"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="make-arguments"/>
+                  <arg value="--name"/>
+                  <arg value="makejdk_any_platform_args"/>
+                  <arg value="--value"/>
+                  <arg value="--clean-git-repo --jdk-boot-dir /usr/lib/jvm/jdk-16 --configure-args  --disable-warnings-as-errors --enable-ccache --enable-dtrace --target-file-name OpenJDK17-jdk_x64_linux_hotspot_17_35.tar.gz --release --clean-libs --tag jdk-17+35_adopt --skip-freetype --use-jep319-certs --create-debug-image --build-variant hotspot jdk17"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="make-arguments"/>
+                  <arg value="--name"/>
+                  <arg value="make_command_args"/>
+                  <arg value="--value"/>
+                  <arg value="make product-images legacy-jre-image   test-image"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponent"/>
+                  <arg value="--compName"/>
+                  <arg value="configure_arguments"/>
+                  <arg value="--description"/>
+                  <arg value="temurin build configure arguments"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="configure_arguments"/>
+                  <arg value="--name"/>
+                  <arg value="configure_arguments"/>
+                  <arg value="--value"/>
+                  <arg value="CONFIGURE_ARGUMENTS..."/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponent"/>
+                  <arg value="--compName"/>
+                  <arg value="Temurin build scripts/source"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="Temurin build scripts/source"/>
+                  <arg value="--name"/>
+                  <arg value="openjdk_built_config"/>
+                  <arg value="--value"/>
+                  <arg value="OPENJDK_BUILT_CONFIG..."/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="Temurin build scripts/source"/>
+                  <arg value="--name"/>
+                  <arg value="openjdk-source"/>
+                  <arg value="--value"/>
+                  <arg value="https://github.com/adoptium/jdk17/commit/a5afad28437"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponent"/>
+                  <arg value="--compName"/>
+                  <arg value="docker container built"/>
+                  <arg value="--description"/>
+                  <arg value="If built within a docker container, SHA digest of the image it was built from"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="docker container built"/>
+                  <arg value="--name"/>
+                  <arg value="build_env_docker_image_digest"/>
+                  <arg value="--value"/>
+                  <arg value="[adoptopenjdk/centos6_build_image@sha256:e9fa19de1a830399a91044a277a6cca7bbd915322187825bfd4cfa752917adab]\n"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponent"/>
+                  <arg value="--compName"/>
+                  <arg value="Built binary java-version string"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addComponentProp"/>
+                  <arg value="--compName"/>
+                  <arg value="Built binary java-version string"/>
+                  <arg value="--name"/>
+                  <arg value="full_version_output"/>
+                  <arg value="--value"/>
+                  <arg value="openjdk version: 17 2021-09-14\nOpenJDK Runtime Environment Temurin-17+35 (build 17+35)\nOpenJDK 64-Bit Server VM Temurin-17+35 (build 17+35, mixed mode, sharing)\n"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addExternalReference"/>
+                  <arg value="--url"/>
+                  <arg value="https://github.com/adoptium/jdk17/commit/a5afad28437"/>
+                  <arg value="--hashes"/>
+                  <arg value="1234567890123456789012345678901234567890123456789012345678901234"/>
+                  <arg value="--comment"/>
+                  <arg value="openjdk_source"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addExternalReference"/>
+                  <arg value="--url"/>
+                  <arg value="https://ftp.osuosl.org/pub/blfs/conglomeration/alsa-lib/alsa-lib-1.1.6.tar.bz2"/>
+                  <arg value="--hashes"/>
+                  <arg value="1234567890123456789012345678901234567890123456789012345678901234"/>
+                  <arg value="--comment"/>
+                  <arg value="dependency_version_alsa"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addMetadata"/>
+                  <arg value="--metadataName"/>
+                  <arg value="Eclipse Adoptium"/>
+                  <arg value="--xmlFile"/>
+                 <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addFormulation"/>
+                  <arg value="--formulaName"/>
+                  <arg value="MyFormula"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addFormulationComp"/>
+                  <arg value="--formulaName"/>
+                  <arg value="MyFormula"/>
+                  <arg value="--name"/>
+                  <arg value="CycloneDX SHAs"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
+                <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
+                  <arg value="--verbose"/>
+                  <arg value="--addFormulationCompProp"/>
+                  <arg value="--formulaName"/>
+                  <arg value="MyFormula"/>
+                  <arg value="--compName"/>
+                  <arg value="CycloneDX SHAs"/>
+                  <arg value="--name"/>
+                  <arg value="CycloneDX core lib"/>
+                  <arg value="--value"/>
+                  <arg value="sha123"/>
+                  <arg value="--xmlFile"/>
+                  <arg value="${testSBOMFile_xml}"/>
+                </java>
         </target>
 
 	<macrodef name="get-component" description="Obtain the given component from the local cache if available or download, and verify its checksum.">
diff --git a/cyclonedx-lib/dependency_data/dependency_data.properties b/cyclonedx-lib/dependency_data/dependency_data.properties
index 4b5607d50..cb2d15487 100644
--- a/cyclonedx-lib/dependency_data/dependency_data.properties
+++ b/cyclonedx-lib/dependency_data/dependency_data.properties
@@ -21,11 +21,14 @@ commons-codec.jar=commons-codec-${commons-codec.version}.jar
 commons-collections4.version=4.4
 commons-collections4.sha256=1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
 commons-collections4.jar=commons-collections4-${commons-collections4.version}.jar
+commons-lang3.version=3.17.0
+commons-lang3.sha256=6ee731df5c8e5a2976a1ca023b6bb320ea8d3539fbe64c8a1d5cb765127c33b4
+commons-lang3.jar=commons-lang3-${commons-lang3.version}.jar
 commons-io.version=2.16.1
 commons-io.sha256=f41f7baacd716896447ace9758621f62c1c6b0a91d89acee488da26fc477c84f
 commons-io.jar=commons-io-${commons-io.version}.jar
-cyclonedx-core-java.version=9.0.5
-cyclonedx-core-java.sha256=9474c73a81d9be6206367d357a3449e03e70c69bc672d82be04f15806ef170fa
+cyclonedx-core-java.version=9.1.0
+cyclonedx-core-java.sha256=a911ee5e5ebdabc2b2c08d08f9c92c673c21965ee1b982f40fc166d80f1eb088
 cyclonedx-core-java.jar=cyclonedx-core-java-${cyclonedx-core-java.version}.jar
 github-package-url.version=1.5.0
 github-package-url.sha256=e45551727707acc0c56ac62d56964332ea0f138d6cc3656d988b9369150f5247
@@ -45,10 +48,17 @@ jackson-dataformat-xml.jar=jackson-dataformat-xml-${jackson-dataformat-xml.versi
 json-schema-validator.version=1.5.1
 json-schema-validator.sha256=de015f79d4a63d22c002bad76bb30c039cafa205465eef8770e2c6b85880ded7
 json-schema-validator.jar=json-schema-validator-${json-schema-validator.version}.jar
+stax2-api.version=4.2.2
+stax2-api.sha256=a61c48d553efad78bc01fffc4ac528bebbae64cbaec170b2a5e39cf61eb51abe
+stax2-api.jar=stax2-api-${stax2-api.version}.jar
+woodstox-core.version=7.1.0
+woodstox-core.sha256=81266920a1cdc47306a8a2b4726c99ec89b3fbf31c2470e4f5e477d9d857ca9f
+woodstox-core.jar=woodstox-core-${woodstox-core.version}.jar
 
 # Download URLs
 commons-codec.url=${maven.central.repo}/commons-codec/commons-codec/${commons-codec.version}/${commons-codec.jar}
 commons-collections4.url=${maven.central.repo}/org/apache/commons/commons-collections4/${commons-collections4.version}/${commons-collections4.jar}
+commons-lang3.url=${maven.central.repo}/org/apache/commons/commons-lang3/${commons-lang3.version}/${commons-lang3.jar}
 commons-io.url=${maven.central.repo}/commons-io/commons-io/${commons-io.version}/${commons-io.jar}
 cyclonedx-core-java.url=${maven.central.repo}/org/cyclonedx/cyclonedx-core-java/${cyclonedx-core-java.version}/${cyclonedx-core-java.jar}
 github-package-url.url=${maven.central.repo}/com/github/package-url/packageurl-java/${github-package-url.version}/${github-package-url.jar}
@@ -57,4 +67,6 @@ jackson-core.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-core/$
 jackson-databind.url=${maven.central.repo}/com/fasterxml/jackson/core/jackson-databind/${jackson-databind.version}/${jackson-databind.jar}
 jackson-dataformat-xml.url=${maven.central.repo}/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/${jackson-dataformat-xml.version}/${jackson-dataformat-xml.jar}
 json-schema-validator.url=${maven.central.repo}/com/networknt/json-schema-validator/${json-schema-validator.version}/${json-schema-validator.jar}
+stax2-api.url=${maven.central.repo}/org/codehaus/woodstox/stax2-api/${stax2-api.version}/${stax2-api.jar}
+woodstox-core.url=${maven.central.repo}/com/fasterxml/woodstox/woodstox-core/${woodstox-core.version}/${woodstox-core.jar}
 
diff --git a/cyclonedx-lib/sign_src/TemurinSignSBOM.java b/cyclonedx-lib/sign_src/TemurinSignSBOM.java
index 14784fc76..d9d35f105 100644
--- a/cyclonedx-lib/sign_src/TemurinSignSBOM.java
+++ b/cyclonedx-lib/sign_src/TemurinSignSBOM.java
@@ -60,7 +60,7 @@ private TemurinSignSBOM() {
      * @param args Arguments for sbom operation.
      */
     public static void main(final String[] args) {
-        String cmd = null;
+        String cmd = "";
         String privateKeyFile = null;
         String publicKeyFile = null;
         String fileName = null;
@@ -95,6 +95,8 @@ public static void main(final String[] args) {
         } else if (cmd.equals("verifySignature")) {
             success = verifySignature(fileName, publicKeyFile); // set success to the result of verifySignature
             System.out.println("Signature verification result: " + (success ? "Valid" : "Invalid"));
+        } else {
+            System.out.println("Please enter a command.");
         }
 
         // Set success to true only when the operation is completed successfully.
diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java
new file mode 100644
index 000000000..a1f02c0f1
--- /dev/null
+++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java
@@ -0,0 +1,336 @@
+/*
+ * ********************************************************************************
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Apache Software License 2.0
+ * which is available at https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ********************************************************************************
+ */
+
+package temurin.sbom;
+
+import org.cyclonedx.exception.GeneratorException;
+import org.cyclonedx.generators.json.BomJsonGenerator;
+import org.cyclonedx.generators.xml.BomXmlGenerator;
+import org.cyclonedx.model.Bom;
+import org.cyclonedx.model.Component;
+import org.cyclonedx.model.ExternalReference;
+import org.cyclonedx.model.Hash;
+import org.cyclonedx.model.OrganizationalEntity;
+import org.cyclonedx.model.attestation.Declarations;
+import org.cyclonedx.model.attestation.Assessor;
+import org.cyclonedx.model.attestation.Attestation;
+import org.cyclonedx.model.attestation.AttestationMap;
+import org.cyclonedx.model.attestation.Claim;
+import org.cyclonedx.model.attestation.affirmation.Affirmation;
+import org.cyclonedx.model.attestation.affirmation.Signatory;
+import org.cyclonedx.model.attestation.Targets;
+import org.cyclonedx.parsers.JsonParser;
+import org.cyclonedx.parsers.XmlParser;
+import org.cyclonedx.Version;
+import java.io.FileReader;
+import java.io.FileWriter;
+import java.util.List;
+import java.util.LinkedList;
+import java.util.UUID;
+
+/**
+ * Command line tool to construct a CycloneDX CDXA.
+ */
+public final class TemurinGenCDXA {
+
+    private static boolean verbose = false;
+    private static boolean useJson = false;
+
+    // Valid predicates
+    enum CDXAPredicate {
+                           VERIFIED_REPRODUCIBLE_BUILD
+                       };
+
+    private TemurinGenCDXA() {
+    }
+
+    /**
+     * Main entry.
+     * @param args Arguments for operation.
+     */
+    public static void main(final String[] args) {
+        String cmd = "";
+        String fileName = null;
+        String attestingOrgName = null;
+        String predicate = null;
+        String targetName = null;
+        String targetUrl = null;
+        String targetHash = null;
+        String affirmationStmt = null;
+        String affirmationWebsite = null;
+        boolean thirdParty = true;
+
+        for (int i = 0; i < args.length; i++) {
+            if (args[i].equals("--jsonFile")) {
+                fileName = args[++i];
+                useJson = true;
+            } else if (args[i].equals("--xmlFile")) {
+                fileName = args[++i];
+                useJson = false;
+            } else if (args[i].equals("--attesting-org-name")) {
+                attestingOrgName = args[++i];
+            } else if (args[i].equals("--predicate")) {
+                predicate = args[++i];
+            } else if (args[i].equals("--target-name")) {
+                targetName = args[++i];
+            } else if (args[i].equals("--target-url")) {
+                targetUrl = args[++i];
+            } else if (args[i].equals("--target-sha256-hash")) {
+                targetHash = args[++i];
+            } else if (args[i].equals("--affirmation-stmt")) {
+                affirmationStmt = args[++i];
+            } else if (args[i].equals("--affirmation-website")) {
+                affirmationWebsite = args[++i];
+            } else if (args[i].equals("--not-third-party")) {
+                thirdParty = false;
+            } else if (args[i].equals("--createNewCDXA")) {
+                cmd = "createCDXA";
+            } else if (args[i].equals("--verbose")) {
+                verbose = true;
+            }
+        }
+
+        switch (cmd) {
+            case "createCDXA":  // Create a new CDXA json file
+                Bom bom = createCdxa(fileName, attestingOrgName, predicate, targetName, targetUrl, targetHash, affirmationStmt, affirmationWebsite, thirdParty);
+                if (bom != null) {
+                    writeFile(bom, fileName);
+                } else {
+                    System.exit(1);
+                }
+                break;
+
+            default:
+                System.out.println("Please enter a command.");
+                System.exit(1);
+        }
+    }
+
+    static Bom createCdxa(final String fileName, final String attestingOrgName, final String predicate,
+                          final String targetName, final String targetUrl, final String targetHash,
+                          final String affirmationStmt, final String affirmationWebsite, final boolean thirdParty) {
+        // Validate inputs
+        boolean validInput = true;
+        if (fileName == null) {
+            System.out.println("--xmlFile|--jsonFile not specified");
+            validInput = false;
+         }
+        if (attestingOrgName == null) {
+            System.out.println("--attesting-org-name not specified");
+            validInput = false;
+        }
+        if (predicate == null) {
+            System.out.println("--predicate not specified"); validInput = false;
+        } else {
+            boolean validPred = false;
+            for (CDXAPredicate validPredicate : CDXAPredicate.values()) {
+                if (validPredicate.name().equals(predicate)) {
+                    validPred = true;
+                    break;
+                }
+            }
+            if (!validPred) {
+                System.out.println("--predicate " + predicate + " not a valid value");
+                validInput = false;
+            }
+        }
+        if (targetName == null) {
+            System.out.println("--target-name not specified");
+            validInput = false;
+        }
+        if (targetUrl == null) {
+            System.out.println("--target-url not specified");
+            validInput = false;
+        }
+        if (targetHash == null) {
+            System.out.println("--target-sha256-hash not specified");
+            validInput = false;
+        }
+        if (affirmationStmt == null) {
+            System.out.println("--affirmation-stmt not specified");
+            validInput = false;
+        }
+        if (affirmationWebsite == null) {
+            System.out.println("--affirmation-website not specified");
+            validInput = false;
+        }
+        if (!validInput) {
+            return null;
+        }
+
+        Declarations   declarations = new Declarations();
+        Assessor       assessor     = new Assessor();
+        Claim          claim        = new Claim();
+        Targets        targets      = new Targets();
+        Affirmation    affirmation  = new Affirmation();
+        Signatory      signatory    = new Signatory();
+        Attestation    attestation  = new Attestation();
+        AttestationMap attestationMap = new AttestationMap();
+
+        final String targetJdkBomRef  = "target-jdk-1";
+        final String assessorBomRef   = "assessor-1";
+        final String claimBomRef      = "claim-1";
+
+        // External reference to the target JDK
+        ExternalReference extRef = new ExternalReference();
+        Hash hash1 = new Hash(Hash.Algorithm.SHA_256, targetHash);
+        extRef.addHash(hash1);
+        extRef.setUrl(targetUrl);
+        extRef.setType(ExternalReference.Type.DISTRIBUTION);
+
+        // Target JDK Component
+        Component targetJDK = new Component();
+        targetJDK.setType(Component.Type.APPLICATION);
+        targetJDK.setName(targetName);
+        targetJDK.addExternalReference(extRef);
+        targetJDK.setBomRef(targetJdkBomRef);
+        List<Component> components = new LinkedList<Component>();
+        components.add(targetJDK);
+        targets.setComponents(components);
+        declarations.setTargets(targets);
+
+        // Assessor
+        assessor.setThirdParty(thirdParty);
+        OrganizationalEntity org = new OrganizationalEntity();
+        org.setName(attestingOrgName);
+        assessor.setOrganization(org);
+        assessor.setBomRef(assessorBomRef);
+        List<Assessor> assessors = new LinkedList<Assessor>();
+        assessors.add(assessor);
+        declarations.setAssessors(assessors);
+
+        // Claim
+        claim.setPredicate(predicate);
+        claim.setTarget(targetJDK.getBomRef());
+        claim.setBomRef(claimBomRef);
+        List<Claim> claims = new LinkedList<Claim>();
+        claims.add(claim);
+        declarations.setClaims(claims);
+
+        // Affirmation
+        affirmation.setStatement(affirmationStmt);
+        signatory.setOrganization(org);
+        ExternalReference orgExtRef = new ExternalReference();
+        orgExtRef.setUrl(affirmationWebsite);
+        orgExtRef.setType(ExternalReference.Type.WEBSITE);
+        signatory.setExternalReference(orgExtRef);
+        List<Signatory> signatories = new LinkedList<Signatory>();
+        signatories.add(signatory);
+        affirmation.setSignatories(signatories);
+        declarations.setAffirmation(affirmation);
+
+        // Construct the Attestation
+        attestation.setSummary("Eclipse Temurin Attestation");
+        attestation.setAssessor(assessor.getBomRef());
+        List<String> claimsList = new LinkedList<String>();
+        claimsList.add(claim.getBomRef());
+        attestationMap.setClaims(claimsList);
+        List<AttestationMap> attestationMaps = new LinkedList<AttestationMap>();
+        attestationMaps.add(attestationMap);
+        attestation.setMap(attestationMaps);
+        List<Attestation> attestations = new LinkedList<Attestation>();
+        attestations.add(attestation);
+        declarations.setAttestations(attestations);
+
+        // Create CDXA Bom
+        Bom cdxa = new Bom();
+        cdxa.setSerialNumber("urn:uuid:" + UUID.randomUUID());
+        cdxa.setDeclarations(declarations);
+
+        return cdxa;
+    }
+
+    static String generateBomJson(final Bom bom) throws GeneratorException {
+        // Use schema v16: https://cyclonedx.org/schema/bom-1.6.schema.json
+        BomJsonGenerator bomGen = new BomJsonGenerator(bom, Version.VERSION_16);
+        String json = bomGen.toJsonString();
+        return json;
+    }
+
+    static String generateBomXml(final Bom bom) throws GeneratorException {
+        BomXmlGenerator bomGen = new BomXmlGenerator(bom, Version.VERSION_16);
+        String xml = bomGen.toXmlString();
+        return xml;
+    }
+
+    // Writes the BOM object to the specified type of file
+    static void writeFile(final Bom bom, final String fileName) {
+        if (useJson) {
+            writeJSONfile(bom, fileName);
+        } else {
+            writeXMLfile(bom, fileName);
+        }
+    }
+
+    // Writes the BOM object to the specified JSON file.
+    static void writeJSONfile(final Bom bom, final String fileName) {
+        FileWriter file;
+        try {
+            String json = generateBomJson(bom);
+
+            file = new FileWriter(fileName);
+            file.write(json);
+            file.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+
+    // Writes the BOM object to the specified XML file.
+    static void writeXMLfile(final Bom bom, final String fileName) {
+        FileWriter file;
+        try {
+            String xml = generateBomXml(bom);
+
+            file = new FileWriter(fileName);
+            file.write(xml);
+            file.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+
+    // Returns a parsed BOM object from the specified file.
+    static Bom readJSONfile(final String fileName) {
+        Bom bom = null;
+        try {
+            FileReader reader = new FileReader(fileName);
+            JsonParser parser = new JsonParser();
+            bom = parser.parse(reader);
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        } finally {
+           return bom;
+        }
+    }
+
+    // Returns a parsed BOM object from the specified file.
+    static Bom readXMLfile(final String fileName) {
+        Bom bom = null;
+        try {
+            FileReader reader = new FileReader(fileName);
+            XmlParser parser = new XmlParser();
+            bom = parser.parse(reader);
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        } finally {
+           return bom;
+        }
+    }
+}
diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
index 639ed6737..4533a9c37 100644
--- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
+++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
@@ -17,9 +17,9 @@
 
 import org.cyclonedx.exception.GeneratorException;
 import org.cyclonedx.generators.json.BomJsonGenerator;
+import org.cyclonedx.generators.xml.BomXmlGenerator;
 import org.cyclonedx.model.Bom;
 import org.cyclonedx.model.Component;
-import org.cyclonedx.model.ExternalReference;
 import org.cyclonedx.model.formulation.Formula;
 import org.cyclonedx.model.Hash;
 import org.cyclonedx.model.Metadata;
@@ -28,12 +28,14 @@
 import org.cyclonedx.model.Property;
 import org.cyclonedx.model.Tool;
 import org.cyclonedx.parsers.JsonParser;
+import org.cyclonedx.parsers.XmlParser;
 import org.cyclonedx.Version;
 import java.io.FileReader;
 import java.io.FileWriter;
 import java.util.Collections;
 import java.util.List;
 import java.util.LinkedList;
+import java.util.UUID;
 
 /**
  * Command line tool to construct a CycloneDX SBOM.
@@ -41,6 +43,7 @@
 public final class TemurinGenSBOM {
 
     private static boolean verbose = false;
+    private static boolean useJson = false;
 
     private TemurinGenSBOM() {
     }
@@ -50,7 +53,7 @@ private TemurinGenSBOM() {
      * @param args Arguments for sbom operation.
      */
     public static void main(final String[] args) {
-        String cmd = null;
+        String cmd = "";
         String comment = null;
         String compName = null;
         String formulaName = null;
@@ -67,6 +70,10 @@ public static void main(final String[] args) {
         for (int i = 0; i < args.length; i++) {
             if (args[i].equals("--jsonFile")) {
                 fileName = args[++i];
+                useJson = true;
+            } else if (args[i].equals("--xmlFile")) {
+                fileName = args[++i];
+                useJson = false;
             } else if (args[i].equals("--version")) {
                 version = args[++i];
             } else if (args[i].equals("--name")) {
@@ -120,69 +127,60 @@ public static void main(final String[] args) {
             }
         }
         switch (cmd) {
-            case "createNewSBOM":                                    // Creates JSON file
+            case "createNewSBOM":                                    // Creates new SBOM
                 Bom bom = createBom();
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addMetadata":                                      // Adds Metadata --> name
                 bom = addMetadata(fileName);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addMetadataComponent":                             // Adds Metadata --> Component --> name
                 bom = addMetadataComponent(fileName, name, type, version, description);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addMetadataProperty":                              // Adds MetaData --> Property --> name-value:
                 bom = addMetadataProperty(fileName, name, value);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addFormulation":                                   // Adds Formulation --> name
                 bom = addFormulation(fileName, formulaName);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addFormulationComp":                               // Adds Formulation --> Component--> name
                 bom = addFormulationComp(fileName, formulaName, name, type);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
             case "addFormulationCompProp":                           // Adds Formulation --> Component -> name-value:
                 bom = addFormulationCompProp(fileName, formulaName, compName, name, value);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addMetadataTools":
                 bom = addMetadataTools(fileName, tool, version);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addComponent":                                     // Adds Components --> Component --> name
                 bom = addComponent(fileName, compName, version, description);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addComponentHash":                                 // Adds Components --> Component --> hash
                 bom = addComponentHash(fileName, compName, hash);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
             case "addComponentProp":                                 // Adds Components --> Component --> name-value pairs
                 bom = addComponentProperty(fileName, compName, name, value);
-                writeJSONfile(bom, fileName);
-                break;
-
-            case "addExternalReference":                             // Adds external Reference
-                bom = addExternalReference(fileName, hash, url, comment);
-                writeJSONfile(bom, fileName);
+                writeFile(bom, fileName);
                 break;
 
-            case "addComponentExternalReference":                    // Adds external Reference to component
-                bom = addComponentExternalReference(fileName, hash, url, comment);
-                writeJSONfile(bom, fileName);
-                break;
             default:
                 System.out.println("Please enter a command.");
         }
@@ -194,12 +192,13 @@ public static void main(final String[] args) {
      */
     static Bom createBom() {
         Bom bom = new Bom();
+        bom.setSerialNumber("urn:uuid:" + UUID.randomUUID());
         return bom;
     }
 
     // Method to store Metadata --> name.
     static Bom addMetadata(final String fileName) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         Metadata meta = new Metadata();
         OrganizationalEntity org = new OrganizationalEntity();
         org.setName("Eclipse Foundation");
@@ -213,7 +212,7 @@ static Bom addMetadata(final String fileName) {
     }
 
     static Bom addMetadataComponent(final String fileName, final String name, final String type, final String version, final String description) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         Metadata meta = new Metadata();
         Component comp = new Component();
         Component.Type compType = Component.Type.FRAMEWORK;
@@ -235,7 +234,7 @@ static Bom addMetadataComponent(final String fileName, final String name, final
 
     // Method to store Metadata --> Properties List --> name-values.
     static Bom addMetadataProperty(final String fileName, final String name, final String value) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         Metadata meta = new Metadata();
         Property prop1 = new Property();
         meta = bom.getMetadata();
@@ -247,7 +246,7 @@ static Bom addMetadataProperty(final String fileName, final String name, final S
     }
 
     static Bom addMetadataTools(final String fileName, final String toolName, final String version) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         Metadata meta = new Metadata();
         Tool tool = new Tool();
         meta = bom.getMetadata();
@@ -260,7 +259,7 @@ static Bom addMetadataTools(final String fileName, final String toolName, final
 
     // Method to store Component --> name & single name-value pair.
     static Bom addComponent(final String fileName, final String compName, final String version, final String description) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         Component comp = new Component();
         comp.setName(compName);
         comp.setVersion(version);
@@ -274,7 +273,7 @@ static Bom addComponent(final String fileName, final String compName, final Stri
     }
 
     static Bom addComponentHash(final String fileName, final String compName, final String hash) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         List<Component> componentArrayList = bom.getComponents();
         for (Component item : componentArrayList) {
             if (item.getName().equals(compName)) {
@@ -287,7 +286,7 @@ static Bom addComponentHash(final String fileName, final String compName, final
 
     // Method to add Component --> Property --> name-value pairs.
     static Bom addComponentProperty(final String fileName, final String compName, final String name, final String value) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         List<Component> componentArrayList = bom.getComponents();
         for (Component item : componentArrayList) {
             if (item.getName().equals(compName)) {
@@ -300,36 +299,8 @@ static Bom addComponentProperty(final String fileName, final String compName, fi
         return bom;
     }
 
-    // Method to store externalReferences: dependency_version_alsa.
-    static Bom addExternalReference(final String fileName, final String hash, final String url, final String comment) {
-        Bom bom = readJSONfile(fileName);
-        ExternalReference extRef = new ExternalReference();
-        Hash hash1 = new Hash(Hash.Algorithm.SHA3_256, hash);
-        extRef.setType(ExternalReference.Type.BUILD_SYSTEM); //required
-        extRef.setUrl(url); // required must be a valid URL with protocol
-        extRef.setComment(comment);
-        extRef.addHash(hash1);
-        bom.addExternalReference(extRef);
-        return bom;
-    }
-
-    // Method to store externalReferences to store: openjdk_source.
-    static Bom addComponentExternalReference(final String fileName, final String hash, final String url, final String comment) {
-        Bom bom = readJSONfile(fileName);
-        ExternalReference extRef = new ExternalReference();
-        Hash hash1 = new Hash(Hash.Algorithm.SHA3_256, hash);
-        Component comp = new Component();
-        extRef.addHash(hash1);
-        extRef.setUrl(url);
-        extRef.setComment(comment); //"openjdk_source"
-        extRef.setType(ExternalReference.Type.BUILD_SYSTEM);
-        comp.addExternalReference(extRef);
-        bom.addComponent(comp);
-        return bom;
-    }
-
     static Bom addFormulation(final String fileName, final String name) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         List<Formula> formulation = bom.getFormulation();
         if (formulation == null) {
             formulation = new LinkedList<Formula>();
@@ -343,7 +314,7 @@ static Bom addFormulation(final String fileName, final String name) {
     }
 
    static Bom addFormulationComp(final String fileName, final String formulaName, final String name, final String type) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         if (formulaName == null) {
            System.out.println("addFormulationComp: formulaName is null");
            return bom;
@@ -376,7 +347,7 @@ static Bom addFormulationComp(final String fileName, final String formulaName, f
     }
 
     static Bom addFormulationCompProp(final String fileName, final String formulaName, final String componentName, final String name, final String value) {
-        Bom bom = readJSONfile(fileName);
+        Bom bom = readFile(fileName);
         boolean foundFormula = false;
         boolean foundComponent = false;
         List<Formula> formulation = bom.getFormulation();
@@ -417,6 +388,32 @@ static String generateBomJson(final Bom bom) throws GeneratorException {
         return json;
     }
 
+    static String generateBomXml(final Bom bom) throws GeneratorException {
+        BomXmlGenerator bomGen = new BomXmlGenerator(bom, Version.VERSION_16);
+        String xml = bomGen.toXmlString();
+        return xml;
+    }
+
+    // Writes the BOM object to the specified type of file
+    static void writeFile(final Bom bom, final String fileName) {
+        if (useJson) {
+            writeJSONfile(bom, fileName);
+        } else {
+            writeXMLfile(bom, fileName);
+        }
+    }
+
+    // Read the BOM object from the specified type of file
+    static Bom readFile(final String fileName) {
+        Bom bom;
+        if (useJson) {
+            bom = readJSONfile(fileName);
+        } else {
+            bom = readXMLfile(fileName);
+        }
+        return bom;
+    }
+
     // Writes the BOM object to the specified file.
     static void writeJSONfile(final Bom bom, final String fileName) {
         FileWriter file;
@@ -432,6 +429,21 @@ static void writeJSONfile(final Bom bom, final String fileName) {
         }
     }
 
+    // Writes the BOM object to the specified XML file.
+    static void writeXMLfile(final Bom bom, final String fileName) {
+        FileWriter file;
+        try {
+            String xml = generateBomXml(bom);
+
+            file = new FileWriter(fileName);
+            file.write(xml);
+            file.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+
     // Returns a parsed BOM object from the specified file.
     static Bom readJSONfile(final String fileName) {
         Bom bom = null;
@@ -446,4 +458,19 @@ static Bom readJSONfile(final String fileName) {
            return bom;
         }
     }
+
+    // Returns a parsed BOM object from the specified file.
+    static Bom readXMLfile(final String fileName) {
+        Bom bom = null;
+        try {
+            FileReader reader = new FileReader(fileName);
+            XmlParser parser = new XmlParser();
+            bom = parser.parse(reader);
+        } catch (Exception e) {
+            e.printStackTrace();
+            System.exit(1);
+        } finally {
+           return bom;
+        }
+    }
 }
diff --git a/sbin/common/sbom.sh b/sbin/common/sbom.sh
index 945389b68..7fd7869aa 100755
--- a/sbin/common/sbom.sh
+++ b/sbin/common/sbom.sh
@@ -205,18 +205,3 @@ addSBOMComponentPropertyFromFile() {
   fi
 }
 
-# Function not in use
-# Ref: https://cyclonedx.org/docs/1.4/json/#externalReferences
-addExternalReference() {
-  local javaHome="${1}"
-  local classpath="${2}"
-  local jsonFile="${3}"
-  local url="${4}" # required
-  local comment="${5}"
-  local hash="${6}"
-  if [ -z "${hash}" ]; then
-    "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addExternalReference --jsonFile "${jsonFile}" --url "${url}" --comment "${comment}" --hash "${hash}"
-  else
-    "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addExternalReference --jsonFile "${jsonFile}" --url "${url}" --comment "${comment}"
-  fi
-}