AVRO-3700: Publish Java SBOM artifacts with CycloneDX #2046
Conversation
One question @dongjoon-hyun: I am kind of new in the SBOM world, but looking around it seems like there are 3 big standards. Any reason to choose the CycloneDX one over SPDX (which seems to be the one being pushed by the Linux Foundation)? I am ok with merging this as it is, just curious. Better to have one than none :) I am also wondering what other Apache projects use. Just from a quick look it seems not even Log4j, with all the mess of the last year, is publishing their SBOM, and there are no recommendations yet from the security group at the ASF.
Yes, among those three standards, Although this PR delivers
For the second question, I also searched some references in ASF foundation, but I could not find any. So, I'm proposing and leading in the following way, @iemejia .
LGTM
Excellent initiative @dongjoon-hyun! For future ref if someone tumbles into this PR/ticket there is ongoing discussion at the ASF about a possible standard for SBOM so this might evolve/change in the future.
https://cwiki.apache.org/confluence/display/COMDEV/SBOM
Oh, thank you for that info. @iemejia
What is the purpose of the change
This PR aims to publish SBOM artifacts.
Here is an article to give some context.
Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: CycloneDX, Software Identification (SWID) tag, Software Package Data Exchange® (SPDX).
This PR uses the CycloneDX Maven plugin, a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
Verifying this change
Manually verify with the following procedure.
avro-1.12.0-SNAPSHOT.jar will have avro-1.12.0-SNAPSHOT-cyclonedx.xml and avro-1.12.0-SNAPSHOT-cyclonedx.json BOM files.
Documentation
This is a build-only change.
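A consumer-side sanity check of the published JSON BOM, as an added example that is not part of this PR or of Avro's build. It parses a constructed CycloneDX 1.4 document shaped like the avro-1.12.0-SNAPSHOT-cyclonedx.json the build emits (the org.example dependency entries are placeholders, not Avro's real dependency tree), confirms the metadata component matches the jar the BOM was published next to, flags components without a purl or hashes and dependency refs that point at undeclared components, and walks the dependency graph to list the transitive closure. The `check_bom`, `root_component_matches` and `transitive_dependencies` helpers are names chosen here, not anything from the CycloneDX plugin.

```python
"""Sanity-check a CycloneDX JSON BOM before trusting it for supply-chain analysis."""
import json
from typing import List

# Constructed sample BOM (not Avro's real output): the root component is the
# Avro jar named in the PR; the org.example dependencies are placeholders.
AVRO_REF = "pkg:maven/org.apache.avro/avro@1.12.0-SNAPSHOT?type=jar"
DEP_A = "pkg:maven/org.example/dep-a@1.0.0?type=jar"
DEP_B = "pkg:maven/org.example/dep-b@2.3.1?type=jar"

SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {
        "type": "library", "group": "org.apache.avro", "name": "avro",
        "version": "1.12.0-SNAPSHOT", "purl": AVRO_REF, "bom-ref": AVRO_REF}},
    "components": [
        {"type": "library", "group": "org.example", "name": "dep-a", "version": "1.0.0",
         "purl": DEP_A, "bom-ref": DEP_A,
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        # dep-b deliberately carries no hashes, so the check below flags it:
        # without a digest the BOM entry cannot be tied to a concrete artifact.
        {"type": "library", "group": "org.example", "name": "dep-b", "version": "2.3.1",
         "purl": DEP_B, "bom-ref": DEP_B},
    ],
    "dependencies": [
        {"ref": AVRO_REF, "dependsOn": [DEP_A]},
        {"ref": DEP_A, "dependsOn": [DEP_B]},
        {"ref": DEP_B, "dependsOn": []},
    ],
})

# Second constructed BOM with dep-b dropped from "components" but still
# referenced from "dependencies": a dangling ref that must be reported.
_broken = json.loads(SAMPLE_BOM)
_broken["components"] = [c for c in _broken["components"] if c["name"] != "dep-b"]
BROKEN_BOM = json.dumps(_broken)


def check_bom(text: str) -> List[str]:
    """Return the problems found; an empty list means the BOM passed every check."""
    bom = json.loads(text)
    problems: List[str] = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if not str(bom.get("specVersion", "")).startswith("1."):
        problems.append("unexpected specVersion")
    if not str(bom.get("serialNumber", "")).startswith("urn:uuid:"):
        problems.append("serialNumber is not a urn:uuid")
    # Every ref used in the dependency graph must resolve to a declared component.
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in root:
        refs.add(root["bom-ref"])
    for c in bom.get("components", []):
        if "purl" not in c:
            problems.append(f"component {c.get('name')} has no purl")
        if not c.get("hashes"):
            problems.append(f"component {c.get('name')} has no hashes")
    for dep in bom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in refs:
                problems.append(f"{dep['ref']} depends on undeclared {target}")
        if dep["ref"] not in refs:
            problems.append(f"dependency ref {dep['ref']} is not a declared component")
    return problems


def root_component_matches(text: str, jar_name: str) -> bool:
    """True when metadata.component describes the jar the BOM sits beside."""
    root = json.loads(text)["metadata"]["component"]
    return jar_name == f"{root['name']}-{root['version']}.jar"


def transitive_dependencies(text: str) -> List[str]:
    """Sorted purls reachable from the root component through the dependency graph."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), [root]
    while stack:
        for child in graph.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


if __name__ == "__main__":
    print("problems:", check_bom(SAMPLE_BOM))
    print("matches jar:", root_component_matches(SAMPLE_BOM, "avro-1.12.0-SNAPSHOT.jar"))
    print("transitive:", transitive_dependencies(SAMPLE_BOM))
    print("broken BOM problems:", check_bom(BROKEN_BOM))
```

Run it against the real avro-1.12.0-SNAPSHOT-cyclonedx.json by replacing `SAMPLE_BOM` with the file's contents; the same checks apply, and the missing-hashes and dangling-ref cases are the two most common ways a generated BOM turns out to be unusable for downstream matching.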