Security Best Practices: CycloneDX Maven Plugin for generating SBOMs #1360
Comments
The plugin is known to not work well for Tycho / Eclipse projects and the maintainers are not planning to add support here, so I don't expect much value here for m2e or any Eclipse Project unless major parts are moved to plain maven dependencies:
Hi @laeubi, Thanks for the feedback. I am having a look into the issue pointed out, and I have already updated the PR providing the outcome requested for the last commit. I feel that, even though CycloneDX may not suit Tycho / Eclipse, for this project it provides helpful information about all dependencies from a security point of view. What do you think? Kind Regards,
I think cyclone should at least support Another question would be who is supposed to read that data? As m2e is mostly used inside Eclipse adding that data (should it become part of the jar?) seems a bit superfluous if there is no plan for Eclipse/P2 to read that data and do anything useful with it, and if used by maven these tools might have no idea about the
Try adding
Hi, Closed the PR #1361 because currently we don't have a solution for Tycho-based builds. I am wondering if you prefer to keep this ticket open until we have a solution. Do you prefer to leave it open? Thanks,
Hi,
As part of the ongoing effort to improve the security of the project from the Security Team of the Eclipse Foundation, we are adding the CycloneDX Maven Plugin to the project's POM file.
This plugin will help to generate a Software Bill of Materials (SBOM), which will provide greater visibility into the project's dependencies and enhance the overall security.
We welcome any feedback or questions about this update, so please don't hesitate to reach out if there are any concerns or if there's anything we can help with.
Thanks.
Kind Regards,
Francisco Perez