Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2022/01/20 00:16:00 UTC
[jira] [Updated] (LOG4J2-3354) Publish an SBOM with Log4j
[ https://issues.apache.org/jira/browse/LOG4J2-3354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Sicker updated LOG4J2-3354:
--------------------------------
Description:
Log4j should publish a software bill of materials (SBOM) on each release to enable end users to more easily discover which versions of both Log4j and related dependencies are in use in their software. [Sonatype has a blog post explaining what an SBOM is|https://blog.sonatype.com/what-is-a-software-bill-of-materials], and OWASP has a tool called [CycloneDX|https://cyclonedx.org/] which has a [Maven plugin|https://github.com/CycloneDX/cyclonedx-maven-plugin] which we could potentially use for this.
Open questions:
* Do SBOM files get published to Maven Central as additional artifacts?
* Do we add SBOM files to the source and binary archives?
* Should the generated SBOM only include required dependencies? This last bit is less obvious since we're a library, so the end user can always override their full dependency tree when building their app.
More options for generating an SBOM:
* [https://github.com/opensbom-generator/spdx-sbom-generator]
* [https://dependencytrack.org|https://dependencytrack.org/] - integrates with CycloneDX (all OWASP tools)
More information about what an SBOM is, related standards, etc.: [https://www.ntia.gov/SBOM]
was:
Log4j should publish a software bill of materials (SBOM) on each release to enable end users to more easily discover which versions of both Log4j and related dependencies are in use in their software. [Sonatype has a blog post explaining what an SBOM is|https://blog.sonatype.com/what-is-a-software-bill-of-materials], and OWASP has a tool called [CycloneDX|https://cyclonedx.org/] which has a [Maven plugin|https://github.com/CycloneDX/cyclonedx-maven-plugin] which we could potentially use for this.
Open questions:
* Do SBOM files get published to Maven Central as additional artifacts?
* Do we add SBOM files to the source and binary archives?
* Should the generated SBOM only include required dependencies? This last bit is less obvious since we're a library, so the end user can always override their full dependency tree when building their app.
More options for generating an SBOM:
* [https://github.com/opensbom-generator/spdx-sbom-generator]
* [https://dependencytrack.org|https://dependencytrack.org/] - integrates with CycloneDX (all OWASP tools)
> Publish an SBOM with Log4j
> --------------------------
>
> Key: LOG4J2-3354
> URL: https://issues.apache.org/jira/browse/LOG4J2-3354
> Project: Log4j 2
> Issue Type: New Feature
> Components: Build
> Reporter: Matt Sicker
> Priority: Major
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
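As an added example (not part of the issue text or of the Log4j project's build), here is how an end user would consume the CycloneDX JSON that the Maven plugin produces to answer the questions the issue raises: which Log4j version is in a build, which listed components are required rather than optional (the CycloneDX component scope field), and what a component pulls in transitively. The BOM below is constructed for the example; its version numbers and the com.example component are made up.

```python
import json
# Constructed CycloneDX 1.4 JSON in the shape cyclonedx-maven-plugin emits for a
# library; every version number and the com.example component are made up.
SAMPLE_BOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "library", "group": "org.apache.logging.log4j",
    "name": "log4j-core", "version": "9.9.9",
    "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@9.9.9"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "9.9.9", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@9.9.9"},
    {"type": "library", "group": "com.example", "name": "json-lib", "version": "1.2.3",
     "scope": "optional", "purl": "pkg:maven/com.example/json-lib@1.2.3"}],
  "dependencies": [
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@9.9.9", "dependsOn": [
      "pkg:maven/org.apache.logging.log4j/log4j-api@9.9.9", "pkg:maven/com.example/json-lib@1.2.3"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-api@9.9.9", "dependsOn": []},
    {"ref": "pkg:maven/com.example/json-lib@1.2.3", "dependsOn": []}]
}"""

def load_bom(text):
    # Parse and reject anything that does not declare itself a CycloneDX BOM.
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX BOM")
    return bom

def versions_of(bom, group, name):
    # Which version(s) of a Maven coordinate the BOM says are in this build,
    # checking the BOM's subject (metadata.component) and every listed component.
    comps = [bom.get("metadata", {}).get("component", {})] + bom.get("components", [])
    return sorted({c["version"] for c in comps
                   if c.get("group") == group and c.get("name") == name})

def required_purls(bom):
    # Components with scope "required"; the spec says a missing scope means
    # required, so only explicit "optional"/"excluded" entries drop out.
    return sorted(c["purl"] for c in bom.get("components", [])
                  if c.get("scope", "required") == "required")

def transitive_deps(bom, ref):
    # Everything reachable from ref through the "dependencies" graph.
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        purl = stack.pop()
        if purl not in seen:
            seen.add(purl)
            stack.extend(graph.get(purl, []))
    return sorted(seen)
```

Run against a real BOM downloaded alongside a release, the same three calls tell a consumer what shipped without unpacking jars, and the scope field is what makes the "required only" question in the issue answerable on the consumer side.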