Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2022/07/14 02:54:12 UTC

[GitHub] [commons-parent] stevespringett commented on pull request #122: Added SBOM generation

stevespringett commented on PR #122:
URL: https://github.com/apache/commons-parent/pull/122#issuecomment-1183926594

   I've tested with commons-lang and commons-collections, both of which are single module projects. I just tested with commons-vfs and it appears to work as expected. Commons VFS is a multi-module project. As a result, every module will have a dedicated bom in each module's target directory.
   
   If the commons project uses the Maven release plugin, then you can expect the CycloneDX BOMs to be attached as part of the release process and published to Maven Central. 
   
   For example:
   https://repo1.maven.org/maven2/io/dropwizard/dropwizard-core/2.1.1/
   
   This is really the ultimate goal: For every commons project to start publishing boms to Central upon release.
   
   As @darkma773r pointed out, SBOMs are used primarily for Cybersecurity use cases - but license and other use cases are possible. Tools exist that allow consumers to analyze SBOMs to identify potential risk.
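The consumer side that the comment refers to, as an added example that is not part of the PR or of the CycloneDX Maven plugin: a small script that loads a CycloneDX JSON BOM of the kind the plugin writes to a module's target directory, builds a component inventory from the purl and license fields, flags components whose declared license is outside an allow-list or missing, and cross-references purls against an advisory map. The BOM, the allow-list and the advisory map are all constructed placeholders for the example; the field names follow the CycloneDX JSON schema (`components`, `purl`, `licenses[].license.id`).

```python
"""Inventory and policy checks over a CycloneDX JSON BOM (added example, not project code)."""
import json

# Constructed sample BOM in CycloneDX JSON shape; not produced from any real project.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "library", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "widget", "version": "2.3.1",
         "purl": "pkg:maven/org.example/widget@2.3.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "org.example", "name": "gadget", "version": "0.9.0",
         "purl": "pkg:maven/org.example/gadget@0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # Component with no license metadata at all: a finding in its own right.
        {"type": "library", "group": "org.example", "name": "nolicense", "version": "1.0",
         "purl": "pkg:maven/org.example/nolicense@1.0"},
    ],
})

# Constructed policy: licenses this (hypothetical) consumer is willing to ship.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# Constructed advisory map keyed by purl; the values are placeholder identifiers,
# not real advisories. A real consumer would populate this from its vulnerability feed.
PLACEHOLDER_ADVISORIES = {
    "pkg:maven/org.example/gadget@0.9.0": "PLACEHOLDER-ADVISORY-1",
}


def load_bom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    return bom


def component_purl(component):
    """Prefer the purl; fall back to Maven coordinates when a component lacks one."""
    return component.get("purl") or "{}:{}:{}".format(
        component.get("group", ""), component["name"], component.get("version", ""))


def component_licenses(component):
    """Collect license ids, names or SPDX expressions declared on a component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
        elif "name" in lic:
            ids.append(lic["name"])
        elif "expression" in entry:
            ids.append(entry["expression"])
    return ids


def inventory(bom):
    """Return (purl, [license ids]) for every component in the BOM."""
    return [(component_purl(c), component_licenses(c)) for c in bom.get("components", [])]


def license_findings(bom, allowed=ALLOWED_LICENSES):
    """Flag components with no declared license or a license outside the allow-list."""
    findings = []
    for purl, lics in inventory(bom):
        if not lics:
            findings.append((purl, "no license declared"))
            continue
        for lic in lics:
            if lic not in allowed:
                findings.append((purl, "license {} not in allow-list".format(lic)))
    return findings


def affected_components(bom, advisories=PLACEHOLDER_ADVISORIES):
    """Exact purl match against an advisory map; a real tool would also match version ranges."""
    return [(purl, advisories[purl]) for purl, _ in inventory(bom) if purl in advisories]


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    for purl, lics in inventory(bom):
        print(purl, lics)
    for finding in license_findings(bom) + affected_components(bom):
        print("FINDING:", *finding)
```

For a multi-module build such as commons-vfs, each module's BOM would be loaded and checked in turn; the purl-based matching is what makes the BOMs published to Maven Central useful to downstream consumers, since a purl identifies the exact artifact version independently of how the consumer obtained it.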

