Posted to commits@logging.apache.org by vy...@apache.org on 2023/10/20 13:29:43 UTC
[logging-log4j-tools] 03/04: Implement and document SBOM (apache/logging-log4j2#1707)
This is an automated email from the ASF dual-hosted git repository.
vy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/logging-log4j-tools.git
commit cd5dc8ebff4f879cf206880448ac144127b2ab8c
Author: Volkan Yazıcı <vo...@yazi.ci>
AuthorDate: Fri Oct 20 15:28:40 2023 +0200
Implement and document SBOM (apache/logging-log4j2#1707)
---
src/changelog/.0.x.x/add-sbom.xml | 24 ++++++++++++++++++++++++
src/site/index.adoc | 32 ++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
diff --git a/src/changelog/.0.x.x/add-sbom.xml b/src/changelog/.0.x.x/add-sbom.xml
new file mode 100644
index 0000000..3a9235e
--- /dev/null
+++ b/src/changelog/.0.x.x/add-sbom.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to you under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://logging.apache.org/log4j/changelog"
+ xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+ type="added">
+ <author id="github:vy"/>
+ <description format="asciidoc">Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`</description>
+</entry>
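Review bot: The commit title ties this change to apache/logging-log4j2#1707, but the entry itself carries no issue reference, so the generated changelog will not link back to the issue that motivated it; if the changelog schema in use supports an issue element alongside `<author>`, adding one with that id would keep the release notes traceable. The description also names `logging-parent` `10.2.0` as the trigger while the accompanying site text announces the SBOM "starting with version `0.6.0`"; stating both in one place (the parent version that enabled it and the first release that ships it) would avoid readers having to reconcile the two.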
diff --git a/src/site/index.adoc b/src/site/index.adoc
index 50158af..73ff872 100644
--- a/src/site/index.adoc
+++ b/src/site/index.adoc
@@ -58,6 +58,38 @@ In accordance with the Apache Software Foundation's release https://infra.apache
See xref:#release-instructions[the release instructions] for details.
+[#maven-bom]
+=== Maven Bill of Materials (BOM)
+
+To keep your {project-name} module versions aligned, a https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms[Maven Bill of Materials (BOM) POM] is provided for your convenience.
+
+To use this with Maven, add the dependency listed below to your `pom.xml` file.
+Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
+This will _import_ all modules bundled with the associated Log4j release to your `dependencyManagement`.
+As a result, you don't have to specify versions of the imported modules (`log4j-changelog`, `log4j-changelog-maven-plugin`, etc.) while using them.
+
+.`pom.xml` snippet importing `log4j-tools-bom`
+[source,subs="+attributes"]
+----
+<dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-tools-bom</artifactId>
+ <version>{project-version}</version>
+ <scope>import</scope>
+ <type>pom</type>
+ </dependency>
+ </dependencies>
+</dependencyManagement>
+----
+
+[#cyclonedx-sbom]
+=== CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `0.6.0`, {project-name} distributes https://cyclonedx.org/capabilities/sbom/[CyclenoDX Software Bill of Materials (SBOM)] along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
+
[#support]
== Support
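Review bot: The link text on the SBOM line misspells the format as "CyclenoDX"; it should read "CycloneDX" to match the heading and the linked site. Two smaller wording points in the BOM section: "Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction." is a fragment and should read "Note the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.", and "to your `dependencyManagement`" would be clearer as "into your `<dependencyManagement>` section". Finally, the SBOM section says an SBOM ships "along with each deployed artifact" but does not say how it is published (file name or Maven classifier) or that it is signed like the other deployed files; a sentence on where consumers find the SBOM and how to verify it would make the section actionable for anyone using it to audit their dependency tree, and the commit title mentions only the SBOM although the diff also adds the Maven BOM section.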