You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@avro.apache.org by "Ryan Skraba (Jira)" <ji...@apache.org> on 2023/05/25 18:42:00 UTC
[jira] [Updated] (AVRO-3700) Publish Java SBOM artifacts with CycloneDX
[ https://issues.apache.org/jira/browse/AVRO-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ryan Skraba updated AVRO-3700:
------------------------------
Fix Version/s: 1.11.2
> Publish Java SBOM artifacts with CycloneDX
> ------------------------------------------
>
> Key: AVRO-3700
> URL: https://issues.apache.org/jira/browse/AVRO-3700
> Project: Apache Avro
> Issue Type: Sub-task
> Components: build
> Affects Versions: 1.12.0
> Reporter: Dongjoon Hyun
> Assignee: Dongjoon Hyun
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.12.0, 1.11.2
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> h3. Why are the changes needed?
> Here is an article to give some context.
> - [https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/]
> Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX]([https://cyclonedx.org/]), [Software Identification (SWID) tag]([https://csrc.nist.gov/projects/Software-Identification-SWID]), [Software Package Data Exchange® (SPDX)]([https://spdx.dev/]).
> This PR uses [CycloneDX maven plugin]([https://github.com/CycloneDX/cyclonedx-maven-plugin]), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)