You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@avro.apache.org by "Ryan Skraba (Jira)" <ji...@apache.org> on 2023/05/25 18:42:00 UTC

[jira] [Updated] (AVRO-3700) Publish Java SBOM artifacts with CycloneDX

     [ https://issues.apache.org/jira/browse/AVRO-3700?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Skraba updated AVRO-3700:
------------------------------
    Fix Version/s: 1.11.2

> Publish Java SBOM artifacts with CycloneDX
> ------------------------------------------
>
>                 Key: AVRO-3700
>                 URL: https://issues.apache.org/jira/browse/AVRO-3700
>             Project: Apache Avro
>          Issue Type: Sub-task
>          Components: build
>    Affects Versions: 1.12.0
>            Reporter: Dongjoon Hyun
>            Assignee: Dongjoon Hyun
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.12.0, 1.11.2
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> h3. Why are the changes needed?
> Here is an article to give some context.
>  - [https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/]
> Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX]([https://cyclonedx.org/]), [Software Identification (SWID) tag]([https://csrc.nist.gov/projects/Software-Identification-SWID]), [Software Package Data Exchange® (SPDX)]([https://spdx.dev/]).
> This PR uses [CycloneDX maven plugin]([https://github.com/CycloneDX/cyclonedx-maven-plugin]), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)