Posted to issues@solr.apache.org by "Arnout Engelen (Jira)" <ji...@apache.org> on 2023/05/11 10:39:00 UTC

[jira] [Updated] (SOLR-16796) Publish an SBOM for Solr artifacts

     [ https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arnout Engelen updated SOLR-16796:
----------------------------------
    Description: 
It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for its artifacts. An SBOM gives an overview of the components included in the artifact, which can be useful for example for scanner software that looks for dependencies with potential security vulnerabilities.

Such consumers of the SBOM should probably combine it with the VEX published for Solr ([https://solr.apache.org/security.html#vex]) to avoid getting reports for known false positives.

Draft PR starting point for this is at [https://github.com/apache/solr/pull/1203]

  was:
It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for its artifacts. An SBOM gives an overview of the components included in the artifact, which can be useful for example for scanner software that looks for dependencies with potential security vulnerabilities.

Such consumers of the SBOM should probably combine it with the VEX published for Solr ([https://solr.apache.org/security.html#vex]) to avoid getting reports for known false positives.


> Publish an SBOM for Solr artifacts
> ----------------------------------
>
>                 Key: SOLR-16796
>                 URL: https://issues.apache.org/jira/browse/SOLR-16796
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Build
>            Reporter: Arnout Engelen
>            Priority: Minor
>
> It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for its artifacts. An SBOM gives an overview of the components included in the artifact, which can be useful for example for scanner software that looks for dependencies with potential security vulnerabilities.
> Such consumers of the SBOM should probably combine it with the VEX published for Solr ([https://solr.apache.org/security.html#vex]) to avoid getting reports for known false positives.
> Draft PR starting point for this is at [https://github.com/apache/solr/pull/1203]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
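As an added illustration, not part of this issue or of the Solr project, of how an SBOM consumer might combine scanner findings with the published VEX to drop known false positives. It assumes CycloneDX-style JSON for both documents and uses constructed sample data with placeholder CVE ids.

```python
import json

# Constructed sample SBOM in CycloneDX-style JSON (not Solr's real SBOM).
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"bom-ref": "pkg:maven/example/lib-a@1.0", "name": "lib-a", "version": "1.0"},
    {"bom-ref": "pkg:maven/example/lib-b@2.3", "name": "lib-b", "version": "2.3"},
]})

# Constructed sample VEX in CycloneDX style; the CVE ids are placeholders.
VEX_JSON = json.dumps({"bomFormat": "CycloneDX", "vulnerabilities": [
    {"id": "CVE-0000-0001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:maven/example/lib-a@1.0"}]},
    {"id": "CVE-0000-0002",
     "analysis": {"state": "affected"},
     "affects": [{"ref": "pkg:maven/example/lib-b@2.3"}]},
]})

# Constructed scanner output: (vulnerability id, component bom-ref) pairs such as
# a scanner would emit after matching SBOM components against a vuln database.
SCANNER_FINDINGS = [
    ("CVE-0000-0001", "pkg:maven/example/lib-a@1.0"),
    ("CVE-0000-0002", "pkg:maven/example/lib-b@2.3"),
    ("CVE-0000-0003", "pkg:maven/example/lib-b@2.3"),
]

# VEX analysis states that mean "do not report this finding".
SUPPRESS_STATES = {"not_affected", "false_positive"}

def vex_index(vex):
    """Map (vulnerability id, component ref) -> analysis state from a VEX document."""
    index = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = state
    return index

def filter_findings(findings, sbom, vex):
    """Keep scanner findings that are in the SBOM and not suppressed by the VEX."""
    known_refs = {c["bom-ref"] for c in sbom.get("components", [])}
    index = vex_index(vex)
    return [(vid, ref) for vid, ref in findings
            if ref in known_refs and index.get((vid, ref)) not in SUPPRESS_STATES]

def demo():
    # Findings with no VEX statement (CVE-0000-0003) are kept, so triage remains visible.
    return filter_findings(SCANNER_FINDINGS, json.loads(SBOM_JSON), json.loads(VEX_JSON))
```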
