Found this: https://github.com/spdx/spdx-maven-plugin
Gary
On Sun, Jul 17, 2022, 13:26 Dominik Psenner wrote:
> SBOMs appear to be the solution, allowing introspection and thus provide a
> way for building automated tools that can answer tough questions, i.e.
> regarding IT security. As of the
SBOMs appear to be the solution, allowing introspection and thus provide a
way for building automated tools that can answer tough questions, i.e.
regarding IT security. As of the format, I would stick with the ISO
standard: SPDX.
--
Sent from my phone. Typos are a kind gift to anyone who happens
Hello,
The Apache Commons project recently received a PR [1] for our parent
POM that includes the generation of software bill of materials (SBOM)
artifacts during the build. During the following discussion [2] on our
dev mailing list, it was suggested that this mailing list would be the
Mark Thomas wrote on Sun, 17 Jul 2022 11:14 +00:00:
> - I strongly disagree with recommendation 8 that public disclosure
> should be concurrent with public fixes. I think that significantly
> increases risks to end users.
>
> In OSS there is always going to be a period of time between the
On Sun, 17 Jul 2022 at 12:14, Mark Thomas wrote:
> On 15/07/2022 07:47, Mark J Cox wrote:
> > Hi all;
> >
> > Yesterday the newly-formed CSRB published their report on the Log4j
> > vulnerability and response. Full PDF at
> >
>
On 15/07/2022 07:47, Mark J Cox wrote:
Hi all;
Yesterday the newly-formed CSRB published their report on the Log4j
vulnerability and response. Full PDF at
https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
Several ASF people, myself included, talked