This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 630ea18971d5 chore: add SBOM generation documentation to user manual
630ea18971d5 is described below
commit 630ea18971d5a3b7429256950df444348a455f54
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Jun 22 20:13:12 2026 +0200
chore: add SBOM generation documentation to user manual
Co-Authored-By: Claude Opus 4.6 <[email protected]>
---
docs/user-manual/modules/ROOT/nav.adoc | 1 +
docs/user-manual/modules/ROOT/pages/sbom.adoc | 97 +++++++++++++++++++++++++++
2 files changed, 98 insertions(+)
diff --git a/docs/user-manual/modules/ROOT/nav.adoc
b/docs/user-manual/modules/ROOT/nav.adoc
index b3d74e9d0d06..44cf813f4ab6 100644
--- a/docs/user-manual/modules/ROOT/nav.adoc
+++ b/docs/user-manual/modules/ROOT/nav.adoc
@@ -37,6 +37,7 @@
** xref:rest-dsl.adoc[Working with REST and Rest DSL]
*** xref:rest-dsl-openapi.adoc[Rest DSL contract first]
** xref:writing-components.adoc[Writing Components]
+** xref:sbom.adoc[Generating SBOMs]
** xref:release-guide.adoc[Release guide]
*** xref:release-guide-website.adoc[Adding doc versions to the website]
** xref:improving-the-documentation.adoc[Improving the Documentation]
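Review bot: The new `xref:sbom.adoc[Generating SBOMs]` entry is placed between "Writing Components" and "Release guide", which are contributor-facing pages, while the page it links to is written for application developers producing an SBOM for their own Camel app. Consider moving it next to the other application-level topics in this nav block (for example near the Rest DSL entries) or adding it under a section aimed at users, so readers looking for runtime guidance find it without browsing the contributor material.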
diff --git a/docs/user-manual/modules/ROOT/pages/sbom.adoc
b/docs/user-manual/modules/ROOT/pages/sbom.adoc
new file mode 100644
index 000000000000..c0289a86e534
--- /dev/null
+++ b/docs/user-manual/modules/ROOT/pages/sbom.adoc
@@ -0,0 +1,97 @@
+= Generating SBOMs
+
+A Software Bill of Materials (SBOM) is a machine-readable inventory of every
component in your software: direct
+dependencies, transitive dependencies, and their versions. SBOMs have become a
key building block in supply chain
+security, enabling automated vulnerability scanning and license compliance
analysis.
+
+With the EU Cyber Resilience Act (CRA) requiring SBOM delivery for software
sold in the EU, and US Executive
+Order 14028 making SBOMs a federal procurement expectation, many organizations
now treat SBOM generation
+as a hard requirement.
+
+== Camel releases ship with SBOMs
+
+Starting from Camel 4.0.3, every release ships with PGP-signed CycloneDX SBOMs
(JSON and XML) covering all
+Camel modules and their dependencies. These are available on the
+link:/download/[download page] alongside the release artifacts.
+
+== Generating SBOMs for your own applications
+
+To produce an SBOM for _your_ Camel application (as opposed to the framework
itself), choose the approach
+that matches your runtime.
+
+=== Camel CLI
+
+The Camel CLI has a built-in `sbom` command that generates an SBOM for your
integration project without
+any extra tooling.
+
+[source,bash]
+----
+camel sbom
+----
+
+This produces a `sbom.json` file in CycloneDX format by default.
+
+To use SPDX format instead:
+
+[source,bash]
+----
+camel sbom --sbom-format=spdx
+----
+
+To generate for a specific target runtime:
+
+[source,bash]
+----
+camel sbom --runtime=spring-boot
+----
+
+[source,bash]
+----
+camel sbom --runtime=quarkus
+----
+
+The output format can be switched between JSON and XML:
+
+[source,bash]
+----
+camel sbom --sbom-output-format=xml
+----
+
+See the xref:jbang-commands/camel-jbang-sbom.adoc[camel sbom command
reference] for all available options.
+
+=== Camel Spring Boot and Camel Quarkus (Maven projects)
+
+For Maven-based projects (Camel Spring Boot or Camel Quarkus), add the
+https://github.com/CycloneDX/cyclonedx-maven-plugin[CycloneDX Maven Plugin] to
your `pom.xml`:
+
+[source,xml]
+----
+<plugin>
+ <groupId>org.cyclonedx</groupId>
+ <artifactId>cyclonedx-maven-plugin</artifactId>
+ <version>2.9.1</version>
+ <executions>
+ <execution>
+ <phase>package</phase>
+ <goals>
+ <goal>makeBom</goal>
+ </goals>
+ </execution>
+ </executions>
+</plugin>
+----
+
+Running `mvn package` will then produce a CycloneDX SBOM alongside your
application artifact.
+
+This is a standard Maven plugin and works identically for both Camel Spring
Boot and Camel Quarkus projects.
+Nothing Camel-specific is required.
+
+TIP: Check https://github.com/CycloneDX/cyclonedx-maven-plugin[the plugin's
repository] for the latest
+version, and see the plugin documentation for options such as output format
(JSON or XML), output directory,
+and component scope filtering.
+
+== Analyzing SBOMs
+
+Once generated, an SBOM can be fed into vulnerability scanners and compliance
tools.
+For example, https://dependencytrack.org/[OWASP Dependency-Track] can ingest
CycloneDX SBOMs
+and continuously monitor for known CVEs across your dependency tree.
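Review bot: The "Camel releases ship with SBOMs" section states the release SBOMs are PGP-signed but gives no verification step, so a reader who downloads `sbom.json` has no instruction for checking the detached signature against the project KEYS file before trusting or ingesting it; add a short "verify the signature the same way as the release artifacts" sentence with a link to the KEYS file, otherwise the signing claim has no practical effect. Two smaller points in the same hunk: the Maven snippet binds `makeBom`, which produces one SBOM per module, so a multi-module project gets several files rather than one inventory; mention `makeAggregateBom` for that case, and since the `<version>2.9.1</version>` line will go stale while the TIP below already tells readers to check for the latest version, consider pointing them to a property instead of a literal. Finally, the `xref:jbang-commands/camel-jbang-sbom.adoc[...]` target should be confirmed to exist in this docs module, as an unresolved xref fails the Antora build.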