This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new 0dc99e15 chore: add SBOM mentions to download and security pages
0dc99e15 is described below
commit 0dc99e15ad6a64c09306a0eb9aeae81dab2811ef
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Jun 22 20:16:59 2026 +0200
chore: add SBOM mentions to download and security pages
Co-Authored-By: Claude Opus 4.6 <[email protected]>
---
content/download/_index.md | 7 +++++++
content/security/_index.md | 6 ++++++
2 files changed, 13 insertions(+)
diff --git a/content/download/_index.md b/content/download/_index.md
index d007e733..2714794b 100644
--- a/content/download/_index.md
+++ b/content/download/_index.md
@@ -16,6 +16,13 @@ Here you will only find the supported releases, older
unsupported releases can b
{{< downloads >}}
+## SBOMs
+
+Every release since 4.0.3 includes PGP-signed CycloneDX SBOMs (JSON and XML)
listed alongside the source
+download above. These machine-readable inventories list every dependency in
the release and can be fed into
+tools like [OWASP Dependency-Track](https://dependencytrack.org/) for
automated vulnerability scanning.
+To generate an SBOM for your own Camel application, see the [Generating
SBOMs](/manual/sbom.html) guide.
+
## Keys
You can verify your download by following these
[procedures](http://www.apache.org/info/verification.html) and using these
[KEYS](https://www.apache.org/dist/camel/KEYS).
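Review bot: the added SBOMs paragraph in content/download/_index.md says the files are PGP-signed but never tells the reader how to check that signature, and it sits above the `## Keys` section, which is where the verification procedures and the KEYS link are. Add a sentence pointing at that section, stating that the SBOM signatures are verified with the same KEYS file as the source download, or move the new section below `## Keys`, so the verification step comes before the suggestion to feed the file into Dependency-Track.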
diff --git a/content/security/_index.md b/content/security/_index.md
index 29fb77d7..210e4d9e 100644
--- a/content/security/_index.md
+++ b/content/security/_index.md
@@ -20,6 +20,12 @@ The Camel subprojects — Camel Quarkus, Camel Spring Boot,
Camel Karaf, Camel K
Kafka Connector and Camel K — inherit the same trust model; report scope for
them is governed
by the same document unless a subproject publishes its own security model.
+## Software Bill of Materials (SBOM)
+
+Every Camel release since 4.0.3 ships with PGP-signed CycloneDX SBOMs that
list all dependencies,
+enabling supply chain risk analysis alongside the CVE advisories below.
+See [Generating SBOMs](/manual/sbom.html) for details.
+
## Reporting new security problems with Apache Camel
The Apache Software Foundation takes a very active stance in eliminating
security problems.
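Review bot: in the new section of content/security/_index.md, "See [Generating SBOMs](/manual/sbom.html) for details" sends the reader to the guide that the download-page text in this same commit describes as the way to generate an SBOM for your own Camel application, not to the release SBOMs this paragraph is about. Link the download page, where the signed SBOMs are listed, for the release artifacts, and keep the /manual/sbom.html link worded as the how-to for user applications. Since the paragraph leads with "PGP-signed", a pointer to the KEYS used to verify those signatures would also fit here.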