Steve Lawrence created DAFFODIL-2993:
----------------------------------------

Summary: Support SBOM/SPDX
Key: DAFFODIL-2993
URL: https://issues.apache.org/jira/browse/DAFFODIL-2993
Project: Daffodil
Issue Type: Improvement
Components: Infrastructure
Reporter: Steve Lawrence

The EU Cyber Resilience Act and some US government agencies require a software bill of materials (SBOM), some specifically wanting SPDX format. We should add support for generating an SBOM during the release process and releasing it alongside release artifacts so it is already available for users.

Depending on what is required, we may want to integrate changes into the daffodil release candidate action (https://github.com/apache/daffodil-infrastructure/tree/main/actions/release-candidate) so that SBOMs are automatically generated as part of the release process for the sbt plugin and vscode extension, in addition to daffodil.

There have also been some discussions on various ASF mailing lists and JIRAs regarding SBOMs. We should dig around to see if ASF has already provided any guidance on best practices.

--
This message was sent by Atlassian Jira (v8.20.10#820010)