[ https://issues.apache.org/jira/browse/DAFFODIL-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17946493#comment-17946493 ]
Steve Lawrence commented on DAFFODIL-2993:
------------------------------------------

Here is related information provided by the ASF Security team:
https://cwiki.apache.org/confluence/display/SECURITY/SBOM+Software+Bill+of+Materials

> Support SBOM/SPDX
> -----------------
>
>                 Key: DAFFODIL-2993
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-2993
>             Project: Daffodil
>          Issue Type: Improvement
>          Components: Infrastructure
>            Reporter: Steve Lawrence
>            Priority: Major
>
> The EU Cyber Resilience Act and some US government agencies require software
> bill of materials (SBOM), some specifically wanting SPDX format. We should
> add support for generating an SBOM during the release process and releasing
> it alongside release artifacts so it is already available for users.
> Depending on what is required, we may want to integrate changes into the
> daffodil release candidate action
> (https://github.com/apache/daffodil-infrastructure/tree/main/actions/release-candidate)
> so that SBOMs are automatically generated as part of the release process for
> the sbt plugin and vscode extension, in addition to daffodil.
> There have also been some discussions on various ASF mailing lists and JIRAs
> regarding SBOMs. We should dig around to see if ASF has already provided any
> guidance on best practices.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
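The issue above asks for an SPDX SBOM to be published beside each release artifact. The following is an added example, not Daffodil project code, of the consumer-side check that makes such a file useful: it verifies that an SPDX 2.3 JSON document lists the mandatory package fields and that the package the document DESCRIBES carries a SHA256 matching the artifact it shipped with. The artifact, package name and checksums are constructed inline for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

REQUIRED_PACKAGE_FIELDS = ("SPDXID", "name", "versionInfo", "downloadLocation")


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_sbom(sbom: dict, artifact: Path) -> list[str]:
    """Return findings for an SPDX 2.3 JSON document; an empty list means it passes."""
    findings = []
    packages = sbom.get("packages", [])
    for pkg in packages:
        for field in REQUIRED_PACKAGE_FIELDS:
            if field not in pkg:
                findings.append(f"{pkg.get('SPDXID', '?')}: missing {field}")
    # The package the document DESCRIBES must carry a SHA256 equal to that of the
    # artifact shipped beside the SBOM; otherwise the SBOM describes something else.
    described = {r.get("relatedSpdxElement") for r in sbom.get("relationships", [])
                 if r.get("relationshipType") == "DESCRIBES"}
    if not described:
        findings.append("no DESCRIBES relationship: unclear what the SBOM covers")
    actual = sha256_file(artifact)
    for pkg in packages:
        if pkg.get("SPDXID") in described:
            sums = {c["algorithm"]: c["checksumValue"].lower() for c in pkg.get("checksums", [])}
            if sums.get("SHA256") != actual:
                findings.append(f"{pkg['SPDXID']}: SHA256 mismatch against {artifact.name}")
    return findings


def demo(tamper: bool = False) -> list[str]:
    """Check a constructed artifact against a constructed SBOM (not a real release)."""
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "example-1.0.0.tgz"
        artifact.write_bytes(b"constructed placeholder, not a real tarball\n")
        sbom = {
            "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
            "packages": [{"SPDXID": "SPDXRef-example", "name": "example",
                          "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION",
                          "checksums": [{"algorithm": "SHA256",
                                         "checksumValue": sha256_file(artifact)}]}],
            "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                               "relationshipType": "DESCRIBES",
                               "relatedSpdxElement": "SPDXRef-example"}],
        }
        if tamper:  # simulate an artifact replaced after the SBOM was generated
            artifact.write_bytes(b"something else\n")
        return check_sbom(sbom, artifact)
```

For a real release the SBOM would be loaded with `json.load` from the file published next to the artifact, and the same checks apply.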