[
https://issues.apache.org/jira/browse/DAFFODIL-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Lawrence reassigned DAFFODIL-2993:
----------------------------------------
Assignee: Olabusayo Kilo (was: Olabusayo Kilo)
> Support SBOM/SPDX
> -----------------
>
> Key: DAFFODIL-2993
> URL: https://issues.apache.org/jira/browse/DAFFODIL-2993
> Project: Daffodil
> Issue Type: Improvement
> Components: Infrastructure
> Reporter: Steve Lawrence
> Assignee: Olabusayo Kilo
> Priority: Major
> Fix For: 4.1.0
>
>
> The EU Cyber Resilience Act and some US government agencies require software
> bill of materials (SBOM), some specifically wanting SPDX format. We should
> add support for generating an SBOM during the release process and releasing
> it alongside release artifacts so it is already available for users.
> Depending on what is required, we may want to integrate changes into the
> daffodil release candidate action
> (https://github.com/apache/daffodil-infrastructure/tree/main/actions/release-candidate)
> so that SBOMs are automatically generated as part of the release process for
> the sbt plugin and vscode extension, in addition to daffodil.
> There have also been some discussions on various ASF mailing lists and JIRAs
> regarding SBOMs. We should dig around to see if ASF has already provided any
> guidance on best practices.