This is an automated email from the ASF dual-hosted git repository. vy pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/logging-log4j-tools.git
commit cd5dc8ebff4f879cf206880448ac144127b2ab8c
Author: Volkan Yazıcı <[email protected]>
AuthorDate: Fri Oct 20 15:28:40 2023 +0200
Implement and document SBOM (apache/logging-log4j2#1707)
---
src/changelog/.0.x.x/add-sbom.xml | 24 ++++++++++++++++++++++++
src/site/index.adoc | 32 ++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
diff --git a/src/changelog/.0.x.x/add-sbom.xml b/src/changelog/.0.x.x/add-sbom.xml
new file mode 100644
index 0000000..3a9235e
--- /dev/null
+++ b/src/changelog/.0.x.x/add-sbom.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one or more
+ ~ contributor license agreements. See the NOTICE file distributed with
+ ~ this work for additional information regarding copyright ownership.
+ ~ The ASF licenses this file to you under the Apache License, Version 2.0
+ ~ (the "License"); you may not use this file except in compliance with
+ ~ the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://logging.apache.org/log4j/changelog"
+ xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+ type="added">
+ <author id="github:vy"/>
+ <description format="asciidoc">Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`</description>
+</entry>
diff --git a/src/site/index.adoc b/src/site/index.adoc
index 50158af..73ff872
--- a/src/site/index.adoc
+++ b/src/site/index.adoc
@@ -58,6 +58,38 @@ In accordance with the Apache Software Foundation's release https://infra.apache
 See xref:#release-instructions[the release instructions] for details.
+[#maven-bom]
+=== Maven Bill of Materials (BOM)
+
+To keep your {project-name} module versions aligned, a https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms[Maven Bill of Materials (BOM) POM] is provided for your convenience.
+
+To use this with Maven, add the dependency listed below to your `pom.xml` file.
+Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
+This will _import_ all modules bundled with the associated Log4j release to your `dependencyManagement`.
+As a result, you don't have to specify versions of the imported modules (`log4j-changelog`, `log4j-changelog-maven-plugin`, etc.) while using them.
+
+.`pom.xml` snippet importing `log4j-tools-bom`
+[source,subs="+attributes"]
+----
+<dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-tools-bom</artifactId>
+ <version>{project-version}</version>
+ <scope>import</scope>
+ <type>pom</type>
+ </dependency>
+ </dependencies>
+</dependencyManagement>
+----
+
+[#cyclonedx-sbom]
+=== CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `0.6.0`, {project-name} distributes https://cyclonedx.org/capabilities/sbom/[CyclenoDX Software Bill of Materials (SBOM)] along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
+
 [#support]
 == Support
