pnoltes opened a new issue, #823:
URL: https://github.com/apache/celix/issues/823

   # Intro
   
   To improve software supply-chain transparency and to better support 
downstream users, a **CI-driven SBOM and vulnerability scanning pipeline** 
would be very welcome.
   To complete this, the **release process should be updated** so that we 
publish a signed **SBOM as part of an official release**.
   
   If feasible, it would also be valuable to **backport this approach** and 
create a **Celix 2.4.x release that includes an SBOM**.
   
   # Background
   
   The **EU Cyber Resilience Act (CRA)** has been introduced. While 
**open-source projects without a commercial service offering** are *not 
required* to:
   
   * Provide SBOMs
   * Fix vulnerabilities
   * Offer SLAs or continuous monitoring
   
   it is still beneficial for downstream users if we can offer **transparent 
dependency information**.
   
   Providing:
   
   * an SBOM (generated in CI and published with releases), and
   * an initial vulnerability scan
   
   
   # Scope
   
   This issue will be split into the following **four sub-issues**:
   
   * **Generate an SBOM** as part of the CI pipeline
   * **Add vulnerability scanning** based on the generated SBOM
   * **Update the release process** to include a **signed SBOM** alongside 
released source artifacts
   * **Backport the SBOM generation** and create a **Celix 2.4.x release 
including an SBOM**
   
   

