Hello all,

Steve Springett recently created a PR [1] for commons-parent that
introduces the generation of software bill of materials (SBOM)
artifacts into the build process. First of all, thank you, Steve.
Secondly, I believe this is an important topic that should be
addressed by our community. SBOMs contain metadata that can be used in
application security contexts and software supply chain analysis. They
seem to be becoming increasingly important as the software industry
places a greater emphasis on cybersecurity. I have a small amount of
experience with these types of files from my day job. My team will
soon begin generating them for all of our projects in order to allow
automated tools to better track CVEs and report to our customers on
the security of our applications. The questions I believe we need to
answer as a community are:

1. Do we want to include SBOMs in our Maven build artifacts?
2. If so, what format do we want to use?

In regard to the first question, I believe that we would need a good
reason to *not* include these (or similar) artifacts. It's a simple
service we can provide to help our users maintain good cybersecurity
practices. As the provider of a number of hugely popular open-source
libraries, I would love to see us take the lead on ensuring the
security of the Java ecosystem.

For question two, there are a few SBOM standards out there, notably
SPDX [2] and CycloneDX [3] (which is what Steve included in his PR). I
am not well versed in the exact differences between the formats, but
CycloneDX seems to have better Java support and a large number of
useful tools, such as the Maven plugin used in Steve's PR.

If we can agree on answers to the two questions above, then we can
move forward and start discussing details. Thank you all for your
time.

Regards,
Matt J

[1] https://github.com/apache/commons-parent/pull/122
[2] https://spdx.dev/
[3] https://cyclonedx.org/
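As an added illustration of how the "automated tools" the mail refers to consume such an artifact (this is editor-supplied example code, not part of Matt's mail or of the commons-parent PR): a small Python check that reads a constructed CycloneDX JSON BOM shaped like cyclonedx-maven-plugin output, indexes its components by package URL, and matches them against a constructed advisory list. The field names (bomFormat, components, purl) follow the CycloneDX spec; the advisory entries and CVE-style identifiers are placeholders.

```python
import json

# Constructed CycloneDX 1.4 JSON BOM, shaped like cyclonedx-maven-plugin
# output (field names follow the CycloneDX spec; versions are sample values).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar"},
        {"type": "library", "group": "org.example", "name": "widget",
         "version": "1.2.3",
         "purl": "pkg:maven/org.example/widget@1.2.3"},
    ],
})

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# Each entry names a versionless purl plus the versions it affects.
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-0001", "purl": "pkg:maven/org.example/widget",
     "affected": ["1.2.3", "1.2.4"]},
    {"id": "CVE-0000-0002", "purl": "pkg:maven/org.example/other",
     "affected": ["2.0.0"]},
]


def load_components(bom_text):
    """Parse a CycloneDX JSON BOM; return {versionless purl: {versions}}."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            continue  # no usable package URL; cannot be matched reliably
        base, version = purl.rsplit("@", 1)
        version = version.split("?", 1)[0]  # drop purl qualifiers like ?type=jar
        index.setdefault(base, set()).add(version)
    return index


def find_affected(bom_text, advisories):
    """Return (advisory id, purl, version) for each BOM component an advisory lists."""
    index = load_components(bom_text)
    hits = []
    for adv in advisories:
        for version in sorted(index.get(adv["purl"], ())):
            if version in adv["affected"]:
                hits.append((adv["id"], adv["purl"], version))
    return hits
```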
