Thanks Dick, I am totally unfamiliar with this. Is there somewhere to read about what this is all about?
Ralph

> On Dec 20, 2021, at 7:18 AM, Dick Brooks <[email protected]> wrote:
>
> Hello,
>
> This sort of suggestion would be better sent to our development mailing list ([email protected]). I’ll note that we use Apache Maven for our build system, and a quick search shows that https://github.com/CycloneDX/cyclonedx-maven-plugin might be a useful plugin to propose for generating the SBOM as part of our standard release process. I do think it’s a good idea, but this topic should be discussed in our public list and not on the private list.
> --
> Matt Sicker
>
>
> On Dec 19, 2021, at 12:48, Dick Brooks <[email protected]> wrote:
>
> I’ve created an SPDX SBOM for Log4j V 2.17.0-core along with a companion baseline vulnerability disclosure report (VDR), based on NIST NVD search results:
> https://github.com/rjb4standards/REA-Products/tree/master/Log4jUseCase
>
> Please read the README.md first to understand the limitations of this info.
>
> I encourage the Log4j team to consider updating the FixStatus and AnalysisFindings elements for each reported CVE. I’m happy to assist in this effort.
>
> Thanks,
>
> Dick Brooks
>
> Never trust software, always verify and report!
> https://reliableenergyanalytics.com/products ™
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
>
> Thanks,
>
> Dick Brooks
