sbp commented on issue #87: URL: https://github.com/apache/tooling-trusted-releases/issues/87#issuecomment-3422636265
The follow-up issues are #248 (vulnerabilities scanner), #249 (license scanner), and #250 (attestations proof of concept).

The present issue originally raised the following points:

1. Decide which formats to encourage and when.
2. SBOMs made during the build are preferred.
3. Attestations like a Dashboard scorecard based on Policies around Source code control.
4. Distribution to a channel?

Our responses to these are that we're focusing on CycloneDX JSON almost exclusively in these early rounds of development, and may go so far as to consider further formats only where there is an expressed need; that we do not produce SBOMs on ATR itself, but that still remains a stretch goal where a particular ecosystem is amenable to _post hoc_ SBOM generation; that we defer attestations; and that we're currently only recording external distributions manually.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
