[https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Arnout Engelen updated SOLR-16796:
----------------------------------
Description:
It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for
its artifacts. An SBOM gives an overview of the components included in the
artifact, which can be useful for example for scanner software that looks for
dependencies with potential security vulnerabilities.
Such consumers of the SBOM should probably combine it with the VEX published
for Solr (https://solr.apache.org/security.html#vex) to avoid getting reports
for known false positives.
Draft PR starting point for this is at
[https://github.com/apache/solr/pull/1203]
was:
It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for
its artifacts. An SBOM gives an overview of the components included in the
artifact, which can be useful for example for scanner software that looks for
dependencies with potential security vulnerabilities.
Such consumers of the SBOM should probably combine it with the VEX published
for Solr (https://solr.apache.org/security.html#vex) to avoid getting reports
for known false positives.
> Publish an SBOM for Solr artifacts
> ----------------------------------
>
> Key: SOLR-16796
> URL: https://issues.apache.org/jira/browse/SOLR-16796
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Build
> Reporter: Arnout Engelen
> Priority: Minor
>
--
This message was sent by Atlassian Jira (v8.20.10#820010)
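As an added example, not part of this issue or of the Solr project's code, the script below shows what the "combine the SBOM with the VEX" step looks like for a consumer: scanner findings are matched through the SBOM's bom-refs to the VEX's `affects` entries, and findings the project has marked `not_affected` or `false_positive` are discarded. The SBOM, VEX, purls and CVE identifiers are constructed placeholders.

```python
import json

# Constructed sample SBOM (CycloneDX JSON, trimmed to the fields used here).
# The purls and CVE ids in this file are placeholders, not real Solr data.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "lib-a@1.0.0", "name": "lib-a", "version": "1.0.0",
         "purl": "pkg:maven/org.example/lib-a@1.0.0"},
        {"bom-ref": "lib-b@2.3.1", "name": "lib-b", "version": "2.3.1",
         "purl": "pkg:maven/org.example/lib-b@2.3.1"},
    ],
})

# Constructed sample VEX (CycloneDX vulnerabilities with an analysis block):
# the project asserts that CVE-0000-0001 does not affect lib-a as shipped.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable"},
         "affects": [{"ref": "lib-a@1.0.0"}]},
    ],
})

# CycloneDX analysis states that mean "known false positive for this build".
SUPPRESSING_STATES = {"not_affected", "false_positive"}


def vex_suppressions(vex_json):
    """Return the set of (vulnerability id, bom-ref) pairs the VEX rules out."""
    suppressed = set()
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") in SUPPRESSING_STATES:
            for target in vuln.get("affects", []):
                suppressed.add((vuln["id"], target["ref"]))
    return suppressed


def filter_findings(findings, sbom_json, vex_json):
    """Drop scanner findings the VEX rules out; everything else is kept.

    findings: list of (vulnerability id, purl) pairs as a scanner reports them.
    The SBOM maps each purl to its bom-ref, which is what VEX 'affects' names,
    so a finding is suppressed only for the exact component the VEX covers.
    """
    purl_to_ref = {c["purl"]: c["bom-ref"]
                   for c in json.loads(sbom_json).get("components", [])
                   if "purl" in c}
    suppressed = vex_suppressions(vex_json)
    return [(vid, purl) for vid, purl in findings
            if (vid, purl_to_ref.get(purl)) not in suppressed]
```

A finding for a purl that is not in the SBOM can never match a VEX entry and is therefore always kept, which is the safe default for a consumer.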