[
https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17853745#comment-17853745
]
ASF subversion and git services commented on SOLR-16796:
--------------------------------------------------------
Commit 392b6284a477008866c5419ca44caccd2c9c8a8a in solr's branch
refs/heads/branch_9x from Arnout Engelen
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=392b6284a47 ]
SOLR-16796: Add Maven SBOMs via cyclonedx (#1203)
Co-authored-by: Kevin Risden <[email protected]>
Co-authored-by: Houston Putman <[email protected]>
(cherry picked from commit a42c605fb916439222a086356f368f02cf80304a)
> Publish an SBOM for Solr maven artifacts
> ----------------------------------------
>
> Key: SOLR-16796
> URL: https://issues.apache.org/jira/browse/SOLR-16796
> Project: Solr
> Issue Type: Improvement
> Components: Build
> Reporter: Arnout Engelen
> Assignee: Houston Putman
> Priority: Minor
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for
> its artifacts. An SBOM gives an overview of the components included in the
> artifact, which can be useful for example for scanner software that looks for
> dependencies with potential security vulnerabilities.
> Such consumers of the SBOM should probably combine it with the VEX published
> for Solr ([https://solr.apache.org/security.html#vex)] to avoid getting
> reports for known false positives.
> Draft PR starting point for this is at
> [https://github.com/apache/solr/pull/1203]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
