[
https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17854160#comment-17854160
]
Houston Putman commented on SOLR-16796:
---------------------------------------
There is also this issue:
[https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/432] that affects
us as well (cross-project dependencies are not included in the components
section).
> Publish an SBOM for Solr maven artifacts
> ----------------------------------------
>
> Key: SOLR-16796
> URL: https://issues.apache.org/jira/browse/SOLR-16796
> Project: Solr
> Issue Type: Improvement
> Components: Build
> Reporter: Arnout Engelen
> Assignee: Houston Putman
> Priority: Minor
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for
> its artifacts. An SBOM gives an overview of the components included in the
> artifact, which can be useful for example for scanner software that looks for
> dependencies with potential security vulnerabilities.
> Such consumers of the SBOM should probably combine it with the VEX published
> for Solr ([https://solr.apache.org/security.html#vex]) to avoid getting
> reports for known false positives.
> Draft PR starting point for this is at
> [https://github.com/apache/solr/pull/1203]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
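The two points raised in this thread, a dependency graph that references components missing from the components section, and combining an SBOM with a VEX so that known false positives are dropped, can both be checked mechanically. The script below is an added example and is not code from the Solr project or from anyone in this thread. It assumes CycloneDX 1.4 JSON for both the SBOM and the VEX, that each component's bom-ref equals its purl, and that scanner findings arrive as (vulnerability id, component ref) pairs; the SBOM, VEX, CVE ids and findings are all constructed placeholders.

```python
"""Added example: validate a CycloneDX SBOM's dependency graph and apply a
CycloneDX VEX document to scanner findings. All inputs are constructed."""
import json

# Constructed CycloneDX 1.4 SBOM. "org.example/core" is referenced in the
# dependency graph but is missing from "components", which is what an SBOM
# looks like when cross-project dependencies are dropped from that section.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "api", "version": "1.0.0",
     "purl": "pkg:maven/org.example/api@1.0.0",
     "bom-ref": "pkg:maven/org.example/api@1.0.0"},
    {"type": "library", "name": "commons-text", "version": "1.9",
     "purl": "pkg:maven/org.apache.commons/commons-text@1.9",
     "bom-ref": "pkg:maven/org.apache.commons/commons-text@1.9"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/org.example/api@1.0.0",
     "dependsOn": ["pkg:maven/org.example/core@1.0.0",
                   "pkg:maven/org.apache.commons/commons-text@1.9"]}
  ]
}
"""

# Constructed CycloneDX VEX. The CVE ids are placeholders, not real entries.
VEX_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-0000-00001",
     "analysis": {"state": "not_affected",
                  "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:maven/org.apache.commons/commons-text@1.9"}]}
  ]
}
"""

# Constructed scanner output: one finding the VEX covers, one it does not.
FINDINGS = [
    {"id": "CVE-0000-00001", "ref": "pkg:maven/org.apache.commons/commons-text@1.9"},
    {"id": "CVE-0000-00002", "ref": "pkg:maven/org.example/api@1.0.0"},
]

SBOM = json.loads(SBOM_JSON)
VEX = json.loads(VEX_JSON)

# VEX analysis states under which a scanner report should be suppressed.
SUPPRESSING_STATES = {"not_affected", "false_positive"}


def dangling_dependency_refs(sbom: dict) -> set:
    """Return every ref in the dependency graph that has no matching
    component bom-ref (the metadata.component, if present, also counts)."""
    known = {c.get("bom-ref") for c in sbom.get("components", [])}
    meta_component = sbom.get("metadata", {}).get("component")
    if meta_component:
        known.add(meta_component.get("bom-ref"))
    dangling = set()
    for dep in sbom.get("dependencies", []):
        for ref in [dep.get("ref")] + list(dep.get("dependsOn", [])):
            if ref not in known:
                dangling.add(ref)
    return dangling


def suppressed_pairs(vex: dict) -> set:
    """(vulnerability id, component ref) pairs the VEX says to ignore."""
    pairs = set()
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state not in SUPPRESSING_STATES:
            continue
        for affected in vuln.get("affects", []):
            pairs.add((vuln["id"], affected["ref"]))
    return pairs


def apply_vex(findings: list, vex: dict) -> list:
    """Keep only scanner findings the VEX does not mark as suppressed."""
    ignore = suppressed_pairs(vex)
    return [f for f in findings if (f["id"], f["ref"]) not in ignore]


if __name__ == "__main__":
    missing = dangling_dependency_refs(SBOM)
    print("dependency refs with no component entry:", sorted(missing))
    for finding in apply_vex(FINDINGS, VEX):
        print("still open after VEX:", finding["id"], finding["ref"])
```

Running the SBOM check before publishing catches the plugin issue mentioned above without waiting for a downstream scanner to complain, and the VEX step is the consumer-side filter the issue description asks for; a real consumer would fetch the VEX from the published URL rather than embed it.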