[
https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17854837#comment-17854837
]
ASF subversion and git services commented on SOLR-16796:
--------------------------------------------------------
Commit 3c8fda48d31cc6609de81655337e12b4fb4e2e8c in solr's branch
refs/heads/branch_9x from Houston Putman
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=3c8fda48d31 ]
Revert "SOLR-16796: Add Maven SBOMs via cyclonedx (#1203)"
This reverts commit 392b6284a477008866c5419ca44caccd2c9c8a8a.
> Publish an SBOM for Solr maven artifacts
> ----------------------------------------
>
> Key: SOLR-16796
> URL: https://issues.apache.org/jira/browse/SOLR-16796
> Project: Solr
> Issue Type: Improvement
> Components: Build
> Reporter: Arnout Engelen
> Assignee: Houston Putman
> Priority: Minor
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for
> its artifacts. An SBOM gives an overview of the components included in the
> artifact, which can be useful for example for scanner software that looks for
> dependencies with potential security vulnerabilities.
> Such consumers of the SBOM should probably combine it with the VEX published
> for Solr ([https://solr.apache.org/security.html#vex)] to avoid getting
> reports for known false positives.
> Draft PR starting point for this is at
> [https://github.com/apache/solr/pull/1203]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
