jdaugherty opened a new pull request, #15087: URL: https://github.com/apache/grails-core/pull/15087
With the recent [compromises of NPM](https://www.sonatype.com/blog/ongoing-npm-software-supply-chain-attack-exposes-new-risks), it's important we publish an SBOM. This change generates SBOMs per the recommended [standard](https://cyclonedx.org/). The files will not be published individually at this time (publish plugin needs enhancements). Instead, the files will be published inside of the binary jar files at META-INF/sbom.json.

Other notes on this PR:

* As part of testing the cyclonedx gradle plugin, there are some quality issues with the plugin. It does not support the latest best practices for gradle. There is a 3.x version upcoming, but it's still alpha and has other issues (you can't set the component type).
* I discovered we were generating jar files with just license / ASF policy files, so I've stopped generating those files as of this change (grails-dependencies-*, etc.).
* I'm not creating an aggregate SBOM for the Grails framework. Right now, an individual SBOM for every project will be generated.
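A consumer-side check of the layout this PR describes (a CycloneDX document embedded at META-INF/sbom.json inside each jar), as an added example that is not part of the PR or the Grails build. The jar and its SBOM are constructed inline; the component coordinates and the helper names are assumptions, not output of the cyclonedx gradle plugin.

```python
"""Verify that a jar ships a CycloneDX SBOM at META-INF/sbom.json and list its components."""
import io
import json
import zipfile

SBOM_PATH = "META-INF/sbom.json"


def build_sample_jar(include_sbom: bool = True) -> bytes:
    """Constructed sample jar; the SBOM is a hand-written minimal CycloneDX 1.5 document."""
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "group": "org.example", "name": "lib-a",
             "version": "1.0.0", "purl": "pkg:maven/org.example/lib-a@1.0.0"},
            {"type": "library", "group": "org.example", "name": "lib-b", "version": "2.3.1"},
        ],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_sbom:
            zf.writestr(SBOM_PATH, json.dumps(sbom))
    return buf.getvalue()


def has_embedded_sbom(jar_bytes: bytes) -> bool:
    """True when the jar contains an entry at the path the PR uses."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return SBOM_PATH in zf.namelist()


def read_embedded_sbom(jar_bytes: bytes) -> dict:
    """Extract and parse the SBOM, rejecting anything that is not CycloneDX."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if SBOM_PATH not in zf.namelist():
            raise FileNotFoundError(f"{SBOM_PATH} missing from jar")
        doc = json.loads(zf.read(SBOM_PATH))
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("embedded document is not a CycloneDX SBOM")
    return doc


def list_components(doc: dict) -> list:
    """Return sorted component identifiers: the purl when present, else group:name:version."""
    ids = []
    for comp in doc.get("components", []):
        ids.append(comp.get("purl") or
                   f"{comp.get('group', '')}:{comp['name']}:{comp.get('version', '')}")
    return sorted(ids)
```

Run against a real artifact by passing the jar's bytes to `read_embedded_sbom`; a missing entry fails loudly rather than silently reporting an empty component list.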