[jira] [Commented] (LOG4J2-3354) Publish an SBOM with Log4j

Thu, 20 Jan 2022 22:07:21 -0800 


    [ 
https://issues.apache.org/jira/browse/LOG4J2-3354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479848#comment-17479848
 ] 

Ralph Goers commented on LOG4J2-3354:
-------------------------------------

The BOM POM is a convenience for our users to get all the Log4j artifacts into 
a dependencyManagement so they are all versioned correctly as part of their 
Maven builds.

An SBOM contains the list of dependencies a project has. Read the Links above 
for more info.

 

> Publish an SBOM with Log4j
> --------------------------
>
>                 Key: LOG4J2-3354
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3354
>             Project: Log4j 2
>          Issue Type: New Feature
>          Components: Build
>            Reporter: Matt Sicker
>            Priority: Major
>
> Log4j should publish a software bill of materials (SBOM) on each release to 
> enable end users to more easily discover the versions of both Log4j and 
> related dependencies are in use in their software. [Sonatype has a blog post 
> explaining what SBOM 
> is|https://blog.sonatype.com/what-is-a-software-bill-of-materials], and OWASP 
> has a tool called [CycloneDX|https://cyclonedx.org/] which has a [Maven 
> plugin|https://github.com/CycloneDX/cyclonedx-maven-plugin] which we could 
> potentially use for this.
> Open questions:
>  * Do SBOM files get published to Maven Central as additional artifacts?
>  * Do we add SBOM files to the source and binary archives?
>  * Should the generated SBOM only include required dependencies? This last 
> bit is less obvious since we're a library, so the end user can always 
> override their full dependency tree when building their app.
> More options for generating an SBOM:
>  * [https://github.com/opensbom-generator/spdx-sbom-generator]
>  * [https://dependencytrack.org|https://dependencytrack.org/] - integrates 
> with CycloneDX (all OWASP tools)
>  * 
> [https://github.com/AevaOnline/supply-chain-synthesis/blob/main/documents/list-projects.md]
>  - larger list of relevant supply chain security tooling
> More information about what an SBOM is, related standards, etc.: 
> [https://www.ntia.gov/SBOM]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to