[ 
https://issues.apache.org/jira/browse/LOG4J2-3354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480336#comment-17480336
 ] 

Matt Sicker commented on LOG4J2-3354:
-------------------------------------

Something like this in the parent pom might work, though I get an error when 
trying to run "mvn clean install", but not when I run "mvn install".

{code}
      <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.5.3</version>
        <inherited>false</inherited>
        <configuration>
          <includeProvidedScope>false</includeProvidedScope>
          <includeRuntimeScope>false</includeRuntimeScope>
          <excludeArtifactId>
            <artifactId>log4j-api-java9</artifactId>
            <artifactId>log4j-core-its</artifactId>
            <artifactId>log4j-core-java9</artifactId>
            <artifactId>log4j-distribution</artifactId>
            <artifactId>log4j-osgi</artifactId>
            <artifactId>log4j-samples</artifactId>
            <artifactId>log4j-samples-flume-common</artifactId>
            <artifactId>log4j-samples-flume-remote</artifactId>
            <artifactId>log4j-samples-flume-embedded</artifactId>
            <artifactId>log4j-samples-configuration</artifactId>
            <artifactId>log4j-samples-loggerProperties</artifactId>
            <artifactId>log4j-spring-cloud-config-samples</artifactId>
            <artifactId>log4j-spring-cloud-config-sample-server</artifactId>
          </excludeArtifactId>
        </configuration>
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>makeAggregateBom</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
{code}
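As an added example (not part of this comment or of the Log4j build), a check that can be run over the aggregate BOM the plugin configuration above produces, assuming the JSON output format: it confirms that the excluded artifactIds really stayed out, flags components a consumer could not match against advisories (no version or no purl), and collects the Log4j versions the BOM declares. The sample BOM and its version string are constructed placeholders.

```python
import json

# artifactIds the plugin configuration above excludes from the aggregate BOM
EXCLUDED_ARTIFACT_IDS = {
    "log4j-api-java9", "log4j-core-its", "log4j-core-java9", "log4j-distribution",
    "log4j-osgi", "log4j-samples", "log4j-samples-flume-common",
    "log4j-samples-flume-remote", "log4j-samples-flume-embedded",
    "log4j-samples-configuration", "log4j-samples-loggerProperties",
    "log4j-spring-cloud-config-samples", "log4j-spring-cloud-config-sample-server",
}

def check_bom(bom_text, excluded=EXCLUDED_ARTIFACT_IDS):
    """Validate a CycloneDX JSON BOM. Returns (problems, log4j_versions): sorted
    findings and artifactId -> version for every org.apache.logging.log4j component."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    problems, log4j_versions = [], {}
    for comp in bom.get("components", []):
        group, name = comp.get("group", ""), comp["name"]
        key = f"{group}:{name}"
        if name in excluded:          # plugin exclusion did not take effect
            problems.append(f"excluded artifact present: {key}")
        if not comp.get("version"):   # advisories cannot be matched without a version
            problems.append(f"no version: {key}")
        if not comp.get("purl"):      # tools such as Dependency-Track key on the purl
            problems.append(f"no purl: {key}")
        if group == "org.apache.logging.log4j":
            log4j_versions[name] = comp.get("version", "")
    return sorted(problems), log4j_versions

def _component(group, name, version):
    """Build one constructed component entry; a purl is only set when a version exists."""
    comp = {"type": "library", "group": group, "name": name, "version": version}
    if version:
        comp["purl"] = f"pkg:maven/{group}/{name}@{version}?type=jar"
    return comp

# Constructed sample BOM; the version string is a placeholder, not real release data.
V = "2.x.y-PLACEHOLDER"
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        _component("org.apache.logging.log4j", "log4j-api", V),
        _component("org.apache.logging.log4j", "log4j-core", V),
        _component("org.apache.logging.log4j", "log4j-samples-flume-remote", V),  # should be excluded
        _component("com.example", "example-dependency", ""),  # no version, hence no purl
    ],
})
```

Running `check_bom(SAMPLE_BOM)` reports the leaked sample module and the versionless component, and returns the three Log4j versions.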

> Publish an SBOM with Log4j
> --------------------------
>
>                 Key: LOG4J2-3354
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3354
>             Project: Log4j 2
>          Issue Type: New Feature
>          Components: Build
>            Reporter: Matt Sicker
>            Priority: Major
>
> Log4j should publish a software bill of materials (SBOM) on each release to 
> enable end users to more easily discover which versions of both Log4j and 
> related dependencies are in use in their software. [Sonatype has a blog post 
> explaining what SBOM 
> is|https://blog.sonatype.com/what-is-a-software-bill-of-materials], and OWASP 
> has a tool called [CycloneDX|https://cyclonedx.org/] which has a [Maven 
> plugin|https://github.com/CycloneDX/cyclonedx-maven-plugin] which we could 
> potentially use for this.
> Open questions:
>  * Do SBOM files get published to Maven Central as additional artifacts?
>  * Do we add SBOM files to the source and binary archives?
>  * Should the generated SBOM only include required dependencies? This last 
> bit is less obvious since we're a library, so the end user can always 
> override their full dependency tree when building their app.
> More options for generating an SBOM:
>  * [https://github.com/opensbom-generator/spdx-sbom-generator]
>  * [https://dependencytrack.org|https://dependencytrack.org/] - integrates 
> with CycloneDX (all OWASP tools)
>  * [https://github.com/AevaOnline/supply-chain-synthesis/blob/main/documents/list-projects.md] - larger list of relevant supply chain security tooling
> More information about what an SBOM is, related standards, etc.: 
> [https://www.ntia.gov/SBOM]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)