Just as an FYI in case it's not known already: I'm sure this is not the only initiative, but at OWASP/CycloneDX we're working on a project for distribution of SBOMs: https://github.com/CycloneDX/transparency-exchange-api I'm not sure if _this_ or another project/standard will be the "winner" going forward, but I'm fairly certain _something_ will evolve in the next few years to distribute and collect SBOMs.
On Tue, Oct 22, 2024 at 12:06 PM Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Hi all,
>
> For the real deal, would we publish SBOMs next to the JARs, for example in
> https://dist.apache.org/repos/dist/release/commons/io/binaries/ ? With
> file names that have a version or not?
>
> Gary
>
> On Tue, Oct 22, 2024, 5:10 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
>
> > Hi Arnout,
> >
> > On Mon, 21 Oct 2024 at 15:34, Arnout Engelen <enge...@apache.org> wrote:
> > > During a recent discussion elsewhere we figured it might be nice to
> > > collect the SBOMs currently published by Apache projects in a single
> > > place to facilitate experimentation. I've put those at
> > > https://github.com/apache/security-site/tree/sboms/sboms for now. As you
> > > can see there's already a fair number of ASF projects publishing SBOMs,
> > > and I'm sure I've missed some - LMK.
> >
> > Nice job!
> >
> > What kind of SBOMs should we upload to the repo and how should we
> > structure the folders?
> >
> > In Log4j (and probably other library Java projects), we have two kinds
> > of SBOMs, depending on the CycloneDX Maven Plugin goal we use[1]:
> >
> > * "normal" source SBOMs: these are generated for each binary component
> >   (e.g. `log4j-api` or `log4j-core`) and list all the dependencies of
> >   those components.
> > * "aggregate" SBOMs: these are basically a composition of all the
> >   "normal" source SBOMs that are released together. The "dependencies"
> >   of the main component in the aggregate SBOM are the different Maven
> >   modules of a multi-module Maven build.
> >
> > I think that the second kind is what we want, since they give all the
> > information in one place. Each PMC could structure its folders
> > according to the structure adopted on `downloads.apache.org`. E.g. for
> > Logging Services I could upload the SBOMs as:
> >
> > * logging/log4j/2.24.1/apache-log4j-2.24.1-cyclonedx.xml
> > * logging/log4j-scala/13.1.0/apache-log4j-scala-13.1.0-cyclonedx.xml
> > * etc.
> >
> > What do you think?
> >
> > Piotr
> >
> > [1] https://github.com/CycloneDX/cyclonedx-maven-plugin?tab=readme-ov-file#goals
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> > For additional commands, e-mail: security-discuss-h...@community.apache.org
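Added example (not part of this thread, and not code from the CycloneDX or any Apache project): a small Python script that reads an "aggregate" CycloneDX XML SBOM of the kind Piotr describes, walks the dependency graph from the main (parent POM) component to the reactor modules and then to the third-party jars they pull in, flags bom-refs used in <dependencies> that no <component> declares, and checks that a file name laid out as `logging/log4j/2.24.1/apache-log4j-2.24.1-cyclonedx.xml` carries the same version as the BOM it would be filed under. The embedded BOM is constructed for illustration; `org.example` and `com.thirdparty` are placeholders, not real artifacts.

```python
# Added example: walk a CycloneDX "aggregate" SBOM from a multi-module Maven build.
# The BOM below is constructed for illustration (org.example / com.thirdparty are
# placeholders); it is not an SBOM published by any ASF project.
import xml.etree.ElementTree as ET

# CycloneDX XML namespace (the 1.5 schema; other 1.x versions differ only in the URI)
NS = {"cdx": "http://cyclonedx.org/schema/bom/1.5"}

# Constructed aggregate BOM: the metadata component is the parent POM, its direct
# "dependencies" are the reactor modules, and the modules depend on third-party jars.
SAMPLE_AGGREGATE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata>
    <component type="library" bom-ref="pkg:maven/org.example/parent@1.0.0?type=pom">
      <group>org.example</group><name>parent</name><version>1.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:maven/org.example/mod-api@1.0.0?type=jar">
      <group>org.example</group><name>mod-api</name><version>1.0.0</version>
    </component>
    <component type="library" bom-ref="pkg:maven/org.example/mod-core@1.0.0?type=jar">
      <group>org.example</group><name>mod-core</name><version>1.0.0</version>
    </component>
    <component type="library" bom-ref="pkg:maven/com.thirdparty/lib@3.2.1?type=jar">
      <group>com.thirdparty</group><name>lib</name><version>3.2.1</version>
    </component>
    <component type="library" bom-ref="pkg:maven/com.thirdparty/transitive@0.9.0?type=jar">
      <group>com.thirdparty</group><name>transitive</name><version>0.9.0</version>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:maven/org.example/parent@1.0.0?type=pom">
      <dependency ref="pkg:maven/org.example/mod-api@1.0.0?type=jar"/>
      <dependency ref="pkg:maven/org.example/mod-core@1.0.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/org.example/mod-api@1.0.0?type=jar"/>
    <dependency ref="pkg:maven/org.example/mod-core@1.0.0?type=jar">
      <dependency ref="pkg:maven/org.example/mod-api@1.0.0?type=jar"/>
      <dependency ref="pkg:maven/com.thirdparty/lib@3.2.1?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/com.thirdparty/lib@3.2.1?type=jar">
      <dependency ref="pkg:maven/com.thirdparty/transitive@0.9.0?type=jar"/>
    </dependency>
    <dependency ref="pkg:maven/com.thirdparty/transitive@0.9.0?type=jar"/>
  </dependencies>
</bom>
"""


def parse_bom(xml_text):
    """Return (main_ref, components, graph): the bom-ref of the metadata component,
    {bom-ref: "group:name:version"} for every declared component, and the
    {bom-ref: [bom-ref, ...]} dependency graph."""
    root = ET.fromstring(xml_text)
    main_ref = root.find("cdx:metadata/cdx:component", NS).get("bom-ref")
    components = {}
    for c in root.findall("cdx:components/cdx:component", NS):
        gav = ":".join(c.findtext(f"cdx:{t}", default="", namespaces=NS)
                       for t in ("group", "name", "version"))
        components[c.get("bom-ref")] = gav
    graph = {}
    for d in root.findall("cdx:dependencies/cdx:dependency", NS):
        graph[d.get("ref")] = [child.get("ref") for child in d.findall("cdx:dependency", NS)]
    return main_ref, components, graph


def reactor_modules(main_ref, graph):
    """Direct dependencies of the main component: in an aggregate BOM these are
    the Maven modules released together (the log4j-api / log4j-core of the thread)."""
    return list(graph.get(main_ref, []))


def transitive_deps(start, graph):
    """Every bom-ref reachable from start through the dependency graph (cycle-safe)."""
    seen, stack = set(), [start]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def third_party(main_ref, graph):
    """Reachable components that are not reactor modules: the part a vulnerability
    scanner actually matches against advisories."""
    return sorted(transitive_deps(main_ref, graph) - set(reactor_modules(main_ref, graph)))


def dangling_refs(main_ref, components, graph):
    """bom-refs used in <dependencies> that no <component> declares; a non-empty
    result means the BOM was truncated or hand-edited and should not be published."""
    declared = set(components) | {main_ref}
    used = set(graph) | {d for deps in graph.values() for d in deps}
    return sorted(used - declared)


def dist_path(pmc, project, version):
    """File name following the layout proposed in the thread, e.g.
    logging/log4j/2.24.1/apache-log4j-2.24.1-cyclonedx.xml (assumed convention)."""
    return f"{pmc}/{project}/{version}/apache-{project}-{version}-cyclonedx.xml"


def version_matches_path(xml_text, path):
    """True when the main component's version is both the directory name and
    part of the file name, so a mis-filed SBOM is caught before upload."""
    version = ET.fromstring(xml_text).findtext(
        "cdx:metadata/cdx:component/cdx:version", namespaces=NS)
    parts = path.split("/")
    return len(parts) >= 2 and parts[-2] == version \
        and parts[-1].endswith(f"-{version}-cyclonedx.xml")


if __name__ == "__main__":
    main_ref, components, graph = parse_bom(SAMPLE_AGGREGATE_BOM)
    print("main:", components.get(main_ref, main_ref))
    print("modules:", [components[r] for r in reactor_modules(main_ref, graph)])
    print("third party:", [components[r] for r in third_party(main_ref, graph)])
    print("dangling:", dangling_refs(main_ref, components, graph))
    print("path ok:", version_matches_path(SAMPLE_AGGREGATE_BOM, dist_path("org", "parent", "1.0.0")))
```

Running it against a real aggregate BOM from the cyclonedx-maven-plugin's makeAggregateBom goal only needs the namespace URI in NS to match the schema version the plugin wrote; the graph walk and the path check are the same.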