On 6/14/2023 5:53 PM, Gary Gregory wrote:
I am wondering if you've looked at the CycloneDx and SPDX Maven plugins?
These two seem to be the most used ATM for SBOMs.
Gary
I had never heard of these plugins or of SBOMs. I did a quick bit of
research; according to [How to create SBOMs in Java with Maven and
Gradle](https://snyk.io/blog/create-sboms-java-maven-gradle/):
> But be careful to not confuse an SBOM with Maven's Bill Of Materials
> (BOM). In Maven, a BOM is a special kind of POM file where we can
> centralize dependencies for an application. In most cases, these
> dependencies work well together and should be used as a set, like we see
> in BOMs used in Spring.
>
> An SBOM is something you create next to your application, so any user
> or client has a uniform way to find out what your application is using
> under the hood.
So an SBOM seems to be different than the Maven BOM I was talking about,
with a different purpose. But thanks for the pointer—always nice to
learn about new things.
Garret
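As an added illustration, not part of either message in the thread, here are the two things the quoted text distinguishes side by side in one pom.xml: a Maven BOM imported in dependencyManagement (so Maven pins versions for this build), and the CycloneDX Maven plugin Gary mentions, wired into the package phase so the build also emits an SBOM describing the resolved dependency tree. The project coordinates and the BOM_VERSION / PLUGIN_VERSION strings are placeholders, not values from the thread.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>              <!-- placeholder coordinates -->
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>

  <!-- Maven BOM: a POM imported with scope "import" so that its
       dependencyManagement section pins versions for this build.
       It tells Maven which versions to use; it does not describe the
       built artifact to anyone outside the build. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>BOM_VERSION</version>        <!-- placeholder -->
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> here: it is resolved from the imported BOM above. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- SBOM: the CycloneDX plugin inventories the resolved dependency
           tree and writes a CycloneDX document under target/ (bom.xml and
           bom.json by default), an artifact shipped next to the
           application so consumers and scanners can see what is inside. -->
      <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>PLUGIN_VERSION</version>     <!-- placeholder -->
        <executions>
          <execution>
            <phase>package</phase>
            <goals>
              <goal>makeBom</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The BOM only influences dependency resolution at build time; the SBOM is the output that records what was actually resolved, which is what a consumer checks against vulnerability data.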