On Sun, Jul 17, 2022 at 11:00 AM sebb <seb...@gmail.com> wrote:
>
> On Sun, 17 Jul 2022 at 15:45, Matt Juntunen <matt.a.juntu...@gmail.com> wrote:
> >
> > Hello all,
> >
> > Steve Springett recently created a PR [1] for commons-parent that
> > introduces the generation of software bill of materials (SBOM)
> > artifacts into the build process. First of all, thank you, Steve.
> > Secondly, I believe this is an important topic that should be
> > addressed by our community. SBOMs contain metadata that can be used in
> > application security contexts and software supply chain analysis. They
> > seem to be becoming increasingly important as the software industry
> > places a greater emphasis on cybersecurity. I have a small amount of
> > experience with these types of files from my day job. My team will
> > soon begin generating them for all of our projects in order to allow
> > automated tools to better track CVEs and report to our customers on
> > the security of our applications. The questions I believe we need to
> > answer as a community are:
> >
> > 1. Do we want to include SBOMs in our Maven build artifacts?
> > 2. If so, what format do we want to use?
> >
> > In regard to the first question, I believe that we would need a good
> > reason to *not* include these (or similar) artifacts. It's a simple
> > service we can provide to help our users maintain good cybersecurity
> > practices. As the provider of a number of hugely popular open-source
> > libraries, I would love to see us take the lead on ensuring the
> > security of the Java ecosystem.
> >
> > For question two, there are a few SBOM standards out there, notably
> > SPDX [2] and CycloneDX [3] (which is what Steve included in his PR). I
> > am not well versed in the exact differences between the formats, but
> > CycloneDX seems to have better Java support and a large number of
> > useful tools, such as the Maven plugin used in Steve's PR.
> >
> > If we can agree on answers to the two questions above, then we can
> > move forward and start discussing details. Thank you all for your
> > time.
>
> SBOMs presumably apply to all ASF software, so it seems to me it would
> be sensible to address this at ASF level.
> It would be silly for each project to generate the data differently,
> even if only slightly.
> Once a format is settled upon, I would expect it to be implemented via
> the Apache POM, rather than by every Maven Java project.
>
> I think the mailing list for this is probably
> security-disc...@community.apache.org:
> https://lists.apache.org/list.html?security-disc...@community.apache.org

I agree with Sebb. Note that the CycloneDX plugin does not work correctly
for multi-module Maven projects. See the PR for my results.

Gary

> > Regards,
> > Matt J
> >
> > [1] https://github.com/apache/commons-parent/pull/122
> > [2] https://spdx.dev/
> > [3] https://cyclonedx.org/
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
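Matt's message describes SBOMs as metadata that automated tools consume to track CVEs against a dependency set. The script below, added here as an illustration and not part of the thread, the commons-parent PR or the CycloneDX project, shows what that consumption looks like: it parses a CycloneDX JSON document, pulls out the per-component fields a vulnerability tracker keys on (name, version, package URL, SHA-256 hash, declared licenses), builds a purl index, and reports components whose record is too incomplete to match reliably. The embedded SBOM is constructed by hand for the example; it is not output of the Maven plugin, and the component names in it are invented.

```python
"""Read a CycloneDX JSON SBOM and extract the fields a vulnerability
tracker needs. Added example: the SBOM below is a hand-constructed
stand-in, not output of the cyclonedx-maven-plugin."""
import json
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

# Constructed sample: one module with three dependencies of varying
# completeness (dep-b lacks hashes, dep-c lacks a purl altogether).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "component": {"type": "library", "group": "org.example",
                      "name": "example-lib", "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "group": "org.example", "name": "dep-a",
         "version": "2.3.1",
         "purl": "pkg:maven/org.example/dep-a@2.3.1",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "org.example", "name": "dep-b",
         "version": "0.9.0",
         "purl": "pkg:maven/org.example/dep-b@0.9.0"},
        {"type": "library", "group": "org.example", "name": "dep-c",
         "version": "5.1.0"},
    ],
})


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]      # package URL: the key most CVE feeds match on
    sha256: Optional[str]    # lets a consumer confirm the exact artifact
    licenses: Tuple[str, ...]


def parse_cyclonedx(text: str) -> List[Component]:
    """Return the components listed in a CycloneDX JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out: List[Component] = []
    for c in doc.get("components", []):
        sha = None
        for h in c.get("hashes", []):
            if h.get("alg") == "SHA-256":
                sha = h.get("content")
        lic = tuple(
            (entry["license"].get("id") or entry["license"].get("name") or "")
            for entry in c.get("licenses", [])
            if "license" in entry
        )
        out.append(Component(c["name"], c.get("version", ""),
                             c.get("purl"), sha, lic))
    return out


def purl_index(components: List[Component]) -> Dict[str, Component]:
    """Map purl -> component, the lookup structure a CVE matcher uses."""
    return {c.purl: c for c in components if c.purl}


def audit_gaps(components: List[Component]) -> Dict[str, List[str]]:
    """Flag components a tracker cannot match precisely: no purl means no
    ecosystem-level identity, no SHA-256 means the artifact itself cannot
    be confirmed against what was actually shipped."""
    return {
        "no_purl": [c.name for c in components if not c.purl],
        "no_sha256": [c.name for c in components if not c.sha256],
    }


if __name__ == "__main__":
    comps = parse_cyclonedx(SAMPLE_SBOM)
    for c in comps:
        print(f"{c.name} {c.version} purl={c.purl} sha256={c.sha256} "
              f"licenses={c.licenses}")
    print("gaps:", audit_gaps(comps))
```

The gap report is the part worth keeping in a build: a component with neither a purl nor a hash shows up in the SBOM but cannot be matched to an advisory feed or to a concrete artifact, so an SBOM that passes schema validation can still be useless for the CVE tracking Matt describes. Running it against the output of each module of a multi-module build would also surface the incompleteness Gary reports.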