Andrew, You're right, SBOMs have gotten a lot of attention [1]. While it appears vendors are going to be most on the hook to provide SBOMs, having the insights available at project and library level will be impacting library selection more and more.
You can easily get bill of materials information for Royale using Lift if you'd like. Here are some example runs for (forks of) asjs [2] and compiler [3]. Notice the export button to get CycloneDX files out, which could be used as the first draft.

Cheers,
Thomas

Disclaimer: while I've interacted with Apache projects for a while, I am working for a vendor of SBOM, vulnerability, and dependency tracking tooling. The linked Lift tool is used by some Apache projects for nightly SBOM scans (+ emails on security issues) and by a few more via the sonatype-lift github application. The team is happy to help with any questions or issues, but whatever tool you pick I encourage you to move forward.

[1] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[2] https://lift.sonatype.com/results/github.com/TomMD/royale-asjs/01G9FJ47NMQJF9TEVME6S2GJSV?tab=dependencies
[3] https://lift.sonatype.com/results/github.com/tommd/royale-compiler/01G9FH4M6DVZZMEPF5DJGXEE6S?tab=dependencies

On Tue, Aug 2, 2022 at 6:26 AM Andrew Wetmore <cottag...@gmail.com> wrote:
> Hi, all.
>
> I was reading today about SBOM [1] ('a kind of nutrition label to reduce
> software supply chain risk') and wondered whether it would be very
> difficult to add such a document to the Royale release assets. It seems to
> be an impending requirement (or 'desirement') for released software, and I
> can't imagine it would be too hard to put one together for our product.
>
> If this seems like a good idea, I would be happy to create a draft and get
> others to improve it.
>
> [1]
>
> https://develop.secure.software/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks
>
> --
> Andrew Wetmore
>
> Editor, Moose House Publications
> Editor-Writer, The Apache Software Foundation
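As an added example (not code from this thread, from Lift, or from the Royale project), the script below runs a review pass over a CycloneDX JSON export of the kind the Lift export button produces, flagging the gaps a release manager would want to close before publishing it as a draft SBOM: components without a version, a purl or hashes, and missing top-level fields. The BOM embedded in it is constructed for illustration, not a real Royale export.

```python
"""Review a CycloneDX JSON BOM for gaps before shipping it as a release asset."""
import json

# Constructed sample: a trimmed CycloneDX 1.4 document, NOT a real Royale export.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",
    "version": 1,
    "metadata": {"component": {"type": "library", "name": "example-app", "version": "0.1.0"}},
    "components": [
        {"type": "library", "name": "complete-lib", "version": "2.3.1",
         "purl": "pkg:maven/org.example/complete-lib@2.3.1",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "no-hash-lib", "version": "1.0.0",
         "purl": "pkg:maven/org.example/no-hash-lib@1.0.0"},
        {"type": "library", "name": "no-version-lib",
         "purl": "pkg:maven/org.example/no-version-lib"},
    ],
})

REQUIRED_TOP = ("bomFormat", "specVersion", "serialNumber", "version")


def review_bom(text):
    """Return a list of (component_name, problem) for gaps an SBOM consumer would hit."""
    bom = json.loads(text)
    findings = []
    for key in REQUIRED_TOP:
        if key not in bom:
            findings.append(("<document>", f"missing top-level field {key!r}"))
    if bom.get("bomFormat") != "CycloneDX":
        findings.append(("<document>", "bomFormat is not CycloneDX"))
    if "component" not in bom.get("metadata", {}):
        findings.append(("<document>", "metadata.component (the described product) is missing"))
    seen_purls = set()
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append((name, "no version: cannot be matched against advisories"))
        purl = comp.get("purl")
        if not purl:
            findings.append((name, "no purl: component is not machine-resolvable"))
        elif purl in seen_purls:
            findings.append((name, "duplicate purl"))
        seen_purls.add(purl)
        if not comp.get("hashes"):
            findings.append((name, "no hashes: shipped artifact cannot be verified"))
    return findings


if __name__ == "__main__":
    for component, problem in review_bom(SAMPLE_BOM):
        print(f"{component}: {problem}")
```

Point the same check at a real export by replacing `SAMPLE_BOM` with the file contents; a clean result is a reasonable bar before attaching the file to a release.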