[ https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17854836#comment-17854836 ]

ASF subversion and git services commented on SOLR-16796:
--------------------------------------------------------

Commit 1f584ae712babe3383184eba526b6d2347516596 in solr's branch refs/heads/main from Houston Putman
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=1f584ae712b ]

Revert "SOLR-16796: Add Maven SBOMs via cyclonedx (#1203)"

This reverts commit a42c605fb916439222a086356f368f02cf80304a.

> Publish an SBOM for Solr maven artifacts
> ----------------------------------------
>
>                 Key: SOLR-16796
>                 URL: https://issues.apache.org/jira/browse/SOLR-16796
>             Project: Solr
>          Issue Type: Improvement
>          Components: Build
>            Reporter: Arnout Engelen
>            Assignee: Houston Putman
>            Priority: Minor
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for
> its artifacts. An SBOM gives an overview of the components included in the
> artifact, which can be useful for example for scanner software that looks for
> dependencies with potential security vulnerabilities.
> Such consumers of the SBOM should probably combine it with the VEX published
> for Solr ([https://solr.apache.org/security.html#vex]) to avoid getting
> reports for known false positives.
> Draft PR starting point for this is at
> [https://github.com/apache/solr/pull/1203]

--
This message was sent by Atlassian Jira (v8.20.10#820010)