[ https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17902996#comment-17902996 ]
Philipp Trulson commented on SOLR-16796: ---------------------------------------- [~houston] both issues were closed and released, time for a second try? Would love to see this working! > Publish an SBOM for Solr maven artifacts > ---------------------------------------- > > Key: SOLR-16796 > URL: https://issues.apache.org/jira/browse/SOLR-16796 > Project: Solr > Issue Type: Improvement > Components: Build > Reporter: Arnout Engelen > Assignee: Houston Putman > Priority: Minor > Time Spent: 1h 20m > Remaining Estimate: 0h > > It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for > its artifacts. An SBOM gives an overview of the components included in the > artifact, which can be useful for example for scanner software that looks for > dependencies with potential security vulnerabilities. > Such consumers of the SBOM should probably combine it with the VEX published > for Solr ([https://solr.apache.org/security.html#vex)] to avoid getting > reports for known false positives. > Draft PR starting point for this is at > [https://github.com/apache/solr/pull/1203] -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org