[ https://issues.apache.org/jira/browse/SOLR-16796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903064#comment-17903064 ]

Houston Putman commented on SOLR-16796:
---------------------------------------

[~der_eismann] unfortunately, the issues persist. I need to create more issues 
for their repository. But basically even though we are allowed to override the 
name for the sbom artifact, that name is not used when the sbom is used as a 
dependency of another sbom. It's kind of a mess.

> Publish an SBOM for Solr maven artifacts
> ----------------------------------------
>
>                 Key: SOLR-16796
>                 URL: https://issues.apache.org/jira/browse/SOLR-16796
>             Project: Solr
>          Issue Type: Improvement
>          Components: Build
>            Reporter: Arnout Engelen
>            Assignee: Houston Putman
>            Priority: Minor
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for 
> its artifacts. An SBOM gives an overview of the components included in the 
> artifact, which can be useful for example for scanner software that looks for 
> dependencies with potential security vulnerabilities.
> Such consumers of the SBOM should probably combine it with the VEX published 
> for Solr ([https://solr.apache.org/security.html#vex]) to avoid getting 
> reports for known false positives.
> Draft PR starting point for this is at 
> [https://github.com/apache/solr/pull/1203]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
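The issue description above suggests that consumers of the SBOM combine it with Solr's published VEX so that known false positives are not reported. The following is an added example of that reconciliation step; it is not code from the Solr project or from either commenter. It assumes a CycloneDX-style SBOM and VEX (the `components`, `vulnerabilities`, `analysis.state` and `affects[].ref` fields), that a VEX `ref` is either a component's `bom-ref` or its purl, and uses constructed sample documents, placeholder vulnerability ids and a constructed scanner result list rather than real data.

```python
import json

# Constructed sample CycloneDX-style SBOM for illustration; not Solr's real SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "lib-a",
     "purl": "pkg:maven/org.example/lib-a@1.0.0"},
    {"type": "library", "bom-ref": "pkg:maven/org.example/lib-b@2.3.1",
     "purl": "pkg:maven/org.example/lib-b@2.3.1"}
  ]
}
"""

# Constructed CycloneDX-style VEX document; vulnerability ids are placeholders.
VEX_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "CVE-0000-00001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "lib-a"}]},
    {"id": "CVE-0000-00002",
     "analysis": {"state": "affected"},
     "affects": [{"ref": "pkg:maven/org.example/lib-b@2.3.1"}]}
  ]
}
"""

# Constructed scanner output: (purl, vulnerability id) pairs a scanner might
# emit after matching SBOM components against a vulnerability database.
SCANNER_FINDINGS = [
    {"purl": "pkg:maven/org.example/lib-a@1.0.0", "id": "CVE-0000-00001"},
    {"purl": "pkg:maven/org.example/lib-b@2.3.1", "id": "CVE-0000-00002"},
    {"purl": "pkg:maven/org.example/lib-b@2.3.1", "id": "CVE-0000-00003"},
    {"purl": "pkg:maven/org.example/lib-c@9.9.9", "id": "CVE-0000-00004"},
]

# CycloneDX analysis states that mean "do not report this one".
SUPPRESS_STATES = {"not_affected", "false_positive"}


def bom_ref_to_purl(sbom: dict) -> dict:
    """Map each component's bom-ref and its purl to the purl, so a VEX 'ref'
    written either way resolves to the same component identity."""
    mapping = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        mapping[purl] = purl
        if comp.get("bom-ref"):
            mapping[comp["bom-ref"]] = purl
    return mapping


def suppressed_pairs(vex: dict, refs: dict) -> set:
    """Return the set of (vuln_id, purl) pairs the VEX marks as not applicable."""
    out = set()
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state not in SUPPRESS_STATES:
            continue
        for target in vuln.get("affects", []):
            purl = refs.get(target.get("ref"))
            if purl:  # ignore refs that point at nothing in this SBOM
                out.add((vuln["id"], purl))
    return out


def triage(findings, sbom_json: str, vex_json: str):
    """Label each scanner finding: suppressed by VEX, not in the SBOM at all,
    or left to report."""
    sbom, vex = json.loads(sbom_json), json.loads(vex_json)
    refs = bom_ref_to_purl(sbom)
    known_purls = set(refs.values())
    suppressed = suppressed_pairs(vex, refs)
    labelled = []
    for f in findings:
        if f["purl"] not in known_purls:
            verdict = "not_in_sbom"      # scanner matched something the SBOM does not list
        elif (f["id"], f["purl"]) in suppressed:
            verdict = "suppressed_by_vex"
        else:
            verdict = "report"
        labelled.append({**f, "verdict": verdict})
    return labelled


def remaining(findings, sbom_json: str, vex_json: str):
    """Only the findings that still need a human to look at them."""
    return [f for f in triage(findings, sbom_json, vex_json) if f["verdict"] == "report"]


if __name__ == "__main__":
    for f in triage(SCANNER_FINDINGS, SBOM_JSON, VEX_JSON):
        print(f"{f['verdict']:18} {f['id']}  {f['purl']}")
```

Findings about a component the SBOM does not list are kept apart from suppressed ones rather than silently dropped, since they usually mean the scanner and the SBOM disagree about what was shipped, which is worth a look on its own.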
