Provide SBOM creation and deployment for Maven and the most used plugins #1
hendrikebbers
started this conversation in
Ideas for Milestones
Replies: 2 comments 2 replies
-
There's already the CycloneDX Maven plugin which creates an SBOM. However, it cannot be part of the default Maven lifecycle mapping, as it is a 3rd party plugin.
2 replies
-
Next to the discussed topics, the CycloneDX SBOM plugin for Maven needs to add the versions of all used Maven plugins to the SBOM. Otherwise the build tooling is not fully specified in the SBOM.
0 replies
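The two points above (the CycloneDX plugin has to be bound to a lifecycle phase explicitly because it is not in the default lifecycle mapping, and an SBOM that does not pin the build plugins' versions leaves the build tooling unspecified) can be checked mechanically. The script below is an added example, not code from Apache Maven or from the cyclonedx-maven-plugin project. Its inputs are constructed inline: a pom.xml that binds `makeAggregateBom` to the `package` phase, and a CycloneDX 1.5 JSON document shaped like what such a build emits. The plugin versions in both inputs are assumptions chosen for the example.

```python
"""Check whether a CycloneDX SBOM pins the Maven plugins a build used.

Added example, not code from Apache Maven or the cyclonedx-maven-plugin project.
Inputs are constructed inline; all plugin versions below are assumptions.
"""
import json
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom.xml: three build plugins plus the SBOM generator, which is
# bound to `package` explicitly since no default lifecycle mapping covers it.
POM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0.0</version>
  <build><plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId><version>3.13.0</version>
    </plugin>
    <plugin>  <!-- no version pinned: Maven resolves one at build time -->
      <artifactId>maven-jar-plugin</artifactId>
    </plugin>
    <plugin>
      <artifactId>maven-surefire-plugin</artifactId><version>3.2.5</version>
    </plugin>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId><version>2.8.0</version>
      <executions><execution>
        <phase>package</phase><goals><goal>makeAggregateBom</goal></goals>
      </execution></executions>
      <configuration><outputFormat>json</outputFormat></configuration>
    </plugin>
  </plugins></build>
</project>
"""

# Constructed CycloneDX 1.5 SBOM: the generator records itself under
# metadata.tools, surefire is recorded at a version other than the pinned one,
# and the compiler plugin is not recorded at all.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {
    "tools": {"components": [{"type": "application", "group": "org.cyclonedx",
               "name": "cyclonedx-maven-plugin", "version": "2.8.0"}]},
    "component": {"type": "application", "group": "org.example",
                  "name": "demo", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.17.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0"},
    {"type": "application", "group": "org.apache.maven.plugins",
     "name": "maven-surefire-plugin", "version": "3.1.2"}
  ]
}"""


def build_plugins(pom_xml):
    """Return (groupId, artifactId, version or None) for each <build><plugins><plugin>.
    Maven defaults a plugin's groupId to org.apache.maven.plugins when omitted."""
    plugins = []
    for plugin in ET.fromstring(pom_xml).findall(f"{NS}build/{NS}plugins/{NS}plugin"):
        def text(tag):
            node = plugin.find(NS + tag)
            return node.text.strip() if node is not None and node.text else None
        plugins.append((text("groupId") or "org.apache.maven.plugins",
                        text("artifactId"), text("version")))
    return plugins


def recorded_artifacts(sbom_json):
    """Return {(group, name): version} from metadata.tools (1.4 array or 1.5+
    object with 'components') and from every entry in components."""
    doc = json.loads(sbom_json)
    tools = doc.get("metadata", {}).get("tools", [])
    entries = tools.get("components", []) if isinstance(tools, dict) else tools
    entries = list(entries) + list(doc.get("components", []))
    return {(e.get("group"), e.get("name")): e.get("version") for e in entries}


def build_tooling_gaps(pom_xml, sbom_json):
    """Map artifactId -> reason for every build plugin the SBOM does not pin.
    An empty dict means the build tooling declared in the pom is covered."""
    recorded = recorded_artifacts(sbom_json)
    gaps = {}
    for group, artifact, version in build_plugins(pom_xml):
        if version is None:
            gaps[artifact] = "version not pinned in pom; SBOM must record the resolved version"
        elif (group, artifact) not in recorded:
            gaps[artifact] = "absent from SBOM"
        elif recorded[(group, artifact)] != version:
            gaps[artifact] = f"recorded at {recorded[(group, artifact)]}, pom pins {version}"
    return gaps


if __name__ == "__main__":
    for artifact, reason in sorted(build_tooling_gaps(POM_XML, SBOM_JSON).items()):
        print(f"{artifact}: {reason}")
```

On the constructed inputs the check reports the compiler plugin as absent, the jar plugin as unpinned, and surefire as recorded at a different version than the pom pins, while the CycloneDX plugin itself passes because the SBOM records it with group, name and version. Plugins that the default lifecycle bindings pull in without any mention in the pom (maven-resources-plugin, for instance) are not visible to this check; feed it the output of `mvn help:effective-pom` instead of the raw pom to cover those.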
-
Using SBOMs will be a de facto security standard in the future. While such topics are often missed in OSS development by individual contributors, we should use resources to define best-practice workflows on how Maven and Maven plugins should create and publish SBOMs, and implement that for the most critical plugins.