On Sun, 17 Jul 2022 at 15:45, Matt Juntunen <matt.a.juntu...@gmail.com> wrote: > > Hello all, > > Steve Springett recently created a PR [1] for commons-parent that > introduces the generation of software bill of materials (SBOM) > artifacts into the build process. First of all, thank you, Steve. > Secondly, I believe this is an important topic that should be > addressed by our community. SBOMs contain metadata that can be used in > application security contexts and software supply chain analysis. They > seem to be becoming increasingly important as the software industry > places a greater emphasis on cybersecurity. I have a small amount of > experience with these types of files from my day job. My team will > soon begin generating them for all of our projects in order to allow > automated tools to better track CVEs and report to our customers on > the security of our applications. The questions I believe we need to > answer as a community are: > > 1. Do we want to include SBOMs in our Maven build artifacts? > 2. If so, what format do we want to use? > > In regard to the first question, I believe that we would need a good > reason to *not* include these (or similar) artifacts. It's a simple > service we can provide to help our users maintain good cybersecurity > practices. As the provider of a number of hugely popular open-source > libraries, I would love to see us take the lead on ensuring the > security of the Java ecosystem. > > For question two, there are a few SBOM standards out there, notably > SPDX [2] and CycloneDX [3] (which is what Steve included in his PR). I > am not well versed in the exact differences between the formats, but > CycloneDX seems to have better Java support and a large number of > useful tools, such as the Maven plugin used in Steve's PR. > > If we can agree on answers to the two questions above, then we can > move forward and start discussing details. Thank you all for your > time.
SBOMs presumably apply to all ASF software, so it seems to me it would be sensible to address this at ASF level. It would be silly for each project to generate the data differently, even if only slightly. Once a format is settled upon, I would expect it to be implemented via the Apache POM, rather than by every Maven Java project. I think the mailing list for this is probably security-disc...@community.apache.org: https://lists.apache.org/list.html?security-disc...@community.apache.org > Regards, > Matt J > > [1] https://github.com/apache/commons-parent/pull/122 > [2] https://spdx.dev/ > [3] https://cyclonedx.org/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
