Hello,

This sort of suggestion would be better sent to our development mailing list ([email protected]). I'll note that we use Apache Maven for our build system, and a quick search shows that <https://github.com/CycloneDX/cyclonedx-maven-plugin> might be a useful plugin to propose for generating the SBOM as part of our standard release process. I do think it's a good idea, but this topic should be discussed in our public list and not on the private list.

--
Matt Sicker

On Dec 19, 2021, at 12:48, Dick Brooks <[email protected]> wrote:

I've created an SPDX SBOM for Log4j V 2.17.0-core along with a companion baseline vulnerability disclosure report (VDR), based on NIST NVD search results:
<https://github.com/rjb4standards/REA-Products/tree/master/Log4jUseCase>

Please read the README.md first to understand the limitations of this info. I encourage the Log4j team to consider updating the FixStatus and AnalysisFindings elements for each reported CVE. I'm happy to assist in this effort.

Thanks,
Dick Brooks
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report!
<http://www.reliableenergyanalytics.com/>
Email: [email protected]
Tel: +1 978-696-1788
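As an added illustration of the approach Matt mentions (example configuration written for this page, not from the thread or from the Log4j project's own build), the fragment below wires the CycloneDX Maven plugin into a multi-module build so that an aggregate SBOM is produced in the package phase of every release; the plugin version and output name are assumptions to adjust for the actual build.

```xml
<!-- Add under <build><plugins> of the parent/aggregator pom.xml (added example) -->
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <!-- assumption: pin to whatever release is current when adopting it -->
  <version>2.7.9</version>
  <configuration>
    <!-- Log4j ships as libraries consumed by other projects -->
    <projectType>library</projectType>
    <schemaVersion>1.4</schemaVersion>
    <!-- only scopes that end up on a consumer's classpath belong in the SBOM -->
    <includeCompileScope>true</includeCompileScope>
    <includeProvidedScope>true</includeProvidedScope>
    <includeRuntimeScope>true</includeRuntimeScope>
    <includeTestScope>false</includeTestScope>
    <!-- a serial number lets a VDR refer to one specific BOM document -->
    <includeBomSerialNumber>true</includeBomSerialNumber>
    <!-- emit both bom.xml and bom.json -->
    <outputFormat>all</outputFormat>
    <!-- assumption: file name chosen for this example -->
    <outputName>log4j-sbom</outputName>
    <outputDirectory>${project.build.directory}</outputDirectory>
  </configuration>
  <executions>
    <execution>
      <!-- runs on every `mvn package`, so the release pipeline needs no extra step -->
      <phase>package</phase>
      <goals>
        <!-- one BOM covering all reactor modules and their transitive dependencies -->
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

Because the plugin records each dependency's group, artifact, version and hashes as resolved by Maven, the generated BOM reflects what was actually built, which is the property a downstream VDR consumer needs when it matches components against NVD records.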
