Hi Volkan,
On Wed, 18 Oct 2023 at 21:55, Volkan Yazıcı <[email protected]> wrote:
> * Added support for auto-generating CycloneDX Software Bill of Materials
> (SBOM)
Looking at the generated `bom.json`, it gives a strange URL for the
distribution:
  {
    "type" : "distribution",
    "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
  },
This is a private URL for staging a release. I would expect this key to contain:
https://repository.apache.org/content/repositories/releases/
We probably also need to fill in other keys in the SBOM:
https://cyclonedx.org/docs/1.5/json/#externalReferences_items_type
(I use the version 1.5 schema, since it is commented, while 1.4 isn't).
The keys that would be useful to fill IMHO are:
* `advisories`, pointing to a common page with all the CVEs we
published against all our products,
* `release-notes`, `documentation` and `support`,
* `license` (for completeness, it is already defined elsewhere),
* `security-contact`, `vulnerability-assertion` and
`exploitability-statement`. The latter could use the exploitability
assessments we provide in GitHub (twice, for Dependabot and OSV
scanner):
https://github.com/apache/logging-log4j2/blob/2.x/log4j-parent/osv-scanner.toml
* `static-analysis-report`: both CodeQL and Scorecard can produce a
SARIF file. The latter even uploads it somewhere.
Piotr
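A small check for the two points raised above, as an added example that is not part of the thread or of the Log4j build: it flags a `distribution` reference that still points at the private staging path and lists which of the suggested `externalReferences` types are absent from a `bom.json`. The sample BOM is constructed to resemble the quoted fragment.

```python
import json
import sys

# Reference types suggested in the thread for a release SBOM
# (type names as defined by the CycloneDX 1.5 externalReferences schema).
RECOMMENDED_TYPES = {
    "advisories", "release-notes", "documentation", "support", "license",
    "security-contact", "vulnerability-assertion",
    "exploitability-statement", "static-analysis-report",
}

# Path fragment that identifies the private Nexus staging repository.
STAGING_MARKER = "/service/local/staging/"


def check_external_references(bom):
    """Return findings for a parsed CycloneDX BOM (dict loaded from JSON)."""
    refs = bom.get("externalReferences", [])
    present = {r.get("type") for r in refs}
    staging_urls = [
        r.get("url", "")
        for r in refs
        if r.get("type") == "distribution" and STAGING_MARKER in r.get("url", "")
    ]
    return {
        # distribution URLs that should have been the public releases repo
        "staging_distribution_urls": staging_urls,
        # recommended reference types not present in the BOM at all
        "missing_types": sorted(RECOMMENDED_TYPES - present),
    }


# Constructed sample BOM, modelled on the fragment quoted in the thread.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "externalReferences": [
        {"type": "distribution",
         "url": "https://repository.apache.org/service/local/staging/deploy/maven2"},
        {"type": "license", "url": "https://www.apache.org/licenses/LICENSE-2.0"},
    ],
}

if __name__ == "__main__":
    # Pass a path to a real bom.json, or run without arguments for the sample.
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    print(json.dumps(check_external_references(bom), indent=2))
```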