Houston Putman created SOLR-17328:
-------------------------------------

             Summary: Publish SBOMs for Solr binary artifacts
                 Key: SOLR-17328
                 URL: https://issues.apache.org/jira/browse/SOLR-17328
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Houston Putman


As mentioned in SOLR-16796, SBOMs (Software Bills of Materials) are useful for 
organizations running software at a large scale. 

SOLR-16796 originally focused on SBOMs for Solr in general, and was repurposed 
to just incorporate Maven artifacts, so this ticket completes the entire goal 
(SBOMs for all of Solr's artifacts).

Since Solr produces a full and a slim tgz, an SBOM would have to be produced for 
each. And CycloneDX would be the standard used, since that is the standard used 
for the Maven SBOMs.

I'm not sure how it would work in the Gradle workflow of Solr, but something 
like [syft|https://github.com/anchore/syft] would be useful to auto-generate an 
SBOM for a tgz in case the CycloneDX Gradle plugin is not configurable enough 
to handle the task.
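As an added illustration (not part of this ticket, of Solr's build, or of syft), the script below shows what "an SBOM per tgz" amounts to in the CycloneDX JSON shape: it walks a distribution tarball, turns every `name-version.jar` it finds into a `library` component with a SHA-256 hash, and wraps the list in a `bomFormat`/`specVersion`/`metadata` envelope. The two tarballs, the jar names and the artifact version are constructed stand-ins for the real full and slim distributions, and the `JAR_RE` filename convention is an assumption, not something Solr's build guarantees. A practical consequence of producing one SBOM per tarball is also shown: the slim SBOM's component set should be a subset of the full one's, which is a cheap consistency check to run after generation.

```python
"""Minimal CycloneDX 1.5 JSON SBOM per distribution tarball (added example).

The tarballs built here are constructed test data, not Solr's real contents.
"""
import hashlib
import io
import json
import re
import tarfile

# Assumed filename convention "<name>-<version>.jar", e.g. "foo-util-4.5.6.jar".
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tgz(files: dict) -> bytes:
    """Build a gzip-compressed tarball in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def components_from_tgz(tgz_bytes: bytes) -> list:
    """One CycloneDX 'library' component per jar found anywhere in the tarball."""
    components = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            m = JAR_RE.match(base)
            if not m:
                continue  # not a jar (README, scripts, configs): not a component
            data = tar.extractfile(member).read()
            components.append({
                "type": "library",
                "name": m["name"],
                "version": m["version"],
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
                # CycloneDX properties carry tool-specific data such as the path.
                "properties": [{"name": "archive:path", "value": member.name}],
            })
    # Deterministic ordering so two runs over the same tgz produce identical BOMs.
    components.sort(key=lambda c: (c["name"], c["version"]))
    return components


def build_sbom(artifact_name: str, artifact_version: str, tgz_bytes: bytes) -> dict:
    """Wrap the component list in the CycloneDX JSON envelope."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "name": artifact_name,
                "version": artifact_version,
            }
        },
        "components": components_from_tgz(tgz_bytes),
    }


def component_names(sbom: dict) -> set:
    """'name@version' identifiers, handy for comparing two SBOMs."""
    return {f"{c['name']}@{c['version']}" for c in sbom["components"]}


# Constructed sample tarballs standing in for the full and slim distributions.
FULL_TGZ = make_tgz({
    "solr-example/server/lib/example-core-1.2.3.jar": b"full-core",
    "solr-example/server/lib/example-util-4.5.6.jar": b"full-util",
    "solr-example/modules/extra/lib/example-extra-0.9.0.jar": b"module-extra",
    "solr-example/README.txt": b"readme",
})
SLIM_TGZ = make_tgz({
    "solr-example-slim/server/lib/example-core-1.2.3.jar": b"full-core",
    "solr-example-slim/server/lib/example-util-4.5.6.jar": b"full-util",
    "solr-example-slim/README.txt": b"readme",
})

if __name__ == "__main__":
    full = build_sbom("solr", "0.0.0-example", FULL_TGZ)
    slim = build_sbom("solr-slim", "0.0.0-example", SLIM_TGZ)
    print(json.dumps(full, indent=2))
    # Consistency check: the slim distribution must not ship anything the full one lacks.
    print("slim is a subset of full:", component_names(slim) <= component_names(full))
```

Real tooling (syft or the CycloneDX Gradle plugin) would additionally resolve package URLs and licenses from the Maven coordinates, which a filename alone cannot supply; the point here is the per-tarball structure and the hash-backed component list.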
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
