Houston Putman created SOLR-17328:
-------------------------------------

Summary: Publish SBOMs for Solr binary artifacts
Key: SOLR-17328
URL: https://issues.apache.org/jira/browse/SOLR-17328
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Houston Putman
As mentioned in SOLR-16796, SBOMs (Software Bills of Materials) are useful for organizations running software at a large scale. SOLR-16796 originally focused on SBOMs for Solr in general, and was repurposed to just incorporate Maven artifacts, so this ticket completes the entire goal (SBOMs for all of Solr's artifacts).

Since Solr produces a full and slim tgz, an SBOM would have to be produced for each. CycloneDX would be the standard used, since that is the standard used for the Maven SBOMs.

I'm not sure how it would work in the Gradle workflow of Solr, but something like syft (https://github.com/anchore/syft) would be useful to auto-generate an SBOM for a tgz in case the CycloneDX Gradle plugin is not configurable enough to handle the task.
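To make the request above concrete, here is an added example (not Solr project code and not what syft or the CycloneDX Gradle plugin do internally) of the minimal work a tgz-level SBOM generator has to perform: walk the tarball, open each jar, read its Maven coordinates from META-INF/maven/<group>/<artifact>/pom.properties, and emit one CycloneDX 1.5 component per jar with a purl and a SHA-256 hash. It also diffs the full and slim SBOMs, since the issue asks for one SBOM per distribution. The tarball layout, jar names, and the version string 9.99.0 are constructed sample input and assumptions, not real Solr release contents.

```python
"""Build a minimal CycloneDX 1.5 JSON SBOM from a binary .tgz of Java jars.

Added example, not Solr's own build code. Jars that carry no pom.properties
(shaded or hand-built jars) are still listed, by path, so nothing in the
archive goes unrecorded; they just get no purl.
"""
import hashlib
import io
import tarfile
import uuid
import zipfile
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple


def _make_jar(group: str, artifact: str, version: str, with_pom: bool = True) -> bytes:
    """Constructed sample input: a jar holding only its pom.properties (or nothing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_pom:
            zf.writestr(
                f"META-INF/maven/{group}/{artifact}/pom.properties",
                f"groupId={group}\nartifactId={artifact}\nversion={version}\n",
            )
        else:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def make_sample_tgz(jars: Dict[str, Tuple[str, str, str, bool]]) -> bytes:
    """Constructed sample input: an in-memory tgz, path -> (group, artifact, version, has_pom)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, (group, artifact, version, has_pom) in jars.items():
            data = _make_jar(group, artifact, version, has_pom)
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _maven_coords(jar_bytes: bytes) -> Optional[Dict[str, str]]:
    """Return groupId/artifactId/version from the jar's pom.properties, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                if {"groupId", "artifactId", "version"} <= props.keys():
                    return props
    return None


def sbom_from_tgz(tgz_bytes: bytes, app_name: str, app_version: str) -> dict:
    """Return a CycloneDX 1.5 document (as a dict) with one component per jar in the tgz."""
    components = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not (member.isfile() and member.name.endswith(".jar")):
                continue
            data = tf.extractfile(member).read()
            component = {
                "type": "library",
                "bom-ref": member.name,
                "name": member.name.rsplit("/", 1)[-1],
                "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}],
                "properties": [{"name": "archive:path", "value": member.name}],
            }
            coords = _maven_coords(data)
            if coords is not None:
                purl = f"pkg:maven/{coords['groupId']}/{coords['artifactId']}@{coords['version']}"
                component.update(group=coords["groupId"], name=coords["artifactId"],
                                 version=coords["version"], purl=purl)
            components.append(component)
    components.sort(key=lambda c: c["bom-ref"])
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": components,
    }


def purls(bom: dict) -> Set[str]:
    """All purls in a document; jars without Maven coordinates are not included."""
    return {c["purl"] for c in bom["components"] if "purl" in c}


def full_only(full_bom: dict, slim_bom: dict) -> Set[str]:
    """purls shipped in the full distribution but not the slim one."""
    return purls(full_bom) - purls(slim_bom)
```

Two checks a reviewer of a generated SBOM would make with this output: every jar in the archive appears exactly once (compare the component count against a `tar tzf` listing), and the slim SBOM's purls are a strict subset of the full one's, since a slim tgz that introduces a component the full one lacks indicates a packaging error rather than a trimmed build.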