Personally I think it's great we have PMCs asking for it :), and it's a great opportunity to start writing guidelines with the help of those projects who are eager to try.
I think we are still early in getting good guidelines - we are learning how to do it in different cases - and eventually, yeah, we will likely produce some good guides. I think there are a few nuances and definitely different paths you can take for now - and maybe the JDO community can test those that we have now, explore what they find and report here whether (and how) they manage to find their way. And we can use that discussion as a good learning project. I will also let others comment from their perspective and we can share our knowledge this way - because also, our knowledge is pretty distributed now.

Arnout is putting the SBOMs from a number of ASF projects together, and Herve recently added this PR with a page summarising SBOM status for some of our projects https://github.com/apache/security-site/pull/21/ which I do not think is published yet on "security.apache.org" - but you can see it here https://github.com/hboutemy/security-site/blob/87823ed212c6ce740fc2dceee774c97523575cdc/sboms/README.md

As I understand, most Java projects that use Maven can simply use the cyclonedx-maven-plugin https://github.com/CycloneDX/cyclonedx-maven-plugin and I guess basically that's how you start - and I think that's where the JDO team can start. Airflow - being mostly a Python + some JavaScript project - uses CDXGEN https://cyclonedx.github.io/cdxgen/, which is another way of generating SBOMs (and they have a number of tutorials), but likely the Maven route is simpler for those who already use Maven. I personally do not know much about the Maven plugin, so can't say more - but probably looking at the docs and looking at other - similar - projects in the list above and seeing how they are producing it might be a good start, and maybe the JDO team could ask their questions in the thread here after following the cyclonedx-maven-plugin docs and looking at the other list.
That could likely give us a fantastic start on "what questions our projects can ask", "what answers we can give", "where they are completely lost" etc. - ultimately landing those as some guidelines / FAQs after we try it with a few other projects. JDO community - could you try to follow the path above and ask the questions in the thread so that we could build such "good guidelines" for others?

J.

On Thu, Nov 7, 2024 at 12:55 AM Craig Russell <apache....@gmail.com> wrote:
> Hi,
>
> The DB JDO project is interested in creating SBOMs for our releases. Is
> there a good tutorial for the uninformed as to how to actually produce
> SBOMs?
>
> I know that the security team is working on documenting existing SBOMs for
> some projects. I looked at the security web site and it did not yield much
> information how to get started.
>
> If this is the wrong list for this please let us know.
>
> Thanks,
> Craig
>
> Craig L Russell
> c...@apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> For additional commands, e-mail:
> security-discuss-h...@community.apache.org
>
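A worked example of the Maven route discussed in the thread, added here for illustration and not taken from the messages above, from the JDO project or from the plugin's own build files: a cyclonedx-maven-plugin stanza for a project's pom.xml. The plugin version (2.8.0) and the CycloneDX schema version (1.5) are assumptions; check the current release on Maven Central and the plugin README before copying.

```xml
<!-- Added example, not from the thread: drop this into <build><plugins> of the
     (parent) pom.xml. Versions below are assumptions, verify before use. -->
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.8.0</version>
  <configuration>
    <!-- "library" for a jar consumed by other projects, "application" for a shipped app -->
    <projectType>library</projectType>
    <!-- CycloneDX schema version to emit; newer plugin releases support newer schemas -->
    <schemaVersion>1.5</schemaVersion>
    <!-- urn:uuid serial number lets consumers tell two BOMs of the same release apart -->
    <includeBomSerialNumber>true</includeBomSerialNumber>
    <!-- Scopes that end up in the released artifact -->
    <includeCompileScope>true</includeCompileScope>
    <includeRuntimeScope>true</includeRuntimeScope>
    <includeProvidedScope>true</includeProvidedScope>
    <includeSystemScope>true</includeSystemScope>
    <!-- Test dependencies never ship, so leave them out of a release SBOM -->
    <includeTestScope>false</includeTestScope>
    <!-- Embedding full licence texts bloats the BOM; licence IDs are kept either way -->
    <includeLicenseText>false</includeLicenseText>
    <!-- Also list the reactor modules themselves, not only third-party dependencies -->
    <outputReactorProjects>true</outputReactorProjects>
    <!-- Write both .xml and .json; "json" or "xml" alone is also valid -->
    <outputFormat>all</outputFormat>
    <outputName>${project.artifactId}-${project.version}-cyclonedx</outputName>
    <outputDirectory>${project.build.directory}</outputDirectory>
  </configuration>
  <executions>
    <execution>
      <!-- Run at package time so the BOM is produced alongside the release jars -->
      <phase>package</phase>
      <goals>
        <!-- makeAggregateBom covers all modules of a multi-module build;
             makeBom would emit one BOM per module instead -->
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

With this in place, a plain `mvn package` leaves the aggregate BOM in target/ as both XML and JSON, and the plugin attaches it as an additional artifact so it can be staged and signed together with the release. The plugin can also be tried without touching the pom at all by invoking the goal directly (`mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom`), which is a quick way to see what the default output looks like before committing to a configuration.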