[ https://issues.apache.org/jira/browse/GROOVY-10993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17854525#comment-17854525 ]
ASF GitHub Bot commented on GROOVY-10993:
-----------------------------------------

paulk-asert opened a new pull request, #2092:
URL: https://github.com/apache/groovy/pull/2092

This creates and publishes the CycloneDX SBOM files, but there are essentially empty ones for groovy-all, groovy-bom and groovy-binary. I don't know if that is a bug or a feature, i.e. I don't know whether security scanning tools follow the transitive dependencies and merge the SBOM data. If not, we might have to do some aggregation like we do for the groovy-all docs.

> Consider adding CycloneDX SBOM files
> ------------------------------------
>
>                 Key: GROOVY-10993
>                 URL: https://issues.apache.org/jira/browse/GROOVY-10993
>             Project: Groovy
>          Issue Type: Improvement
>            Reporter: Paul King
>            Assignee: Paul King
>            Priority: Major
>
> We should consider adding SBOM file(s) into our releases. SBOM files capture
> dependency metadata somewhat like pom or bom files but focus on security.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
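The aggregation question raised in the comment above (an aggregator artifact whose SBOM lists no components, and whether its members' SBOMs must be merged in) can be checked directly against the CycloneDX JSON. The following is an added example, not code from the Groovy project or from pull request #2092: it flags an SBOM with an empty component list, merges member SBOMs into the aggregator's SBOM keyed by bom-ref, and validates that the merged dependency graph is connected and has no dangling references. All artifact names, versions, sample documents and helper functions are constructed for illustration and are not real Groovy release data.

```python
"""Detect empty CycloneDX SBOMs and aggregate member SBOMs (illustrative helper)."""
import json
from copy import deepcopy


def make_component(group, name, version):
    """CycloneDX component entry keyed by its Package URL (used as bom-ref)."""
    purl = f"pkg:maven/{group}/{name}@{version}?type=jar"
    return {"type": "library", "group": group, "name": name,
            "version": version, "purl": purl, "bom-ref": purl}


def make_sbom(root, components, dependencies):
    """Minimal CycloneDX 1.5 JSON document with a metadata component."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": root},
            "components": components, "dependencies": dependencies}


def make_dep(ref, *depends_on):
    """One entry of the CycloneDX 'dependencies' graph."""
    return {"ref": ref["bom-ref"], "dependsOn": [d["bom-ref"] for d in depends_on]}


# Constructed sample data (hypothetical coordinates): two member modules whose
# SBOMs overlap, and an "all"-style aggregator that ships no components of its own.
CORE = make_component("org.example", "core", "1.0")
JSON_MOD = make_component("org.example", "json", "1.0")
ALL = make_component("org.example", "all", "1.0")
LIB_A = make_component("org.example.thirdparty", "lib-a", "2.0")
LIB_B = make_component("org.example.thirdparty", "lib-b", "3.0")
LIB_C = make_component("org.example.thirdparty", "lib-c", "4.0")

SBOM_CORE = make_sbom(CORE, [LIB_A, LIB_B],
                      [make_dep(CORE, LIB_A, LIB_B), make_dep(LIB_A, LIB_B)])
SBOM_JSON = make_sbom(JSON_MOD, [CORE, LIB_A, LIB_B, LIB_C],
                      [make_dep(JSON_MOD, CORE, LIB_C),
                       make_dep(CORE, LIB_A, LIB_B), make_dep(LIB_A, LIB_B)])
SBOM_ALL = make_sbom(ALL, [], [make_dep(ALL)])  # the "essentially empty" case


def is_effectively_empty(sbom):
    """True when the document carries only a metadata component and no 'components'."""
    return not sbom.get("components")


def aggregate(aggregator, members):
    """Merge member SBOMs into a copy of the aggregator's SBOM.

    Components are de-duplicated by bom-ref, dependency edges are unioned, and the
    aggregator root gains an edge to each member's root so the graph stays connected.
    Differing versions of one artifact are both kept rather than reconciled.
    """
    out = deepcopy(aggregator)
    root_ref = out["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in out.get("components", [])}
    deps = {d["ref"]: set(d.get("dependsOn", [])) for d in out.get("dependencies", [])}
    deps.setdefault(root_ref, set())
    for m in members:
        m_root = m["metadata"]["component"]
        comps.setdefault(m_root["bom-ref"], deepcopy(m_root))  # member becomes a component
        deps[root_ref].add(m_root["bom-ref"])
        for c in m.get("components", []):
            comps.setdefault(c["bom-ref"], deepcopy(c))
        for d in m.get("dependencies", []):
            deps.setdefault(d["ref"], set()).update(d.get("dependsOn", []))
    out["components"] = [comps[k] for k in sorted(comps)]
    out["dependencies"] = [{"ref": r, "dependsOn": sorted(deps[r])} for r in sorted(deps)]
    return out


def reachable_refs(sbom):
    """Every bom-ref reachable from the metadata component through 'dependencies'."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), [sbom["metadata"]["component"]["bom-ref"]]
    while stack:
        for nxt in edges.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def dangling_refs(sbom):
    """Refs named in the dependency graph that neither a component nor the root declares."""
    declared = {c["bom-ref"] for c in sbom.get("components", [])}
    declared.add(sbom["metadata"]["component"]["bom-ref"])
    named = set()
    for d in sbom.get("dependencies", []):
        named.add(d["ref"])
        named.update(d.get("dependsOn", []))
    return named - declared


if __name__ == "__main__":
    for name, doc in (("core", SBOM_CORE), ("json", SBOM_JSON), ("all", SBOM_ALL)):
        print(f"{name}: empty={is_effectively_empty(doc)}")
    merged = aggregate(SBOM_ALL, [SBOM_CORE, SBOM_JSON])
    print(json.dumps(merged, indent=2))
    print("dangling:", dangling_refs(merged))
```

The empty-list check is the test to run against the published groovy-all, groovy-bom and groovy-binary files before deciding whether a scanner will see anything useful; whether a given tool follows transitive dependencies on its own is tool-specific, and this only reports what the file itself declares. The merge deliberately keeps every purl it sees, so two members that disagree on a library's version both remain visible to a scanner rather than one being silently dropped.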