[ https://issues.apache.org/jira/browse/GROOVY-10993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17854525#comment-17854525 ]
ASF GitHub Bot commented on GROOVY-10993:
-----------------------------------------
paulk-asert opened a new pull request, #2092:
URL: https://github.com/apache/groovy/pull/2092
This creates and publishes the CycloneDX SBOM files, but there are
essentially empty ones for groovy-all, groovy-bom and groovy-binary. I don't
know if that is a bug or a feature, i.e. I don't know whether security scanning
tools follow the transitive dependencies and merge the SBOM data. If not, we
might have to do some aggregation like we do for the groovy-all docs.
> Consider adding CycloneDX SBOM files
> ------------------------------------
>
> Key: GROOVY-10993
> URL: https://issues.apache.org/jira/browse/GROOVY-10993
> Project: Groovy
> Issue Type: Improvement
> Reporter: Paul King
> Assignee: Paul King
> Priority: Major
>
> We should consider adding SBOM file(s) into our releases. SBOM files capture
> dependency metadata somewhat like pom or bom files but focus on security.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
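The two things the comment above leaves open are (a) how to tell that a published CycloneDX SBOM is "essentially empty" and (b) what the aggregation for groovy-all and friends would have to do if scanners do not follow transitive dependencies themselves. The script below is an added illustration, not code from the Groovy project or from pull request #2092: it flags SBOMs with an empty component list and unions several per-module SBOMs into one document whose subject depends on each module. The SBOM documents, module names and package URLs in it are constructed test data, not real Groovy dependency metadata.

```python
"""Detect empty CycloneDX SBOMs and aggregate per-module SBOMs into one.

Added example for the GROOVY-10993 discussion; not Apache Groovy code.
All SBOM content below is constructed test data (org.example coordinates),
not the real Groovy module graph.
"""
import json
from typing import Dict, Iterable, Set


def component_key(comp: dict) -> str:
    """Dedup key for a component: purl, else bom-ref, else group:name:version."""
    if comp.get("purl"):
        return comp["purl"]
    if comp.get("bom-ref"):
        return comp["bom-ref"]
    return "{}:{}:{}".format(comp.get("group", ""), comp.get("name", ""), comp.get("version", ""))


def is_essentially_empty(sbom: dict) -> bool:
    """True when the SBOM names a subject (metadata.component) but lists no components."""
    return len(sbom.get("components", [])) == 0


def merge_sboms(subject: dict, sboms: Iterable[dict]) -> dict:
    """Union the components and dependency edges of several SBOMs under one subject.

    Each input SBOM's own subject becomes a component of the aggregate and a
    direct dependency of `subject`; shared components are kept once (by key);
    dependency edges for the same ref are unioned.
    """
    components: Dict[str, dict] = {}
    deps: Dict[str, Set[str]] = {}
    subject_ref = subject.get("bom-ref") or component_key(subject)
    deps[subject_ref] = set()
    for sbom in sboms:
        module = sbom.get("metadata", {}).get("component")
        if module:
            module_ref = module.get("bom-ref") or component_key(module)
            components.setdefault(component_key(module), module)
            deps[subject_ref].add(module_ref)
        for comp in sbom.get("components", []):
            components.setdefault(component_key(comp), comp)
        for entry in sbom.get("dependencies", []):
            deps.setdefault(entry["ref"], set()).update(entry.get("dependsOn", []))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": subject},
        # sorted output keeps the aggregate deterministic across runs
        "components": [components[k] for k in sorted(components)],
        "dependencies": [{"ref": ref, "dependsOn": sorted(deps[ref])} for ref in sorted(deps)],
    }


def _lib(name: str, version: str) -> dict:
    """Constructed Maven library component with purl used as bom-ref."""
    purl = "pkg:maven/org.example/{}@{}".format(name, version)
    return {"bom-ref": purl, "type": "library", "group": "org.example",
            "name": name, "version": version, "purl": purl}


def _sbom(subject: dict, components: list, edges: Dict[str, list]) -> dict:
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": subject}, "components": components,
            "dependencies": [{"ref": r, "dependsOn": d} for r, d in edges.items()]}


# Constructed per-module SBOMs: two real-looking modules that share "util",
# and an aggregate whose SBOM came out with no components at all.
CORE = _sbom(_lib("core", "1.0"), [_lib("util", "2.1")],
             {"pkg:maven/org.example/core@1.0": ["pkg:maven/org.example/util@2.1"],
              "pkg:maven/org.example/util@2.1": []})
JSON_MODULE = _sbom(_lib("json", "1.0"), [_lib("util", "2.1"), _lib("parser", "0.9")],
                    {"pkg:maven/org.example/json@1.0": ["pkg:maven/org.example/util@2.1",
                                                        "pkg:maven/org.example/parser@0.9"],
                     "pkg:maven/org.example/util@2.1": [],
                     "pkg:maven/org.example/parser@0.9": []})
ALL_EMPTY = _sbom(_lib("all", "1.0"), [], {"pkg:maven/org.example/all@1.0": []})


def aggregate_all() -> dict:
    """Rebuild the aggregate's SBOM from the module SBOMs it is meant to cover."""
    return merge_sboms(ALL_EMPTY["metadata"]["component"], [CORE, JSON_MODULE])


if __name__ == "__main__":
    for label, doc in (("core", CORE), ("json", JSON_MODULE), ("all", ALL_EMPTY)):
        print("{}: {} components{}".format(label, len(doc["components"]),
                                            "  <-- essentially empty" if is_essentially_empty(doc) else ""))
    print(json.dumps(aggregate_all(), indent=2))
```

Run as a script, it prints the per-module component counts (marking the aggregate as empty) followed by the merged SBOM. A check like `is_essentially_empty` is the cheap thing to wire into a release pipeline, since an aggregate artifact that ships an SBOM with zero components looks, to a scanner that does not resolve the underlying POMs, like software with no dependencies at all.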