[ https://issues.apache.org/jira/browse/LOG4J2-3354?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479761#comment-17479761 ]
Gary D. Gregory commented on LOG4J2-3354:
-----------------------------------------

What is the difference with the BOM POM we already publish?

> Publish an SBOM with Log4j
> --------------------------
>
> Key: LOG4J2-3354
> URL: https://issues.apache.org/jira/browse/LOG4J2-3354
> Project: Log4j 2
> Issue Type: New Feature
> Components: Build
> Reporter: Matt Sicker
> Priority: Major
>
> Log4j should publish a software bill of materials (SBOM) on each release to enable end users to more easily discover which versions of both Log4j and related dependencies are in use in their software. [Sonatype has a blog post explaining what an SBOM is|https://blog.sonatype.com/what-is-a-software-bill-of-materials], and OWASP has a tool called [CycloneDX|https://cyclonedx.org/] which has a [Maven plugin|https://github.com/CycloneDX/cyclonedx-maven-plugin] which we could potentially use for this.
>
> Open questions:
> * Do SBOM files get published to Maven Central as additional artifacts?
> * Do we add SBOM files to the source and binary archives?
> * Should the generated SBOM only include required dependencies? This last bit is less obvious since we're a library, so the end user can always override their full dependency tree when building their app.
>
> More options for generating an SBOM:
> * [https://github.com/opensbom-generator/spdx-sbom-generator]
> * [https://dependencytrack.org|https://dependencytrack.org/] - integrates with CycloneDX (all OWASP tools)
> * [https://github.com/AevaOnline/supply-chain-synthesis/blob/main/documents/list-projects.md] - larger list of relevant supply chain security tooling
>
> More information about what an SBOM is, related standards, etc.: [https://www.ntia.gov/SBOM]
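The consumer side of what the issue proposes, as an added example that is not code from the issue or from the Log4j project: a small reader for a CycloneDX JSON SBOM that answers "which Log4j version is in this build?" and separates required from optional components, which is the distinction behind the third open question. The SBOM below is constructed for the example (made-up versions); only the field names follow the CycloneDX JSON schema.

```python
import json

# Constructed sample CycloneDX JSON SBOM (not a real Log4j release artifact; versions are made up).
SAMPLE_BOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "group": "org.example",
                             "name": "my-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "1.2.3", "scope": "required",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@1.2.3"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "1.2.3", "scope": "required",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@1.2.3"},
    {"type": "library", "group": "com.lmax", "name": "disruptor",
     "version": "9.9.9", "scope": "optional",
     "purl": "pkg:maven/com.lmax/disruptor@9.9.9"}
  ]
}"""


def load_bom(text):
    """Parse a CycloneDX JSON document and index its components by Maven coordinate (group:name)."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    index = {}
    for comp in bom.get("components", []):
        key = f"{comp.get('group', '')}:{comp['name']}"
        # The CycloneDX spec says a consumer should assume "required" when scope is absent.
        index[key] = {"version": comp.get("version"), "scope": comp.get("scope", "required")}
    return index


def component_version(index, group, name):
    """Return the declared version of group:name, or None if the SBOM does not list it."""
    entry = index.get(f"{group}:{name}")
    return entry["version"] if entry else None


def components_by_scope(index, scope="required"):
    """Coordinates whose declared scope matches, e.g. only the required dependencies."""
    return sorted(k for k, v in index.items() if v["scope"] == scope)


if __name__ == "__main__":
    idx = load_bom(SAMPLE_BOM_JSON)
    print("log4j-core:", component_version(idx, "org.apache.logging.log4j", "log4j-core"))
    print("required:", components_by_scope(idx))
    print("optional:", components_by_scope(idx, "optional"))
```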