Hi Arnout,

Wow, great job! Until recently I had to upload SBOMs to Dependency
Track manually. I suppose you have some sort of script for that?

On Mon, 19 Feb 2024 at 15:20, Arnout Engelen <enge...@apache.org> wrote:
> More and more Apache projects are producing SBOMs as part of their release
> process. Challenges producing and consuming SBOMs are definitely on-topic
> for this list, and ideally we can consolidate that knowledge on the wiki[0]

The first challenge that comes to mind is what version of our
transitive dependencies libraries should specify in their SBOMs. I
stress the case of libraries, because for applications it is
easier: they list the libraries they embed in their distribution.

I am a big fan of Maven's dependency management, so whenever our
direct dependency `foo` depends on a vulnerable `bar-1.0.0`, I bump
the version of `bar` in the dependency management section of my
project to `1.0.1` and the problem is solved! My test suite will run
using `bar-1.0.1`, my SBOM will contain `bar-1.0.1` and Dependency
Track will not complain.

However, this is just a trick: users of my library will still have
`bar-1.0.0` on their classpath, unless they also bump the version of
`bar` or the `foo` project releases a version that depends on
`bar-1.0.1`.

There is also another solution in Maven: I could add `bar` as a direct
dependency of my project and bump its version to `1.0.1`. This way
users can also benefit from the version bump, but this adds additional
maintenance work: Dependabot will track new versions of `bar` and the
list of project dependencies becomes long and messy.

What do you think we should do in this case?

> If you know of any other projects to include, would like help setting up
> SBOM publishing for your project, contribute 'nightly' SBOM snapshots, or
> discuss other things SBOM, I'm all ears!

It would be nice to integrate Dependency Track into our release
process. If the process of uploading SBOMs to Dependency Track is
simplified, I could:

 * compile a snapshot,
 * check if there are dependency alerts (Dependabot gives us alerts
for direct dependencies, but not the transitive ones),
 * bump the vulnerable transitive dependency versions (if possible),
 * prepare a release candidate.

Piotr
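The two Maven approaches discussed above, side by side in one library POM, as an added illustration that is not part of Piotr's message or any Apache project's build. The coordinates `org.example:my-lib`, `org.example:foo` and `org.example:bar` and their version numbers are placeholders; only the `bar` 1.0.0 / 1.0.1 pairing comes from the message. In a real POM you would pick one of the two options, not both.

```xml
<!-- Added example, not from the original thread. Group and artifact ids
     are placeholders; "foo" is a direct dependency that transitively pulls
     in the vulnerable bar-1.0.0. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>my-lib</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <!-- Option 1: managed version. This pins bar to 1.0.1 for THIS project's
       build, test suite and generated SBOM only. A library's
       dependencyManagement is not inherited by the projects that depend on
       it, so a consumer's resolution still yields foo -> bar:1.0.0 unless
       the consumer manages bar too, or foo releases against 1.0.1. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>bar</artifactId>
        <version>1.0.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>foo</artifactId>
      <version>2.3.0</version> <!-- placeholder version; depends on bar:1.0.0 -->
    </dependency>

    <!-- Option 2: direct dependency. In a consumer's graph bar now sits at
         depth 2 (consumer -> my-lib -> bar:1.0.1) instead of depth 3
         (consumer -> my-lib -> foo -> bar:1.0.0), so Maven's nearest-wins
         mediation selects 1.0.1 for consumers as well. The cost is that bar
         becomes a tracked dependency of my-lib (Dependabot updates, a longer
         dependency list). -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>bar</artifactId>
      <version>1.0.1</version>
    </dependency>
  </dependencies>
</project>
```

To confirm which version actually wins in a given build, `mvn dependency:tree -Dverbose -Dincludes=org.example:bar` prints the selected `bar` node and marks the omitted duplicates with the reason (managed version or conflict), which is the same resolved graph the CycloneDX Maven plugin serializes into the SBOM. Running that command in a small consumer project that depends on `my-lib` is the quickest way to see the difference between the two options.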
