Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
Description
A Software Bill of Materials (SBOM) is an additional artifact that lists the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), and [Software Package Data Exchange® (SPDX)](https://spdx.dev/).
Avro should cover this for all the artifacts we publish. The ASF does not yet have a preferred standard; if it chooses one, we will adopt that one.
https://cwiki.apache.org/confluence/display/COMDEV/SBOM
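As an added example (not part of this issue or of the Avro project's code), a small Python check over a constructed CycloneDX JSON document: it separates the direct dependencies of the root component from the transitive ones, which is what a consumer of a published SBOM would use to inventory the artifact, and it flags dependency-graph references that have no component entry, a sign that the BOM is incomplete. The purl-style `bom-ref` values are made up.

```python
import json
from collections import deque

# Constructed CycloneDX 1.4 JSON document (sample data, not a real Avro BOM).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0", "name": "app"}},
    "components": [
        {"bom-ref": "pkg:maven/example/lib-a@1.0", "name": "lib-a", "version": "1.0"},
        {"bom-ref": "pkg:maven/example/lib-b@2.0", "name": "lib-b", "version": "2.0"},
        {"bom-ref": "pkg:maven/example/lib-c@3.1", "name": "lib-c", "version": "3.1"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/app@1.0", "dependsOn": ["pkg:maven/example/lib-a@1.0"]},
        {"ref": "pkg:maven/example/lib-a@1.0", "dependsOn": ["pkg:maven/example/lib-b@2.0"]},
        {"ref": "pkg:maven/example/lib-b@2.0", "dependsOn": ["pkg:maven/example/lib-c@3.1"]},
        {"ref": "pkg:maven/example/lib-c@3.1", "dependsOn": []},
    ],
})


def classify_dependencies(bom_text):
    """Return (direct, transitive) sets of bom-refs reachable from the root component."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = bom["metadata"]["component"]["bom-ref"]
    # The "dependencies" array is the adjacency list of the dependency graph.
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    seen, queue = set(), deque(direct)
    while queue:  # breadth-first walk; "seen" guards against cycles
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return direct, seen - direct


def unlisted_refs(bom_text):
    """Refs used in the dependency graph that have no component entry (incomplete BOM)."""
    bom = json.loads(bom_text)
    declared = {c["bom-ref"] for c in bom.get("components", [])}
    declared.add(bom["metadata"]["component"]["bom-ref"])
    referenced = set()
    for d in bom.get("dependencies", []):
        referenced.add(d["ref"])
        referenced.update(d.get("dependsOn", []))
    return referenced - declared
```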
Attachments

| # | Summary | Status | Assignee |
|---|---|---|---|
| 1 | Publish Java SBOM artifacts with CycloneDX | Resolved | Dongjoon Hyun |