Log4j 2 / LOG4J2-3354

Publish an SBOM with Log4j


Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Build
    • Labels: None

    Description

      Log4j should publish a software bill of materials (SBOM) on each release to enable end users to more easily discover which versions of both Log4j and its related dependencies are in use in their software. Sonatype has a blog post explaining what an SBOM is, and OWASP has a project called CycloneDX, which has a Maven plugin that we could potentially use for this.

      Open questions:

      • Do SBOM files get published to Maven Central as additional artifacts?
      • Do we add SBOM files to the source and binary archives?
      • Should the generated SBOM only include required dependencies? This last bit is less obvious since we're a library, so the end user can always override their full dependency tree when building their app.

      More options for generating an SBOM:

      More information about what an SBOM is, related standards, etc.: https://www.ntia.gov/SBOM
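      As an added example (not configuration from the Log4j project or from this issue), the CycloneDX Maven plugin mentioned above could be wired into a module's pom.xml roughly as follows. The plugin version and the output name are illustrative assumptions; the parameter names are the cyclonedx-maven-plugin's own, and the scope switches are where the "required dependencies only" question from the list above gets decided.

```xml
<!-- Added example, not Log4j project configuration: generate a CycloneDX
     SBOM with the OWASP cyclonedx-maven-plugin during the package phase.
     The plugin version and outputName below are illustrative assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.7.9</version> <!-- assumed; use the current release -->
      <configuration>
        <!-- Log4j is a library, not an application: the consumer's build,
             not ours, fixes the final dependency tree. -->
        <projectType>library</projectType>
        <schemaVersion>1.4</schemaVersion>
        <!-- A serial number makes each build's BOM uniquely identifiable. -->
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <!-- Scope selection: keep everything that can land on a consumer's
             classpath, drop test-only dependencies that never ship. -->
        <includeCompileScope>true</includeCompileScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <!-- Emit both bom.xml and bom.json under target/. -->
        <outputFormat>all</outputFormat>
        <outputName>bom</outputName>
        <outputDirectory>${project.build.directory}</outputDirectory>
      </configuration>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <!-- makeBom: one BOM per module. makeAggregateBom in the parent
                 POM instead produces a single BOM for the whole reactor. -->
            <goal>makeBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

      With this in place, `mvn package` writes target/bom.xml and target/bom.json for the module. Assuming the plugin's default attach behaviour (it attaches the BOM to the module as an additional artifact with the `cyclonedx` classifier unless skipAttach is set), `mvn deploy` would then push the BOM to Maven Central next to the jar, which addresses the first open question; copying it into the source and binary archives would be a separate step in the distribution assembly.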

          People

            Assignee: Unassigned
            Reporter: Matt Sicker (mattsicker)
            Votes: 0
            Watchers: 4

            Dates

              Created:
              Updated: