Description
Log4j should publish a software bill of materials (SBOM) on each release so that end users can more easily discover which versions of Log4j and its related dependencies are in use in their software. Sonatype has a blog post explaining what an SBOM is, and OWASP has a project called CycloneDX which provides a Maven plugin that we could potentially use for this.
Open questions:
- Do SBOM files get published to Maven Central as additional artifacts?
- Do we add SBOM files to the source and binary archives?
- Should the generated SBOM only include required dependencies? This last point is less obvious since Log4j is a library, so the end user can always override the full dependency tree when building their application.
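As an added example (not taken from the Log4j build, and not a configuration the project has settled on), this `pom.xml` fragment shows how the CycloneDX Maven plugin could be wired in to generate an SBOM at package time; the plugin version is a placeholder, and the scope flags are one possible answer to the "required dependencies only" question above:

```xml
<!-- Constructed example: pom.xml fragment for the cyclonedx-maven-plugin.
     The plugin version is a placeholder; use the current release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <executions>
        <execution>
          <id>generate-sbom</id>
          <!-- Run after the jar is built so the SBOM describes the released artifact. -->
          <phase>package</phase>
          <goals>
            <!-- makeBom: one SBOM per module; makeAggregateBom: one for the whole reactor. -->
            <goal>makeBom</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Log4j is a library, not an application. -->
        <projectType>library</projectType>
        <!-- "Required dependencies only": list what a consumer actually pulls in
             transitively (compile + runtime) and leave out build-only scopes. -->
        <includeCompileScope>true</includeCompileScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeProvidedScope>false</includeProvidedScope>
        <includeSystemScope>false</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <includeLicenseText>false</includeLicenseText>
        <!-- Emit both bom.xml and bom.json under target/. -->
        <outputFormat>all</outputFormat>
        <outputName>bom</outputName>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The plugin attaches the generated BOM to the build as an additional artifact, which is what lets `mvn deploy` publish it to Maven Central next to the jar; copying it into the source and binary archives would be a separate assembly step.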
More options for generating an SBOM:
- https://github.com/opensbom-generator/spdx-sbom-generator
- https://dependencytrack.org - integrates with CycloneDX (all OWASP tools)
- https://github.com/AevaOnline/supply-chain-synthesis/blob/main/documents/list-projects.md - larger list of relevant supply chain security tooling
More information about what an SBOM is, related standards, etc.: https://www.ntia.gov/SBOM