Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
Description
It would be nice if Solr published an SBOM (Software Bill of Materials) for its artifacts. An SBOM gives an overview of the components included in the artifact, which is useful, for example, to scanner software that looks for dependencies with potential security vulnerabilities.
Such consumers of the SBOM should probably combine it with the VEX published for Solr (https://solr.apache.org/security.html#vex) to avoid getting reports for known false positives.
A draft PR as a starting point for this is at https://github.com/apache/solr/pull/1203
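As an added example (not code from the linked PR or from Solr's own tooling), this is the consumer-side step described above: reconciling scanner findings against the SBOM and the VEX so that known false positives are suppressed while everything else stays actionable. The CycloneDX JSON shape, the package URLs and the CVE ids are all constructed assumptions.

```python
import json

# Constructed sample SBOM in CycloneDX shape (assumed format); not Solr's real SBOM.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"type": "library", "name": "lib-a", "purl": "pkg:maven/org.example/lib-a@1.0"},
    {"type": "library", "name": "lib-b", "purl": "pkg:maven/org.example/lib-b@2.3"},
]})

# Constructed VEX in CycloneDX VEX shape (assumed); the CVE ids are placeholders, not real CVEs.
VEX_JSON = json.dumps({"bomFormat": "CycloneDX", "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:maven/org.example/lib-a@1.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:maven/org.example/lib-b@2.3"}],
     "analysis": {"state": "exploitable"}},
]})

# Constructed scanner output: (vulnerability id, package URL) pairs a scanner derived from the SBOM.
SCANNER_FINDINGS = [
    ("CVE-0000-0001", "pkg:maven/org.example/lib-a@1.0"),
    ("CVE-0000-0002", "pkg:maven/org.example/lib-b@2.3"),
    ("CVE-0000-0003", "pkg:maven/org.example/lib-b@2.3"),  # no VEX statement yet
    ("CVE-0000-0004", "pkg:maven/org.example/lib-z@9.9"),  # component the SBOM never listed
]
# CycloneDX analysis states under which a finding can be treated as a known false positive.
SUPPRESSIBLE_STATES = {"not_affected", "false_positive"}


def sbom_purls(sbom_json):
    """Return the set of package URLs declared in the SBOM."""
    return {c["purl"] for c in json.loads(sbom_json).get("components", []) if "purl" in c}


def vex_states(vex_json):
    """Map (vulnerability id, package URL) to the analysis state the VEX asserts for it."""
    states = {}
    for v in json.loads(vex_json).get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state")
        for affected in v.get("affects", []):
            states[(v["id"], affected["ref"])] = state
    return states


def triage(findings, sbom_json, vex_json):
    """Split findings into (actionable, suppressed); each entry carries the reason."""
    purls, states = sbom_purls(sbom_json), vex_states(vex_json)
    actionable, suppressed = [], []
    for vuln_id, purl in findings:
        # A finding for a purl absent from the SBOM is itself suspect and is never suppressed.
        state = "not_in_sbom" if purl not in purls else states.get((vuln_id, purl), "no_vex_statement")
        (suppressed if state in SUPPRESSIBLE_STATES else actionable).append((vuln_id, purl, state))
    return actionable, suppressed
```

Findings with no VEX statement stay actionable on purpose: the VEX can only suppress what it explicitly asserts about.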
Issue Links
- split to: SOLR-17328 Publish SBOMs for Solr binary artifacts (Open)