[AVRO-3700] Publish Java SBOM artifacts with CycloneDX - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Sub-task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.12.0
Fix Version/s: 1.12.0, 1.11.2
Component/s: build
Labels:
- pull-request-available

Description

Why are the changes needed?

Here is an article to give some context.

https://www.activestate.com/blog/why-the-us-government-is-mandating-software-bill-of-materials-sbom/

Software Bill of Materials (SBOM) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely: [CycloneDX](https://cyclonedx.org/), [Software Identification (SWID) tag](https://csrc.nist.gov/projects/Software-Identification-SWID), [Software Package Data Exchange® (SPDX)](https://spdx.dev/).

This PR uses [CycloneDX maven plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin), a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

Attachments

Issue Links

relates to

FLINK-30578 Publish SBOM artifacts

In Progress

PARQUET-2224 Publish SBOM artifacts

Resolved

SPARK-41893 Publish SBOM artifacts

Resolved

ORC-1342 Publish SBOM artifacts

Closed

links to

GitHub Pull Request #2046

GitHub Pull Request #2049

(1 links to)

Activity

People

Assignee:: Dongjoon Hyun

Reporter:: Dongjoon Hyun

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/Jan/23 18:11

Updated:: 25/May/23 18:41

Resolved:: 06/Jan/23 08:29

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 50m