SOLR-16796

Publish an SBOM for Solr artifacts

Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Component: Build

    Description

      It would be nice if Solr published an 'SBOM' (Software Bill of Materials) for its artifacts. An SBOM gives an overview of the components included in the artifact, which can be useful, for example, for scanner software that looks for dependencies with potential security vulnerabilities.

      Such consumers of the SBOM should probably combine it with the VEX published for Solr (https://solr.apache.org/security.html#vex) to avoid getting reports for known false positives.

      A draft PR as a starting point for this is at https://github.com/apache/solr/pull/1203.
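As an added example (not code from this issue or the draft PR), a small Python consumer that does what the description suggests: it reads a CycloneDX-style SBOM and a CycloneDX-style VEX and sorts a scanner's findings into actionable, VEX-suppressed and not-in-SBOM buckets. All documents, component names and CVE ids below are constructed placeholders, and the VEX `affects.ref` values are assumed to be the component purls.

```python
import json

# Constructed CycloneDX-style SBOM fragment (illustrative, not Solr's real SBOM).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
 {"name": "example-lib-a", "version": "1.0.0", "purl": "pkg:maven/org.example/example-lib-a@1.0.0"},
 {"name": "example-lib-b", "version": "2.3.1", "purl": "pkg:maven/org.example/example-lib-b@2.3.1"}]}"""

# Constructed CycloneDX-style VEX fragment: the vendor states that one known
# vulnerability does not affect the product because the code is not reachable.
VEX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "vulnerabilities": [
 {"id": "CVE-0000-00001", "affects": [{"ref": "pkg:maven/org.example/example-lib-a@1.0.0"}],
  "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]}"""

# Constructed findings a dependency scanner might emit for the components above.
SCAN_FINDINGS = [
    {"purl": "pkg:maven/org.example/example-lib-a@1.0.0", "id": "CVE-0000-00001"},
    {"purl": "pkg:maven/org.example/example-lib-b@2.3.1", "id": "CVE-0000-00002"},
    {"purl": "pkg:maven/org.example/not-in-sbom@9.9.9", "id": "CVE-0000-00003"},
]

def sbom_purls(sbom):
    """Package URLs of every component the SBOM declares."""
    return {c["purl"] for c in sbom.get("components", []) if "purl" in c}

def vex_not_affected(vex):
    """(vulnerability id, component ref) pairs the VEX analysis marks not_affected."""
    pairs = set()
    for v in vex.get("vulnerabilities", []):
        if v.get("analysis", {}).get("state") == "not_affected":
            pairs.update((v["id"], a["ref"]) for a in v.get("affects", []))
    return pairs

def triage(findings, sbom, vex):
    """Split findings into actionable, VEX-suppressed, and not-in-SBOM lists."""
    known, suppressed_pairs = sbom_purls(sbom), vex_not_affected(vex)
    actionable, suppressed, unknown = [], [], []
    for f in findings:
        if f["purl"] not in known:
            unknown.append(f)          # scanner reported a component the SBOM does not list
        elif (f["id"], f["purl"]) in suppressed_pairs:
            suppressed.append(f)       # vendor VEX says not affected: known false positive
        else:
            actionable.append(f)
    return actionable, suppressed, unknown

def triage_sample():
    """Run the triage on the constructed data and return the ids in each bucket."""
    a, s, u = triage(SCAN_FINDINGS, json.loads(SBOM_JSON), json.loads(VEX_JSON))
    return tuple([f["id"] for f in bucket] for bucket in (a, s, u))
```

Findings that survive as actionable are the ones neither covered by a vendor not_affected statement nor orphaned from the SBOM, which is what a scanner report should be reduced to before anyone is paged.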

People

    Assignee: Unassigned
    Reporter: Arnout Engelen