-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate SBOMs for Egeria (all repos) #6621
Comments
Observation: Sonatype Life (which scans our code) can generate CycloneDX SBOMs with vulnarability information. See https://lift.sonatype.com/results/github.com/odpi/egeria/01G5PTAEMBCH6PTJ4F8GFTVQAV?tab=dependencies |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 20 days if no further activity occurs. Thank you for your contributions. |
See also https://github.blog/2023-03-28-introducing-self-service-sboms/ & referenced actions |
Is there an existing issue for this?
Please describe the new behavior that that will improve Egeria
SBOMs (Software Bill of Materials) can include information about
as part of the information on the software supply chain. See https://en.wikipedia.org/wiki/Software_supply_chain
SBOMs should be associated with each deliverable - for example maven artifact, distribution, container. They also must be signed
The two main formats are:
Tooling is available for a variety of languages, though it is still very much work in progress.
Organizations are increasingly focussing on software supply chain, so we need to look at what some (small) steps are that we can take in Egeria to make this easier.
Creation of SBOMs has been one suggestion - this may involve either build-time creation through a maven/gradle plugin, or use of external tools.
Alternatives
No response
Any Further Information?
No response
Would you be prepared to be assigned this issue to work on?
The text was updated successfully, but these errors were encountered: