Today there are different ways in which SBOMs can be created, but it looks like the CycloneDX format is used more often than anything else. Based on that, the Maven plugin that creates SBOMs in that format is quite popular (https://github.com/CycloneDX/cyclonedx-maven-plugin). From a supply-chain security perspective, SBOM support is a must in the near future. Therefore we need a good solution for SBOMs that are created by Maven. Today that can be the CycloneDX plugin. Sadly, an SBOM created with that plugin misses a lot of metadata about the build tools used. For a full SBOM that information is a must. Based on that, we need to add information about Maven and all plugins used in a build so that it can be added to an SBOM created by CycloneDX.
Based on discussion #1
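As an added illustration of what the issue asks for (this is example code, not part of the issue or of the cyclonedx-maven-plugin), the script below takes a CycloneDX 1.4 JSON SBOM and records Maven itself and the build plugins in its `metadata.tools` list. The SBOM, the plugin inventory and all version numbers are constructed sample values; in a real build the inventory would come from the project's resolved build plugins.

```python
"""Enrich a CycloneDX JSON SBOM with the Maven build tools used.
Added example; not code from the issue or from cyclonedx-maven-plugin.
All sample values below are constructed for illustration."""
import copy
import json

# Constructed minimal CycloneDX 1.4 document, shaped like plugin output.
# Version numbers are hypothetical.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "tools": [
            {"vendor": "OWASP Foundation", "name": "CycloneDX Maven plugin",
             "version": "0.0.0-example"},
        ],
        "component": {"type": "library", "group": "com.example",
                      "name": "app", "version": "1.0.0"},
    },
    "components": [],
}

# Constructed build-tool inventory: Maven plus the plugins a build resolved.
BUILD_TOOLS = [
    {"vendor": "org.apache.maven", "name": "maven-core", "version": "3.x-example"},
    {"vendor": "org.apache.maven.plugins", "name": "maven-compiler-plugin", "version": "3.x-example"},
    {"vendor": "org.apache.maven.plugins", "name": "maven-surefire-plugin", "version": "3.x-example"},
]


def add_build_tools(sbom, tools):
    """Return a copy of sbom with each tool appended to metadata.tools.
    Entries already present (same vendor, name, version) are skipped, so
    running the step twice does not duplicate them."""
    out = copy.deepcopy(sbom)
    existing = out.setdefault("metadata", {}).setdefault("tools", [])
    seen = {(t.get("vendor"), t.get("name"), t.get("version")) for t in existing}
    for t in tools:
        key = (t.get("vendor"), t.get("name"), t.get("version"))
        if key in seen:
            continue
        existing.append({"vendor": t.get("vendor"), "name": t["name"], "version": t.get("version")})
        seen.add(key)
    return out


def tool_names(sbom):
    """Names listed under metadata.tools, in document order."""
    return [t["name"] for t in sbom.get("metadata", {}).get("tools", [])]


if __name__ == "__main__":
    print(json.dumps(add_build_tools(SAMPLE_SBOM, BUILD_TOOLS)["metadata"]["tools"], indent=2))
```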