[Feature Request] Create and release SBOMs for OpenSearch artifacts #16745
Labels
Build
Build Tasks/Gradle Plugin, groovy scripts, build tools, Javadoc enforcement.
enhancement
Enhancement or improvement to existing feature or request
Is your feature request related to a problem? Please describe
Hey everyone! Maybe you've heard of SBOMs before - if not, it's a Software Bill of Materials listing all dependencies including versions that a project is using. This allows users to quickly check if they are affected when info about a new vulnerability is released.
Some more info can be found here:
https://thenewstack.io/sbom-everywhere-the-openssf-plan-for-sboms/
https://cwiki.apache.org/confluence/display/COMDEV/SBOM
Describe the solution you'd like
There's an excellent Gradle plugin (https://github.com/CycloneDX/cyclonedx-gradle-plugin) that produces such SBOMs during the build process with lots of custom settings. These SBOMs can then be bundled with the released artifacts. JSON would be my preferred format.
Ideally this would be done for every component (OpenSearch, OS Dashboards etc), please let me know if I should open copies of this issue there as well.
Related component
Build
Describe alternatives you've considered
None
Additional context
No response
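As an added illustration (not from the issue author and not part of the OpenSearch build), this Gradle fragment shows the CycloneDX plugin configured to emit a JSON SBOM for the runtime dependency graph and hook it into `assemble` so the file is produced alongside the release artifacts. The plugin version, the `application` project type and the output location are assumptions.

```groovy
// build.gradle (Groovy DSL) - hypothetical example, not the OpenSearch build script
plugins {
    id 'java'
    // Version is an assumption; pin it to a release you have verified.
    id 'org.cyclonedx.bom' version '1.8.2'
}

cyclonedxBom {
    // Only the dependencies that actually ship: this keeps the SBOM
    // free of test-only and compile-only artifacts.
    includeConfigs = ['runtimeClasspath']
    skipConfigs = ['compileClasspath', 'testCompileClasspath', 'testRuntimeClasspath']

    // Defaults to 'library'; a server distribution is an application.
    projectType = 'application'

    // CycloneDX specification version to write (assumption: 1.5 is acceptable to consumers).
    schemaVersion = '1.5'

    // JSON only, as requested in the issue. 'all' would also write XML.
    outputFormat = 'json'

    // Output path: build/reports/bom.json (destination/outputName are plugin defaults).
    destination = file('build/reports')
    outputName = 'bom'

    // A serial number makes each generated BOM unique; license text is bulky and
    // usually not needed for vulnerability matching, so leave it out.
    includeBomSerialNumber = true
    includeLicenseText = false
}

// Generate the SBOM whenever the artifacts are assembled, so it cannot be forgotten
// at release time and always describes the dependency set of that exact build.
tasks.named('assemble') {
    dependsOn 'cyclonedxBom'
}

// Publish the SBOM next to the jar so consumers fetch it from the same coordinates
// (the 'cyclonedx' classifier is a common convention, not a plugin requirement).
publishing {
    publications {
        maven(MavenPublication) {
            from components.java
            artifact(layout.buildDirectory.file('reports/bom.json')) {
                classifier = 'cyclonedx'
                extension = 'json'
                builtBy tasks.named('cyclonedxBom')
            }
        }
    }
}
```

Run `./gradlew assemble` and inspect `build/reports/bom.json`; the `components` array lists each runtime dependency with its `purl`, which is what vulnerability scanners match against.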