We are collecting documentation on how to use SBOM within Apache at the Software Bill of Materials SBOM page.

WH Theme: SBOMS /  Notifications

Other background:

Draft ASF Position:

  • SBOMs needs to be automatically generated for builds at build time
  • SBOMs need to be signed with the same keys used for releases, in the same way (detached signature, detached hash)
  • SBOMs are expected to be static to the given release, must never be changed after release
  • SBOMs need to be useful (i.e. can be parsed, machine readable by current/future tools)


  • No labels