We are collecting documentation on how to use SBOM within Apache at the SBOM Software Bill of Materials page.
WH Theme: SBOMS / Notifications
- Look at OpenSSF SLSA/SBOM work (SLSA). See also mail from GOSST
- Look at https://github.com/ossf/wg-security-tooling
- https://github.com/spdx/spdx-maven-plugin
- See security-discuss mailing list discussion
Other background:
- SBOM section at https://openssf.org/oss-security-mobilization-plan/ based on WH and other meetings
- CSRB report on Log4j mentions some current issues, limitations, and recommendations https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
Draft ASF Position:
- SBOMs need to be generated automatically as part of the build, at build time
- SBOMs need to be signed with the same keys used for releases, in the same way (detached signature, detached hash)
- SBOMs are expected to be static for a given release and must never be changed after release
- SBOMs need to be useful (i.e., parseable and machine-readable by current and future tools)
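An added example (not ASF or any project's code) of what the last three points mean in practice for someone verifying a release: it writes a constructed minimal CycloneDX JSON SBOM together with a detached .sha512 file, checks that the hash file matches and names the artifact, parses the document as CycloneDX, and then shows that a post-release edit of the SBOM is caught by the hash check. The artifact name and the two-space sha512sum line layout are assumptions; the detached GPG signature (.asc) is checked with gpg --verify exactly as for any other release artifact and is not reproduced here because it needs a keyring.

```python
"""Checks for a released SBOM: detached hash matches, document parses as
CycloneDX, and a later modification of the SBOM is detected."""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed minimal CycloneDX 1.4 document; not a real project's SBOM.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "purl": "pkg:maven/org.example/example-lib@1.0.0"},
    ],
}


def write_release_files(directory, artifact_name, sbom):
    """Write the SBOM and its detached .sha512 sidecar ("<hash>  <name>" layout, assumed)."""
    path = Path(directory) / artifact_name
    data = json.dumps(sbom, indent=2, sort_keys=True).encode()
    path.write_bytes(data)
    digest = hashlib.sha512(data).hexdigest()
    Path(str(path) + ".sha512").write_text(f"{digest}  {artifact_name}\n")
    return path


def verify_detached_hash(artifact_path):
    """True if the .sha512 sidecar names this artifact and matches its bytes."""
    artifact_path = Path(artifact_path)
    line = Path(str(artifact_path) + ".sha512").read_text().strip()
    expected, _, named = line.partition("  ")
    actual = hashlib.sha512(artifact_path.read_bytes()).hexdigest()
    return named == artifact_path.name and actual == expected


def parse_cyclonedx(artifact_path):
    """Return the component purls (or names) of a CycloneDX JSON SBOM.
    Raises ValueError if the file is not a CycloneDX document, which is the
    'machine readable by tools' requirement stated in the position above."""
    doc = json.loads(Path(artifact_path).read_text())
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX document")
    return [c.get("purl") or c["name"] for c in doc.get("components", [])]


def check_release(directory=None, artifact_name="example-1.0.0-cyclonedx.json"):
    """Write a constructed release, verify it, then simulate a post-release edit
    of the SBOM and confirm the detached hash no longer verifies."""
    directory = directory or tempfile.mkdtemp()
    path = write_release_files(directory, artifact_name, SAMPLE_SBOM)
    hash_ok = verify_detached_hash(path)
    purls = parse_cyclonedx(path)
    # An SBOM must be static after release: any later change must be detectable.
    tampered = dict(SAMPLE_SBOM, components=[])
    path.write_text(json.dumps(tampered, indent=2, sort_keys=True))
    tampered_detected = not verify_detached_hash(path)
    return {"hash_ok": hash_ok, "purls": purls, "tampered_detected": tampered_detected}


if __name__ == "__main__":
    print(check_release())
```

The same hash check applies unchanged to whatever the build produces (a Maven or Gradle CycloneDX plugin output, XML or JSON); only parse_cyclonedx is format-specific.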
Questions
- What type of projects/builds should include SBOMs?
- What format should be used (e.g., SPDX, CycloneDX)?
- What projects are interested in working on this?
  - Airflow (Python, CycloneDX, merged)
  - ARROW Java: Publish SBOM artifacts (Maven, CycloneDX, published)
  - AVRO-3700: Publish SBOM artifacts (Maven, CycloneDX)
  - Commons https://github.com/apache/commons-parent/pull/122 (Maven, CycloneDX, published for some)
  - DRUID: Publish SBOM artifacts (Maven, CycloneDX, merged)
  - FLINK-30578: Publish SBOM artifacts (Maven, CycloneDX, published)
  - GROOVY-10993: Produce and publish CycloneDX SBOM artifacts (Gradle, CycloneDX, published)
  - HADOOP-18590. Publish SBOM artifacts (Maven, CycloneDX, published)
  - HIVE-26912: Publish SBOM artifacts (Maven, CycloneDX, merged)
  - HBASE-27562 Publish SBOM artifacts (Maven, CycloneDX, published)
  - Maven MPOM-346: publish SBOM on release (Maven, CycloneDX, published)
  - ORC-1342: Publish SBOM artifacts (Maven, CycloneDX, published)
  - PARQUET-2224: Publish SBOM artifacts (Maven, CycloneDX, published)
  - SPARK-41893: Publish SBOM artifacts (Maven, CycloneDX, published)
  - SOLR-16796: Publish an SBOM for Solr artifacts (Gradle, CycloneDX, not published)
  - SYNCOPE-1746: Provide Software Bill Of Materials (SBOM) (Maven, CycloneDX, published)
  - Tomcat
  - ZOOKEEPER-4657: Publish SBOM artifacts (Maven, CycloneDX, published)
- How to deal with multi-language projects? (like arrow, avro, logging, parquet, spark, ...)