Build and publish SBOM?

[stuebingerb]

No description provided.

[mervyn-mccreight]

I plan to submit the dependencies using the dependency-submission API.
This way all dependencies will be visible in the respective view in GitHub.

Would that be sufficient?

[stuebingerb]

Dependency API is surely a good start but I think it might be easier to consume if the SBOM is part of the published artifact. Not sure if the dependency API can generate an SBOM for arbitrary releases (and in case of an incident you want to know the used versions as exactly as possible).

[mervyn-mccreight]

if the SBOM is part of the published artifact

Oh, is this a thing now? Do you know if there is a standard way of doing that (I'm looking for information about where to locate it exactly for publishing it).

[stuebingerb]

Haven't thought that far yet.

Jetty seems to put it in the root of the jar (jetty/jetty.project#9502, while also discussing a dedicated maven artifact), the GitHub action mentioned in https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api seems to add it to the GitHub release (only?), SUSE has separate files on their download page (https://www.suse.com/download/sles/), and Spring Boot seems to include them in their uber-jar (https://spring.io/blog/2024/05/24/sbom-support-in-spring-boot-3-3).