[ODLPARENT-280] Generate an SBOM for artifacts
Created: 24/Feb/22 Updated: 20/Oct/22 Resolved: 24/Feb/22
| Status: | Resolved |
| Project: | odlparent |
| Component/s: | General |
| Affects Version/s: | None |
| Fix Version/s: | 10.0.0, 9.0.16 |
| Type: | New Feature | Priority: | Medium |
| Reporter: | Robert Varga | Assignee: | Robert Varga |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
As part of improving OpenDaylight's inputs into supply chain security, generate an SBOM for all artifacts built by Maven, so they can be signed and published to Maven Central.
| Comments |
| Comment by Robert Varga [ 24/Feb/22 ] |
Integrating cyclonedx-maven-plugin seems super easy. The metadata seems to be properly attached to build artifacts and signed by Sigul in stage jobs. Unless something crops up, this job is done.