Status: Open (0 of 4 sub-issues completed)
Labels: build/environment (relevant to the build environment), good first issue, help wanted, kind/wish
Description
Intro
To improve software supply-chain transparency and to better support downstream users, a CI-driven SBOM and vulnerability scanning pipeline would be very welcome.
To complete this, the release process should be updated so that we publish a signed SBOM as part of an official release.
If feasible, it would also be valuable to backport this approach and create a Celix 2.4.x release that includes an SBOM.
Background
The EU Cyber Resilience Act (CRA) has been introduced. While open-source projects without a commercial service offering are not required to:
- provide SBOMs,
- fix vulnerabilities, or
- offer SLAs or continuous monitoring,
it is still beneficial for downstream users if we can offer transparent dependency information.
Providing:
- an SBOM (generated in CI and published with releases), and
- an initial vulnerability scan
Scope
This issue will be split into the following four sub-issues:
- Generate an SBOM as part of the CI pipeline
- Add vulnerability scanning based on the generated SBOM
- Update the release process to include a signed SBOM alongside released source artifacts
- Backport the SBOM generation and create a Celix 2.4.x release including an SBOM
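The four sub-issues above are essentially one CI job. As an added illustration (not part of this issue or of the Celix repository), the GitHub Actions workflow below generates a CycloneDX SBOM of the checked-out source tree, fails the job if the SBOM contains components with known vulnerabilities at or above a chosen severity, and signs the SBOM keylessly with Sigstore so it can be published next to the source release. Tool choice (syft via anchore/sbom-action, grype via anchore/scan-action, cosign via sigstore/cosign-installer), the file name celix-sbom.cdx.json, the severity cutoff and the tag trigger are all assumptions for this example; the project may prefer other tools or an SPDX output.

```yaml
# Added example workflow, not the project's own CI definition.
# Assumed file name: .github/workflows/sbom.yml
name: sbom

on:
  push:
    tags: ['v*']        # assumption: release tags look like v2.4.1
  workflow_dispatch:

permissions:
  contents: read
  id-token: write       # needed for keyless (OIDC) signing with cosign

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # 1. Generate an SBOM as part of the CI pipeline.
      #    syft catalogs what it finds in the tree (e.g. a Conan lockfile);
      #    the output file name is an assumption for this example.
      - name: Generate CycloneDX SBOM
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: celix-sbom.cdx.json
          upload-artifact: false

      # 2. Vulnerability scan based on the generated SBOM (not a rescan of
      #    the tree), so the scan and the published SBOM agree.
      - name: Scan SBOM for known vulnerabilities
        uses: anchore/scan-action@v3
        with:
          sbom: celix-sbom.cdx.json
          fail-build: true
          severity-cutoff: high   # assumption: block the job on high/critical

      # 3. Sign the SBOM so downstream users can verify who produced it.
      #    Keyless signing ties the signature to this workflow's OIDC identity.
      - uses: sigstore/cosign-installer@v3
      - name: Sign SBOM (Sigstore bundle)
        run: |
          cosign sign-blob --yes \
            --bundle celix-sbom.cdx.json.sigstore.json \
            celix-sbom.cdx.json

      # 4. Publish SBOM and signature bundle alongside the release artifacts.
      - uses: actions/upload-artifact@v4
        with:
          name: celix-sbom
          path: |
            celix-sbom.cdx.json
            celix-sbom.cdx.json.sigstore.json
```

Two practical notes. First, for a C project built with CMake, an SBOM taken from the source tree only lists dependencies that appear in a manifest the cataloger understands (such as a Conan lockfile); system libraries pulled in at build time are not seen, so the SBOM should be generated from the same dependency declaration the release build uses. Second, a downstream user verifies the published pair with cosign verify-blob, passing the bundle file plus the expected certificate identity (the workflow's repository path) and the GitHub OIDC issuer; without pinning those two values a signature from any public workflow would pass, which defeats the purpose of signing.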