- Story
- Resolution: Done
- Normal
*.jar packages built by Jenkins have pretty much no usable metadata; results from a set of ONAP images are here: https://wiki.onap.org/display/DW/2022/03/03/Manifests+for+jar+packages+improvement
The minimal information we need for SBoMs (required for all projects sold to the US federal government):
- uniquely identify the package (name, version)
- what it was built from (e.g. git URL + commit SHA)
- license tag and a license file (in the package, not in the manifest)
- we should handle copyrights too; I'm unsure how those should be published (maybe there is some plugin that could gather the copyright notices from code files and create a nice list)
This was brought up on the PTL call on 28.02.
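Added example, not part of this ticket or of any ONAP/LF tooling: a small Python checker that opens a built jar and reports which of the items listed above are missing. Implementation-Title, Implementation-Version and Bundle-License are standard manifest headers; the Git-Url and Git-Commit attribute names and the license file paths are assumptions made for this example.

```python
import io
import re
import zipfile

# Main-section attributes a jar should carry to be usable in an SBoM.
# Git-Url / Git-Commit are assumed names for this example, not an existing convention.
REQUIRED_ATTRS = ("Implementation-Title", "Implementation-Version",
                  "Git-Url", "Git-Commit", "Bundle-License")
LICENSE_FILES = ("META-INF/LICENSE", "META-INF/LICENSE.txt")  # assumed locations
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF.

    Per the jar spec a line starting with a single space continues the
    previous attribute value; a blank line ends the main section."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def sbom_gaps(jar_bytes):
    """Return a list of unmet SBoM requirements for a jar (empty list means OK)."""
    gaps = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        attrs = {}
        if "META-INF/MANIFEST.MF" in names:
            attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    gaps += ["missing " + k for k in REQUIRED_ATTRS if not attrs.get(k)]
    if attrs.get("Git-Commit") and not SHA_RE.match(attrs["Git-Commit"]):
        gaps.append("Git-Commit is not a full 40-hex sha")
    if not any(n in names for n in LICENSE_FILES):
        gaps.append("no license file in jar")
    return gaps


def make_jar(manifest, extra_files=()):
    """Build a jar in memory (constructed test input, not a real ONAP artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in extra_files:
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a typical bare Jenkins jar and one with the minimal metadata.
BARE_JAR = make_jar("Manifest-Version: 1.0\r\nCreated-By: Jenkins\r\n\r\n")
GOOD_JAR = make_jar(
    "Manifest-Version: 1.0\r\nImplementation-Title: example-lib\r\n"
    "Implementation-Version: 1.2.3\r\nGit-Url: https://gerrit.example.org/r/\r\n"
    " example-lib\r\nGit-Commit: " + "a" * 40 + "\r\nBundle-License: Apache-2.0\r\n\r\n",
    [("META-INF/LICENSE", "Apache License 2.0 ...")])
```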
- relates to: RELENG-4104 SBOM macro for Nexus scans (Done)