davsclaus opened a new issue, #1679:
URL: https://github.com/apache/camel-website/issues/1679
Write a blog post covering SBOM (Software Bill of Materials) and supply chain security in Apache Camel.

**Why now:**
- EU Cyber Resilience Act (CRA) will require SBOM delivery for software sold in the EU
- US Executive Order 14028 and NIST guidance make SBOMs a federal procurement expectation
- Enterprise teams increasingly treat SBOM availability as a hard requirement when evaluating frameworks

**Suggested content:**
1. **What is an SBOM and why it matters** — brief intro for users who aren't familiar with the concept and the regulatory landscape driving adoption (EU CRA, US EO 14028).
2. **What Camel already provides** — every release since 4.0.3 ships with PGP-signed CycloneDX SBOMs (JSON + XML) in the download section. Explain what's in them and how users can use them for vulnerability scanning.
3. **How to generate SBOMs for your own Camel applications:**
   - **Camel Spring Boot / Maven**: add the `cyclonedx-maven-plugin` to your `pom.xml` — it's a standard Maven plugin, nothing Camel-specific needed.
   - **Camel Quarkus**: similar Maven plugin approach.
   - **Camel JBang**: the built-in `sbom` command can generate CycloneDX or SPDX SBOMs directly.
4. **Combining SBOMs with CVE scanning** — how to use the generated SBOM with tools like `grype`, `trivy`, or OWASP Dependency-Track to get continuous security analysis.
5. **Camel's broader security posture** — link to the trust page, security advisories, the 500+ dependency update track record, and the security model documentation.

Related: #1678 (promote SBOM on the trust page)
--
This is an automated message from the Apache Git Service.
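Items 2 and 4 of the issue, as an added illustration that is not code from this issue or from the Camel project: a Python reader for a CycloneDX JSON SBOM (the JSON flavour Camel ships) that validates the envelope, pulls each component's purl and version, and checks them against a constructed advisory table. This is in miniature what grype, trivy or Dependency-Track do against real vulnerability databases; the SBOM contents, the advisory entry and its id are constructed placeholders, not real Camel dependencies or CVEs.

```python
import json
import re

# Constructed sample in CycloneDX 1.5 JSON layout; component versions are
# illustrative and not taken from any real Camel release SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.camel", "name": "camel-core",
         "version": "4.8.0", "purl": "pkg:maven/org.apache.camel/camel-core@4.8.0"},
        {"type": "library", "group": "com.example", "name": "old-json-lib",
         "version": "1.2.3", "purl": "pkg:maven/com.example/old-json-lib@1.2.3"},
    ],
})

# Constructed advisory table with a placeholder id (not a real CVE):
# version-less purl -> (fixed-in version, advisory id)
ADVISORIES = {
    "pkg:maven/com.example/old-json-lib": ("1.2.4", "EXAMPLE-ADVISORY-0001"),
}

def version_tuple(v):
    """Numeric comparison of dotted versions; non-numeric parts count as 0.
    Real scanners use proper version-range semantics; this is a simplification."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))

def load_components(sbom_text):
    """Validate the CycloneDX envelope and return (purl, version) per component."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for c in bom.get("components", []):
        purl = c.get("purl")
        if purl:  # components without a purl cannot be matched by scanners
            out.append((purl, c["version"]))
    return out

def find_affected(sbom_text):
    """Return (purl, version, fixed_in, advisory) for components below the fix."""
    hits = []
    for purl, version in load_components(sbom_text):
        base = purl.split("@", 1)[0]  # strip the version to look up the advisory
        if base in ADVISORIES:
            fixed_in, advisory = ADVISORIES[base]
            if version_tuple(version) < version_tuple(fixed_in):
                hits.append((purl, version, fixed_in, advisory))
    return hits
```

Calling `find_affected(SAMPLE_SBOM)` flags only the constructed `old-json-lib` component; feeding a real release SBOM to grype or trivy replaces the placeholder table with their full vulnerability feeds.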