Implement and document SBOM (apache/logging-log4j2#1707)

apache · Oct 20, 2023 · cd5dc8e · cd5dc8e
1 parent 76d211d
commit cd5dc8e
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/src/changelog/.0.x.x/add-sbom.xml b/src/changelog/.0.x.x/add-sbom.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns="http://logging.apache.org/log4j/changelog"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+       type="added">
+  <author id="github:vy"/>
+  <description format="asciidoc">Started generating CycloneDX SBOM with the recent update of `logging-parent` to version `10.2.0`</description>
+</entry>
diff --git a/src/site/index.adoc b/src/site/index.adoc
@@ -58,6 +58,38 @@ In accordance with the Apache Software Foundation's release https://infra.apache
 
 See xref:#release-instructions[the release instructions] for details.
 
+[#maven-bom]
+=== Maven Bill of Materials (BOM)
+
+To keep your {project-name} module versions aligned, a https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#bill-of-materials-bom-poms[Maven Bill of Materials (BOM) POM] is provided for your convenience.
+
+To use this with Maven, add the dependency listed below to your `pom.xml` file.
+Note that the `<dependencyManagement>` nesting and the `<scope>import</scope>` instruction.
+This will _import_ all modules bundled with the associated Log4j release to your `dependencyManagement`.
+As a result, you don't have to specify versions of the imported modules (`log4j-changelog`, `log4j-changelog-maven-plugin`, etc.) while using them.
+
+.`pom.xml` snippet importing `log4j-tools-bom`
+[source,subs="+attributes"]
+----
+<dependencyManagement>
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-tools-bom</artifactId>
+      <version>{project-version}</version>
+      <scope>import</scope>
+      <type>pom</type>
+    </dependency>
+  </dependencies>
+</dependencyManagement>
+----
+
+[#cyclonedx-sbom]
+=== CycloneDX Software Bill of Materials (SBOM)
+
+Starting with version `0.6.0`, {project-name} distributes https://cyclonedx.org/capabilities/sbom/[CyclenoDX Software Bill of Materials (SBOM)] along with each deployed artifact.
+This is streamlined by `logging-parent`, see https://logging.apache.org/logging-parent/latest/#cyclonedx-sbom[its website] for details.
+
 [#support]
 == Support