WildFly issue WFLY-17851

SBOM Generation

Details

    • Feature Request
    • Resolution: Unresolved
    • Major
    • None
    • 27.0.1.Final
    • Build System
    • None

    Description

      As the software industry seeks to improve the security of supply chains, SBOMs (Software Bill of Materials) are becoming increasingly widespread. SBOMs are an important input to tools like Dependency-Track, which help to quickly identify vulnerable dependencies so those vulnerabilities can be assessed and mitigated. In the US, the federal government will soon require vendors to produce SBOMs for all software it procures, as per Executive Order 14028.

      Currently, WildFly does not produce an SBOM. Even if it did, that would be of limited value for people who provision WildFly using Galleon, since Galleon allows the easy addition of extra feature packs that are maintained by WildFly devs (like wildfly-datasources-galleon-pack) and proprietary feature packs (my company has a few).

      Therefore, it would be helpful if Galleon could produce an SBOM based on the JARs it downloads during provisioning. CycloneDX seems to be the emerging standard for SBOMs, and that is what my company is using, but SPDX is also being used by some organizations.

      Alternatively, an SBOM could be generated by scanning the JARs after provisioning is done. But it could be difficult to match the JARs to their Maven coordinates. Also, CycloneDX can represent the dependencies between the JARs, but after-the-fact scanning would lose that information.
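As an added example (not WildFly or Galleon code), the script below builds a CycloneDX 1.4 BOM from the Maven coordinates and JAR bytes a provisioner resolves, keeping the dependency graph, and shows the after-the-fact fallback of reading META-INF/maven/.../pom.properties, which recovers coordinates only when that file is present and never the dependency edges. All coordinates, JAR contents and the application name are constructed placeholders.

```python
import io
import zipfile
from hashlib import sha256

def purl(group, artifact, version):
    """Package URL for a Maven JAR; CycloneDX uses it as the component identity."""
    return f"pkg:maven/{group}/{artifact}@{version}?type=jar"

def build_cyclonedx(app_name, artifacts, depends_on):
    """artifacts: {purl: (group, artifact, version, jar_bytes)} as resolved at provisioning;
    depends_on: {purl: [purl, ...]} from the resolver, which after-the-fact scanning loses."""
    components = [{
        "type": "library", "bom-ref": ref, "group": g, "name": a, "version": v, "purl": ref,
        "hashes": [{"alg": "SHA-256", "content": sha256(data).hexdigest()}],
    } for ref, (g, a, v, data) in artifacts.items()]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "bom-ref": app_name}},
        "components": components,
        "dependencies": [{"ref": app_name, "dependsOn": list(artifacts)}]
                        + [{"ref": r, "dependsOn": depends_on.get(r, [])} for r in artifacts],
    }

def coords_from_jar(jar_bytes):
    """Fallback for scanning an already provisioned JAR: read META-INF/maven/<g>/<a>/pom.properties.
    Returns (group, artifact, version), or None when the JAR carries no Maven metadata."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = dict(line.split("=", 1) for line in zf.read(name).decode().splitlines()
                             if "=" in line and not line.startswith("#"))
                return props["groupId"], props["artifactId"], props["version"]
    return None

def make_jar(coords=None):
    """Constructed sample JAR (test data only): a zip with optional pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if coords:
            g, a, v = coords
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        f"#generated\ngroupId={g}\nartifactId={a}\nversion={v}\n")
    return buf.getvalue()

# Constructed sample: hypothetical coordinates, not real WildFly artifacts.
CORE, UTIL = purl("org.example", "core", "1.0.0"), purl("org.example", "util", "2.3.1")
ARTIFACTS = {CORE: ("org.example", "core", "1.0.0", make_jar(("org.example", "core", "1.0.0"))),
             UTIL: ("org.example", "util", "2.3.1", make_jar())}  # shaded jar, no pom.properties
BOM = build_cyclonedx("example-server", ARTIFACTS, {CORE: [UTIL]})
```

Feeding BOM to a consumer such as Dependency-Track works because each component carries a purl and a hash; the second JAR illustrates why scanning alone cannot always recover coordinates.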

    People

      bstansbe@redhat.com Brian Stansberry
      rdicroce Richard DiCroce (Inactive)