--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/CANYWk7P1bw1BKmeKmituBGCdVbHK96C-PJn_qDC1aRHLxLrxKw%40mail.gmail.com.
+1.
I think it's interesting and fits into the /q/info endpoint we have - which is not active by default (good for security)
and can be put behind a separate management port (even better for security).
Having an SBOM serving feature is one thing.
The other is how that SBOM is generated, and that's where Alexey's comments are relevant:
cyclone (and any other tool out there today) doesn't capture/grok the Quarkus dependency setup;
some will argue they don't even know about Java :)
So having such understanding contributed to those projects would be a good thing.
If we can then, within the Quarkus build system, enhance those SBOMs in both Maven and Gradle, that might be further interesting.
/max
Georgios Andrianakis
Independent Contractor