A Software Bill of Materials (SBOM) is a way to trace and manage software dependencies for software projects.
There are 2 standards most projects are using:
CycloneDX from the Open Web Application Security Project (OWASP)
With an SBOM this project could answer the last Log4J / Logback (#1266) issue better/faster, or could show the "old" SpringBoot components (#1267) used in this project.
I think we need a way to manage dependency updates for security, performance and function upgrades. With the switch from the OpenCensus framework to the OpenTelemetry framework there is more need to manage these dependency upgrades until there is an LTS release of the Otel framework.
I think with / before every release there should be a way to check, for every dependency, if we must/should/would upgrade this dependency to the latest release. For security checks we have the GitHub bot, which helps in this area. But for performance or function upgrades this does not help.
Hi Sascha,
With #1367 merged, CycloneDX SBOMs are now generated for every new release. This has also already been used for the first time with release 1.16.0.
Best regards, Aaron
Here is a good explanation of what an SBOM is and what it could do for one: What an SBOM Can Do for You, or this overview: awesome-sbom
Regards, Sascha
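The thread above argues that an SBOM lets a project answer a question like the Log4J / Logback issue quickly, and the reply confirms that CycloneDX SBOMs are now generated per release. As an added example (not code from this project or from either commenter), the following Python reads a CycloneDX JSON document, looks up a component by Maven group and name, and flags any copy whose version sorts below a given fixed version. The SBOM content, the component versions and the "fixed in 2.15.0" threshold are all constructed for illustration and are not taken from any release of this project or from a specific advisory.

```python
import json

# Constructed CycloneDX 1.4 JSON document with three Java components.
# Illustrative only: not a real release SBOM of this project.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "ch.qos.logback", "name": "logback-classic",
     "version": "1.2.7", "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.7"},
    {"type": "library", "group": "org.springframework.boot", "name": "spring-boot",
     "version": "2.3.12.RELEASE", "purl": "pkg:maven/org.springframework.boot/spring-boot@2.3.12.RELEASE"}
  ]
}
"""


def parse_version(version):
    """Turn '2.3.12.RELEASE' into (2, 3, 12).

    Only leading numeric segments are compared; a textual qualifier such as
    'RELEASE' ends the numeric part. Tuples are padded to three places so that
    '1.2' and '1.2.0' compare equal.
    """
    parts = []
    for segment in version.split("."):
        if segment.isdigit():
            parts.append(int(segment))
        else:
            break
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def load_components(sbom_json):
    """Parse a CycloneDX JSON string and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def find_components(components, group=None, name=None):
    """Select components matching the given Maven group and/or artifact name."""
    return [
        c for c in components
        if (group is None or c.get("group") == group)
        and (name is None or c.get("name") == name)
    ]


def components_below(components, group, name, fixed_version):
    """Return the matching components whose version sorts below fixed_version.

    This is the 'is the old log4j-core still in our build?' question from the
    issue, answered from the SBOM alone, without touching the build tree.
    """
    fixed = parse_version(fixed_version)
    return [
        c for c in find_components(components, group, name)
        if parse_version(c["version"]) < fixed
    ]


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM_JSON)
    # Threshold chosen for illustration, not quoted from an advisory.
    for hit in components_below(comps, "org.apache.logging.log4j", "log4j-core", "2.15.0"):
        print("needs attention:", hit["purl"])
```

The same lookup can be run across the SBOMs of several releases to answer the second point in the issue, which components are "old" relative to a chosen baseline, by passing the baseline version as `fixed_version`.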