content/chainguard/libraries/java: 1 file changed +25 -0 lines changed
@@ -162,3 +162,28 @@ The option `-L` is required to follow redirects for the actual file locations.
162162[ Use checksums of any file to
163163verify] ( /chainguard/libraries/java/management/#java-verification ) if it
164164originates from the Chainguard repository.
165+
166+ ## SBOM and attestation files
167+
168+ Chainguard Libraries for Java include files that contain software bill of
169+ material (SBOM) information. Additional files attest details about build
170+ infrastructure with the [ Supply-chain Levels for Software Artifacts
171+ (SLSA)] ( https://slsa.dev/ ) provenance information.
172+
173+ The related files for Chainguard Libraries for Java are located in the same
174+ location as the ` .pom ` , ` .jar ` , and other artifacts for a specific library
175+ version and uses the same ` artifactId-version ` naming convention with the
176+ following extensions:
177+
178+ * ` .slsa-attestation.json ` for the SLSA provenance attestation
179+ * `.spdx.json for the SBOM information
180+
181+ For example, the file location for artifactId ` commons-compress ` and version
182+ ` 1.28.0 ` is
183+ [ https://libraries.cgr.dev/java/org/apache/commons/commons-compress/1.28.0/ ] ( https://libraries.cgr.dev/java/org/apache/commons/commons-compress/1.28.0/ ) .
184+ It includes the following files:
185+
186+ * ` commons-compress-1.28.0.pom `
187+ * ` commons-compress-1.28.0.jar `
188+ * ` commons-compress-1.28.0.slsa-attestation.json `
189+ * ` commons-compress-1.28.0.spdx.json `
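Review bot: the bullet `* \`.spdx.json for the SBOM information` is missing its closing backtick, so the whole remainder of the line will render as inline code; it should read `* \`.spdx.json\` for the SBOM information` to match the `.slsa-attestation.json` bullet above it. Two smaller wording fixes in the same hunk: "software bill of material (SBOM)" should be "software bill of materials (SBOM)", and "located in the same location ... and uses the same `artifactId-version` naming convention" needs "use", since the subject is the plural "files". More substantively, the new section explains where the SLSA provenance and SPDX files live but not how a consumer should check them; the unchanged context just above points readers to the checksum verification section for "any file", so a sentence stating whether that same checksum step applies to these two files, or a link to wherever attestation verification is documented, would keep the section from leaving readers with artifacts they cannot validate.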