Log4jUseCase

Intellectual Property Disclosure and Warranty

Copyright and all other rights reserved by Reliable Energy Analytics, LLC (REA) 2018-2021. 
Licensed under Creative Commons 4.0 https://creativecommons.org/licenses/by/4.0/  

DISCLAIMER OF WARRANTIES TO THE EXTENT NOT PROHIBITED BY LAW, REA HEREBY DISCLAIMS ALL EXPRESS OR IMPLIED REPRESENTATIONS, WARRANTIES, GUARANTEES, AND CONDITIONS OF ANY KIND, ARISING BY LAW OR OTHERWISE, WITH REGARD TO THIS ARTIFACT, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, GUARANTEES, AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, AND QUALITY OF SERVICE.

REA MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING THE CONTENT, EFFECTIVENESS, USEFULNESS, RELIABILITY, AVAILABILITY, TIMELINESS, QUALITY, SUITABILITY, ACCURACY OR COMPLETENESS OF THIS ARTIFACT OR THE RESULTS YOU MAY OBTAIN BY USING THE ARTIFACT OR THAT THE ARTIFACT WILL BE ERROR-FREE.

Apache Log4j SBOM Materials

These Apache Log4j SBOM files were created from a binary (zip file) distribution of Log4j version 2.15.0. FileChecksums at the SBOM component level should be ignored as they only represent the file hash for the primary component, appearing in the Package object.

An SBOM representing the Apache Log4j 2.17.0 CORE classes is also provided as a separate SBOM in SPDX TV and JSON formats, along with a complete Vulnerability Disclosure Report (VDR) in an open-source format containing FixStatus and Vendor Analysis Findings as placeholder elements.

NOTE: The VDR clearly shows the need to have SBOM data aligned with NIST NVD data: the Log4j CVE 44228 is not associated with any of the SBOM components listed in the SBOM. This really needs to be addressed. Please promote the alignment of SBOM data with NIST NVD data in order to improve vulnerability search results on SBOMs.
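
The mismatch described in the note, as an added example that is not part of this repository: a name-only lookup of an SBOM package against NVD-style vendor/product data finds nothing, while the same package carrying an SPDX `ExternalRef` CPE entry is matched. The package name, the SPDX fragments and the one-entry feed are constructed for illustration, and version-range matching is left out.

```python
# Constructed SPDX tag-value fragment; the package name is an assumption.
SBOM_PLAIN = (
    "PackageName: log4j-core\n"
    "SPDXID: SPDXRef-Package-log4j-core\n"
    "PackageVersion: 2.15.0\n"
)
# Same package with a CPE security reference added (SPDX 2.x ExternalRef syntax).
SBOM_ALIGNED = SBOM_PLAIN + (
    "ExternalRef: SECURITY cpe23Type cpe:2.3:a:apache:log4j:2.15.0:*:*:*:*:*:*:*\n"
)
# Constructed stand-in for NVD data, keyed by CPE (vendor, product).
FEED = {("apache", "log4j"): ["Log4j CVE 44228"]}


def parse_packages(text):
    """Parse SPDX tag-value text into package dicts with any CPE references."""
    packages, current = [], None
    for line in text.splitlines():
        tag, sep, value = line.partition(": ")
        if not sep:
            continue
        if tag == "PackageName":
            current = {"name": value, "version": None, "cpes": []}
            packages.append(current)
        elif current is not None and tag == "PackageVersion":
            current["version"] = value
        elif current is not None and tag == "ExternalRef":
            parts = value.split()
            if len(parts) == 3 and parts[:2] == ["SECURITY", "cpe23Type"]:
                current["cpes"].append(parts[2])
    return packages


def lookup_by_name(pkg, feed):
    """Name-only search: the SBOM package name must equal the CPE product."""
    return [c for (_, product), cves in feed.items() if product == pkg["name"] for c in cves]


def lookup_by_cpe(pkg, feed):
    """Search by the vendor and product fields of each CPE 2.3 string in the SBOM."""
    found = []
    for cpe in pkg["cpes"]:
        fields = cpe.split(":")  # escaped colons are not handled in this sketch
        if len(fields) == 13 and fields[:3] == ["cpe", "2.3", "a"]:
            found += feed.get((fields[3], fields[4]), [])
    return found


def report(text, feed):
    """Return, per package, what each lookup strategy finds."""
    return {p["name"]: {"by_name": lookup_by_name(p, feed), "by_cpe": lookup_by_cpe(p, feed)}
            for p in parse_packages(text)}
```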