[wp-meta] [Making WordPress.org] #8136: SBOM - Software Bill of Materials to automate license validation and vulnerability/security notifications

Making WordPress.org noreply at wordpress.org
Sun Nov 23 20:19:28 UTC 2025


#8136: SBOM - Software Bill of Materials to automate license validation and
vulnerability/security notifications
--------------------------+--------------------
 Reporter:  kkmuffme      |      Owner:  (none)
     Type:  enhancement   |     Status:  new
 Priority:  normal        |  Milestone:
Component:  Theme Review  |   Keywords:
--------------------------+--------------------
 There are some ongoing initiatives about software requiring an SBOM - a
 list of included/bundled 3rd party code.
 If/how/when this applies to open-source is unclear, however I think this
 is an initiative that would actually make reviewing plugins and themes for
 the directory easier.
 Additionally, this would also contribute to WP security, since notifying
 plugins/themes that contain 3rd party code with vulnerabilities would be
 much easier/faster/automated, since it's structured data.

 There are tools available that automatically create these (e.g.
 https://github.com/CycloneDX/cyclonedx-php-composer) and they have an
 essentially standardized format https://cyclonedx.org/docs/1.7/json/
 e.g. https://github.com/CycloneDX/bom-examples/blob/master/SBOM/protonmail-webclient-v4-0912dff/bom.json
 Additionally, there are tools for both composer and npm to warn/restrict
 to specific licenses in the first place, to ensure people won't
 accidentally end up using a non-compatible license.

 I am not familiar with the current plugin/theme review process and only
 found a seemingly old link
 https://make.wordpress.org/themes/handbook/get-involved/onboarding-for-new-reviewers/licensing-both-easy-and-difficult/
 which stresses this and makes it look like checking licenses is
 a manual process?
 Which obviously will result in an oversight from time to time e.g.
 https://wordpress.org/plugins/woocommerce-paypal-payments/ is released as
 GPLv2 but includes Apache 2.0 licensed JS which is incompatible with GPLv2
 (needs GPLv3)

 Is this something you think would make sense?
 How would you go about implementing it?

 I think there are 2 parts:
 1) at least documentation on how to create the SBOM using existing tools
 (composer, npm,...) at "worst" a plugin (or WP CLI command?) that creates
 the SBOM for a plugin (similar to the wp cli i18n commands?)

 2) integration in the theme review process to automatically validate the
 readme.txt/plugin License: header against the bom.json provided
 (in the best case: automatically/CI using the WP CLI command of 1) to
 generate the SBOM upon submission of the plugin)

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/8136>
Making WordPress.org <https://meta.trac.wordpress.org/>
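As an added worked example of the part-2 check proposed in the ticket (this is not code from wordpress.org, the reporter or the CycloneDX project): a small Python script that reads the `License:` header from a readme.txt, walks every component in a CycloneDX bom.json (including nested components), collapses each component's `licenses` entries into one SPDX expression, and reports every component whose license is not compatible with the declared one. The readme-to-SPDX mapping, the compatibility matrix and the sample readme/bom are constructed assumptions for illustration; a real check would take the matrix from a maintained source.

```python
"""Added example: check the bundled licenses in a CycloneDX bom.json against a
plugin's readme.txt License: header. Mappings are an illustrative subset (assumptions)."""
import json
import re

# Free-text "License:" values seen in readme.txt, mapped to SPDX ids (assumption).
WP_LICENSE_TO_SPDX = {
    "gplv2": "GPL-2.0-only", "gpl-2.0": "GPL-2.0-only",
    "gplv2 or later": "GPL-2.0-or-later", "gpl-2.0+": "GPL-2.0-or-later",
    "gplv3": "GPL-3.0-only", "gplv3 or later": "GPL-3.0-or-later",
}

# Illustrative compatibility subset: SPDX ids that may be bundled under each declared license.
_PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib"}
_GPL2 = {"GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only", "LGPL-2.1-or-later"}
_GPL3 = {"GPL-3.0-only", "GPL-3.0-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later", "Apache-2.0"}
COMPATIBLE_WITH = {
    "GPL-2.0-only": _PERMISSIVE | _GPL2,
    # "or later" permits distribution under GPLv3 terms, so Apache-2.0 passes here.
    "GPL-2.0-or-later": _PERMISSIVE | _GPL2 | _GPL3,
    "GPL-3.0-only": _PERMISSIVE | {"GPL-2.0-or-later", "LGPL-2.1-or-later"} | _GPL3,
    "GPL-3.0-or-later": _PERMISSIVE | {"GPL-2.0-or-later", "LGPL-2.1-or-later"} | _GPL3,
}

def declared_license(readme_text):
    """SPDX id from the 'License:' header; 'License URI:' does not match the pattern."""
    m = re.search(r"^License:\s*(.+?)\s*$", readme_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("readme.txt has no License: header")
    raw = m.group(1)
    return WP_LICENSE_TO_SPDX.get(raw.lower(), raw)

def iter_components(bom):
    """Depth-first over all components, including those nested under other components."""
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop(0)
        yield comp
        stack[0:0] = comp.get("components", [])

def component_license_expr(comp):
    """Collapse the CycloneDX 'licenses' list to one SPDX expression.
    Multiple entries are treated as a dual-licensing choice (OR); no data -> 'UNKNOWN'."""
    terms = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            terms.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            terms.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return " OR ".join(terms) if terms else "UNKNOWN"

def expression_allowed(expr, allowed):
    """Minimal SPDX evaluation: an OR alternative passes if every AND term in it is allowed."""
    flat = expr.replace("(", "").replace(")", "")
    return any(all(t.strip() in allowed for t in alt.split(" AND "))
               for alt in flat.split(" OR "))

def check_bom(readme_text, bom):
    """Return (declared_spdx, problems); problems lists (name@version, license_expr)."""
    declared = declared_license(readme_text)
    allowed = COMPATIBLE_WITH.get(declared)
    if allowed is None:
        raise ValueError(f"no compatibility data for declared license {declared!r}")
    problems = []
    for comp in iter_components(bom):
        expr = component_license_expr(comp)
        if not expression_allowed(expr, allowed):
            problems.append((f"{comp.get('name')}@{comp.get('version', '?')}", expr))
    return declared, problems

def check_files(readme_path, bom_path):
    """Same check against files on disk, e.g. in CI after generating bom.json."""
    with open(readme_path, encoding="utf-8") as r, open(bom_path, encoding="utf-8") as b:
        return check_bom(r.read(), json.load(b))

# Constructed sample inputs (not a real plugin or a real bom.json).
SAMPLE_README = "=== Example Plugin ===\nContributors: example\nLicense: GPLv2\n" \
                "License URI: https://www.gnu.org/licenses/gpl-2.0.html\n"
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.7", "components": [
    {"type": "library", "name": "monolog/monolog", "version": "3.5.0",
     "licenses": [{"license": {"id": "MIT"}}],
     "components": [{"type": "library", "name": "psr/log", "version": "3.0.0",
                     "licenses": [{"license": {"id": "MIT"}}]}]},
    {"type": "library", "name": "some-js-lib", "version": "1.4.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "dual-lib", "version": "2.0.0",
     "licenses": [{"expression": "MIT OR Apache-2.0"}]},
    {"type": "library", "name": "mystery-lib", "version": "0.1.0"},
]}

if __name__ == "__main__":
    declared, problems = check_bom(SAMPLE_README, SAMPLE_BOM)
    print(f"declared license: {declared}")
    for name, expr in problems:
        print(f"INCOMPATIBLE: {name} is licensed {expr}")
```

Run against the constructed sample, the script reports the Apache-2.0 component (the same class of mismatch the ticket describes for a GPLv2 plugin) and the component with no license data at all; the dual-licensed component passes because one of its alternatives is compatible. Treating a missing license as `UNKNOWN` rather than skipping it is deliberate: an SBOM generator that could not determine a license is exactly the case a reviewer needs to look at.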