Provide a SBOM for each distribution of an APEX Version

klaus.schuermann Public · Mar 10 2026

Idea Summary
Please provide a SBOM (Software Bill of Material) for each distribution of an APEX Version or patch in order to comply with the requirements of the US-Executive Order 14028 or the EU Cyber Resilience Act.
Use one of the three internationally recognized standard formats:
- CycloneDX
- SPDX (Software Package Data Exchange)
- SWID (Software Identification) Tags

Use Case
Case 1:
It helps to check for vulnerable or outdated components during the vulnerability management process.
Case 2:
Transparency in the software supply chain.

Preferred Solution (Optional)
put an apex_26.1.spdx.json file into apex_26.1.zip

This is currently on the roadmap for a future release of Oracle APEX.

Comments

vladislav.uvarov APEX Team OP 2 days ago

We are aware of the upcoming SBOM-related requirements and are tracking these developments. We want to ensure we address SBOM in a holistic way that's consistent across Oracle products and cloud services - not just for APEX.

In the meantime, you can find the list of third-party software included in each APEX release in the documentation below. This information is kept up to date throughout the release cycle.

Oracle APEX Licensing Information User Manual
Third-Party Notices and/or Licenses for Oracle APEX

1 Voters

Provide a SBOM for each distribution of an APEX Version

Feature

Comments

Comments