Blog post featured image

If your security or compliance team has started asking “does it ship with an SBOM?”, you are not alone. The EU Cyber Resilience Act (CRA) will require SBOM delivery for software sold in the EU, US Executive Order 14028 and NIST guidance make SBOMs a federal procurement expectation, and enterprise evaluation checklists increasingly treat SBOM availability as a gate.

Apache Camel has shipped SBOMs with every release since 4.0.3 — long before these regulations finalized. Here is what that means for you in practice.

What is an SBOM?

A Software Bill of Materials is a machine-readable inventory of every component in a piece of software: direct dependencies, transitive dependencies, their versions, and their licenses. Think of it as a nutrition label for your software supply chain.

Two formats dominate: CycloneDX (OWASP) and SPDX (Linux Foundation). Camel supports both.

The value is straightforward: feed an SBOM into a vulnerability scanner, and you get an instant, continuously updatable view of every known CVE in your dependency tree — no manual audit required.

What Camel ships

Since release 4.0.3 (November 2023), every Apache Camel release includes PGP-signed CycloneDX SBOMs in both JSON and XML formats. You will find them on the download page right next to the source archive and its checksums.

These SBOMs cover the entire Camel distribution: all modules, all dependencies, all transitive dependencies. Combined with Camel’s track record of 2,449 dependency updates across 20 releases, you get a framework where the supply chain is not just documented — it is actively maintained.

Generating SBOMs for your own applications

The framework SBOM tells you what is in Camel. But compliance teams typically also need an SBOM for your application — the thing you actually deploy. Camel gives you three ways to do this, depending on your runtime.

Camel CLI

The fastest path. If you are using the Camel CLI, a single command does it:

camel sbom

This produces a sbom.json in CycloneDX format. Switch to SPDX with --sbom-format=spdx, or target a specific runtime:

camel sbom --runtime=spring-boot
camel sbom --runtime=quarkus

See the camel sbom command reference for the full set of options.

Camel Spring Boot

Spring Boot 3.3+ has built-in SBOM support: it generates a CycloneDX SBOM during the build, packages it inside the uber jar at META-INF/sbom/application.cdx.json, and can expose it via an actuator endpoint. Since Camel Spring Boot runs on top of Spring Boot, this automatically covers Camel and all its transitive dependencies — no extra plugin or Camel-specific configuration needed.

Camel Quarkus

Quarkus has its own dependency resolver that differs from standard Maven resolution, which means the generic CycloneDX Maven plugin will not capture the full dependency graph. Instead, use the native Quarkus CycloneDX extension. Add it to your project:

<dependency>
    <groupId>io.quarkus</groupId>
    <artifactId>quarkus-cyclonedx</artifactId>
</dependency>

This generates a distribution SBOM automatically every time you build. You can also generate a dependency SBOM before building with mvn quarkus:dependency-sbom.

For the full guide, see Generating SBOMs in the user manual.

Combining SBOMs with vulnerability scanning

An SBOM by itself is an inventory. The real value comes when you feed it into a scanner that matches components against known CVEs. Here are three tools that ingest CycloneDX SBOMs directly:

OWASP Dependency-Track — a full platform for continuous SBOM analysis. Upload your SBOM, and it monitors for new CVEs against your dependency tree automatically. Supports policy-based alerting and integrates with CI/CD pipelines.

Grype — a command-line vulnerability scanner. Point it at your SBOM file:

grype sbom:./sbom.json

Trivy — another CLI scanner, widely used in container security. It can scan CycloneDX SBOMs directly:

trivy sbom ./sbom.json

Any of these will give you an immediate, actionable list of known vulnerabilities in your dependency tree — turning the SBOM from a compliance checkbox into a practical security tool.

The bigger picture

SBOMs are one piece of Camel’s supply chain security story. The full picture includes:

  • 500+ dependencies kept current — 2,449 version updates across 20 releases, so you are not stuck on a vulnerable library waiting for an upstream bump
  • Security advisories — every vulnerability handled through the ASF’s coordinated disclosure process with full PGP-signed advisories going back to 2013
  • Security model — a canonical reference documenting where trust boundaries sit and what is in or out of scope
  • A 99.8% bug fix rate with a median fix time of one day

When someone asks whether Camel is ready for regulated environments, the answer is in the public record — including, now, every dependency in every release. See the Trust page for the complete picture.

Why AI Already Knows Apache Camel

 , by

Ask an AI coding assistant to write an Apache Camel route and you will likely get working code on the first try. Ask it to configure a Kafka consumer, wire up an error handler, or transform a message with the Simple language, and the result is usually correct — often surprisingly so. This is not because AI models were specifically trained on Camel. It is because Camel’s 19-year track record has produced exactly the kind of public, high-quality, consistent data that large language models learn best from.

Continue reading ❯

AI

The DNA of Apache Camel: How a 42-File Commit Became the World's Integration Framework

 , by

On March 19, 2007, at 10:54 UTC, James Strachan pushed commit 77b260b6 with the message “Initial checkin of Camel routing library.” It contained 42 files across two modules: camel-core and camel-jms. Nineteen years later, the repository has crossed 100,000+ commits from 1,600+ contributors, ships 350+ integration components, and runs in production from CERN’s Large Hadron Collider to UPS processing tens of billions of messages per day. Through all of that — through the rise and fall of ESBs, the SOA-to-microservices migration, the cloud-native revolution, Kubernetes, serverless, and now AI coding agents — the core DNA has remained remarkably stable.

Continue reading ❯

COMMUNITY

Apache Camel by the Numbers: 19 Years of Open Source Integration

 , by

When the first commit landed on March 19, 2007, Apache Camel was a routing library with a handful of components and a single contributor. Nineteen years later, the git repository has crossed 100,000 commits from 1,500+ contributors representing 450+ companies across more than 20 countries. The project ships 311 integration components, has published 300+ releases, and runs in production at organizations where downtime means grounded flights, blocked payments, or missed diagnoses.

Continue reading ❯

COMMUNITY

Apache Camel 4.20 What's New

 , by

Apache Camel 4.20 has just been released. This release is an expedited security fix release on top of the previous 4.19 release. JDK25 compatibility This is the first release supporting JDK25. However, there are a few 3rd party libraries that does not yet fully support JDK25, see more in CAMEL-22114. Camel JBang You can now easier configure HTTPS for development purposes with self-signed certificates, so you can host services via HTTPS locally in Camel.

Continue reading ❯

RELEASES

Apache Camel 4.19 What's New

 , by , , , , ,

Apache Camel 4.19 has just been released. This release introduces a set of new features and noticeable improvements that we will cover in this blog post. Camel Spring Boot This is our first release that supports Spring Boot v4. Spring Boot v3 is no longer supported. Camel Jackson 3 Components Four new components have been added which provide Jackson 3 support - they are named similarly to the previously existing camel-jackson components.

Continue reading ❯

RELEASES