Automating creation of Software Bills of Materials

CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/52428 (DOI)

Publisher

FOSDEM VZW

Release Date

2021

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

A Software Bill of Materials (SBoM) can communicate details about a software package's contents, as well as the inputs and sources that were used to build it. However, SBoMs created by manual processes can often be incomplete, incorrect or out-of-date as a software package evolves. Effective use of SBoMs will typically require creating them during the build process itself using automated tooling. In this talk, I will present a proof-of-concept for generating an SPDX SBoM for CMake-based projects. I will discuss an experiment with leveraging the CMake file-based APIs to automatically create SPDX 2.2 SBoMs. The generated SBoM includes relationships to denote which source files were used as inputs for the corresponding build artifacts. I will present this in the context of the Zephyr project, an open source RTOS for embedded systems that leverages CMake. I will briefly discuss this proof-of-concept, some early results from it and thoughts for next steps.