[PATCH 1/1] Add a SBOM template in CycloneDX format
Jessica Clarke
jrtc27 at jrtc27.com
Mon Dec 9 07:46:21 PST 2024
On 9 Dec 2024, at 12:05, Richard Hughes <hughsient at gmail.com> wrote:
>
> Improve supply chain security by including a SBOM file with substituted values.
>
> This will be used to construct a composite platform SBOM.
>
> Signed-off-by: Richard Hughes <richard at hughsie.com>
> ---
> docs/sbom.cdx.json | 43 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 43 insertions(+)
> create mode 100644 docs/sbom.cdx.json
>
> diff --git a/docs/sbom.cdx.json b/docs/sbom.cdx.json
> new file mode 100644
> index 0000000..d300807
> --- /dev/null
> +++ b/docs/sbom.cdx.json
> @@ -0,0 +1,43 @@
> +{
> + "bomFormat": "CycloneDX",
> + "specVersion": "1.6",
> + "version": 1,
> + "metadata": {
> + "authors": [
> + {
> + "name": "@VCS_SBOM_AUTHORS@"
What turns this template into the actual file? And surely this isn’t
the right templating for a list here? A set of authors is not a
singular author’s name.
Jess
> + }
> + ]
> + },
> + "components": [
> + {
> + "type": "library",
> + "bom-ref": "pkg:github/riscv-software-src/opensbi@@VCS_TAG@",
> + "cpe": "cpe:2.3:a:riscv:opensbi:@VCS_TAG@:*:*:*:*:*:*:*",
> + "name": "OpenSBI",
> + "version": "@VCS_VERSION@",
> + "description": "Open Source Supervisor Binary Interface for RISC-V",
> + "authors": [
> + {
> + "name": "@VCS_AUTHORS@"
> + }
> + ],
> + "supplier": {
> + "name": "RISC-V Foundation"
> + },
> + "licenses": [
> + {
> + "license": {
> + "id": "BSD-2-Clause"
> + }
> + }
> + ],
> + "externalReferences": [
> + {
> + "type": "vcs",
> + "url": "https://github.com/riscv-software-src/opensbi"
> + }
> + ]
> + }
> + ]
> +}
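Review bot: the version placeholders in this hunk are inconsistent: `"bom-ref": "pkg:github/riscv-software-src/opensbi@@VCS_TAG@"` and the `cpe` line use `@VCS_TAG@`, while `"version": "@VCS_VERSION@"` uses a different placeholder, so unless substitution guarantees the two expand to the same string (a git tag is commonly prefixed, e.g. `v1.6` versus `1.6`), the purl and CPE will not agree with the component's declared version and consumers matching advisories by CPE will miss it; use a single placeholder for all three, or state how the two relate. Nothing in the patch performs the `@...@` substitution, so as committed `docs/sbom.cdx.json` is a template rather than valid CycloneDX, despite the `.cdx.json` name; a `.in` suffix plus the build rule that produces the real file would make that explicit. The `authors` arrays in both `metadata` and the component hold one object whose `name` is a single placeholder, so a multi-author substitution either has to emit a JSON array fragment or the template needs one object per author. Finally, no `hashes` entry is present for the built firmware, so the component cannot be tied to a concrete artifact unless the composite-SBOM tooling adds them.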
> --
> 2.47.1
>
>
> --
> opensbi mailing list
> opensbi at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/opensbi