[PATCH 1/1] Add a SBOM template in CycloneDX format

Richard Hughes richard at hughsie.com
Mon Dec 9 08:01:42 PST 2024


On Monday, 9 December 2024 at 15:46, Jessica Clarke <jrtc27 at jrtc27.com> wrote:
> What turns this template into the actual file? And surely this isn’t
> the right templating for a list here? A set of authors is not a
> singular author’s name.

Right, agreed. The way this works now is that we do a recursive clone of all the firmware components when building either EDK II or coreboot, and then we use a tool called uswid to "find" all the SBOM components and populate the tokenized values automatically. I've written a bit about it here: https://blogs.gnome.org/hughsie/2024/11/14/firmware-sboms-for-open-source-projects/

In the case of OpenSBI the finished component looks like this:

    {
      "type": "library",
      "cpe": "cpe:2.3:a:riscv:opensbi:1.5.1:*:*:*:*:*:*:*",
      "name": "OpenSBI",
      "version": "1.5.1",
      "description": "Open Source Supervisor Binary Interface for RISC-V",
      "bom-ref": "pkg:github/riscv-software-src/opensbi@1.5.1",
      "externalReferences": [
        {
          "type": "vcs",
          "url": "https://github.com/riscv-software-src/opensbi"
        }
      ],
      "licenses": [
        {
          "license": {
            "url": "https://spdx.org/licenses/BSD-2-Clause.html",
            "id": "BSD-2-Clause"
          }
        }
      ],
      "supplier": {
        "name": "RISC-V Foundation"
      },
      "authors": [
        {
          "name": "Anup Patel, Atish Patra, Bin Meng, Samuel Holland, Xiang W, Damien Le Moal, Heinrich Schuchardt, Yu Chien Peter Lin, Himanshu Chauhan, Inochi Amaoto, Alistair Francis, Andrew Jones, Clément Léger, Mayuresh Chitale, Nikita Shubin, Vivian Wang, Rahul Pathak, Ivan Orlov, Lad Prabhakar, Jessica Clarke, Xiang Wang, Abner Chang, Ben Zong-You Xie, Guo Ren, Liu Yibin, Nylon Chen, Bo Gan, Dong Du, Olof Johansson, Daniel Schaefer, Jan Remes, Nam Cao, Nick Kossifidis"
        }
      ]
    }

Richard
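A consistency check over a generated component of this shape, as an added example that is not part of this thread or of the uswid tool; the sample record is constructed from the OpenSBI entry above (authors list shortened, bom-ref in purl form with "@") and the field names and checks are my own assumptions about what a reviewer would want flagged:

```python
import re

# Constructed sample mirroring the OpenSBI component posted in the thread,
# trimmed to the fields the checks below look at.
SAMPLE_COMPONENT = {
    "type": "library",
    "cpe": "cpe:2.3:a:riscv:opensbi:1.5.1:*:*:*:*:*:*:*",
    "name": "OpenSBI",
    "version": "1.5.1",
    "bom-ref": "pkg:github/riscv-software-src/opensbi@1.5.1",
    "authors": [{"name": "Anup Patel, Atish Patra, Bin Meng"}],
}

# purl: pkg:<type>/<namespace>/<name>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#]+@(?P<version>[^?#]+)")


def lint_component(comp: dict) -> list[str]:
    """Return the consistency problems found in one CycloneDX component."""
    problems = []
    version = comp.get("version")
    # 1. bom-ref should be a purl whose version agrees with "version"
    m = PURL_RE.match(comp.get("bom-ref", ""))
    if not m:
        problems.append("bom-ref is not a package URL (purl)")
    elif m.group("version") != version:
        problems.append(f"purl version {m.group('version')} != version {version}")
    # 2. in a CPE 2.3 string the sixth colon-separated field is the version
    parts = comp.get("cpe", "").split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        problems.append("cpe is not a well-formed CPE 2.3 string")
    elif parts[5] != version:
        problems.append(f"cpe version {parts[5]} != version {version}")
    # 3. each authors[] entry should name one person, not a comma-joined roster
    for author in comp.get("authors", []):
        if "," in author.get("name", ""):
            problems.append("authors entry holds multiple names in one string")
    return problems


if __name__ == "__main__":
    for problem in lint_component(SAMPLE_COMPONENT):
        print("WARN:", problem)
```

Run against the sample it reports only the authors problem; splitting the roster into one `{"name": ...}` object per person makes the component pass.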
