[PATCH 1/1] Add a SBOM template in CycloneDX format

Jessica Clarke jrtc27 at jrtc27.com
Mon Dec 9 08:12:09 PST 2024


On 9 Dec 2024, at 16:01, Richard Hughes <richard at hughsie.com> wrote:
> 
> On Monday, 9 December 2024 at 15:46, Jessica Clarke <jrtc27 at jrtc27.com> wrote:
>> What turns this template into the actual file? And surely this isn’t
>> the right templating for a list here? A set of authors is not a
>> singular author’s name.
> 
> Right, agreed. The way this works now is that we do a recursive clone of all the firmware components when building either EDK II or coreboot, and then we use a tool called uswid to "find" all the SBOM components and populate the tokenized values automatically. I've written a bit about it here: https://blogs.gnome.org/hughsie/2024/11/14/firmware-sboms-for-open-source-projects/

Should that not be part of the upstream build process for each project?

> In the case of OpenSBI the finished component looks like this:
> 
>    {
>      "type": "library",
>      "cpe": "cpe:2.3:a:riscv:opensbi:1.5.1:*:*:*:*:*:*:*",
>      "name": "OpenSBI",
>      "version": "1.5.1",
>      "description": "Open Source Supervisor Binary Interface for RISC-V",
>      "bom-ref": "pkg:github/riscv-software-src/opensbi@1.5.1",
>      "externalReferences": [
>        {
>          "type": "vcs",
>          "url": "https://github.com/riscv-software-src/opensbi"
>        }
>      ],
>      "licenses": [
>        {
>          "license": {
>            "url": "https://spdx.org/licenses/BSD-2-Clause.html",
>            "id": "BSD-2-Clause"
>          }
>        }
>      ],
>      "supplier": {
>        "name": "RISC-V Foundation"
>      },
>      "authors": [
>        {
>          "name": "Anup Patel, Atish Patra, Bin Meng, Samuel Holland, Xiang W, Damien Le Moal, Heinrich Schuchardt, Yu Chien Peter Lin, Himanshu Chauhan, Inochi Amaoto, Alistair Francis, Andrew Jones, Clément Léger, Mayuresh Chitale, Nikita Shubin, Vivian Wang, Rahul Pathak, Ivan Orlov, Lad Prabhakar, Jessica Clarke, Xiang Wang, Abner Chang, Ben Zong-You Xie, Guo Ren, Liu Yibin, Nylon Chen, Bo Gan, Dong Du, Olof Johansson, Daniel Schaefer, Jan Remes, Nam Cao, Nick Kossifidis"
>        }
>      ]

Should this not be:

"authors": [
  { "name": "Anup Patel" },
  { "name": "Atish Patra" },
  ...
]

?

Otherwise why is there the outer list? (But just having JSON that’s a
comma-separated string wouldn’t exactly be great, so removing the outer
list isn’t a real solution).

Jess

>    }
> 
> Richard
> 
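The shape question raised above (one organizationalContact per person versus one contact whose name is a comma-joined string) is something a consumer can check mechanically. The Python below is an added example written for this page; it is not part of uswid, OpenSBI, or either poster's tooling. The sample component is constructed by hand from the one shown in the thread and trimmed to three names; the checks assume CycloneDX 1.6's `authors` array of contacts (1.6 deprecates the single-string `author`) and a versioned purl in `bom-ref`, and the function names are this example's own.

```python
"""Check a CycloneDX component's "authors" entries and split a
comma-joined name into one contact per person.

Added example for the thread above; not uswid or project code."""
import copy
import json
import re

# Constructed sample: the thread's component, trimmed to three names.
SAMPLE_COMPONENT_JSON = """
{
  "type": "library",
  "cpe": "cpe:2.3:a:riscv:opensbi:1.5.1:*:*:*:*:*:*:*",
  "name": "OpenSBI",
  "version": "1.5.1",
  "bom-ref": "pkg:github/riscv-software-src/opensbi@1.5.1",
  "supplier": {"name": "RISC-V Foundation"},
  "authors": [
    {"name": "Anup Patel, Atish Patra, Bin Meng"}
  ]
}
"""

# Minimal purl shape: pkg:<type>/<namespace-or-name...>@<version>
PURL_RE = re.compile(r"^pkg:[A-Za-z0-9.+-]+/[^@?#]+@[^?#]+$")


def load_sample():
    """Parse the constructed sample component."""
    return json.loads(SAMPLE_COMPONENT_JSON)


def find_joined_authors(component):
    """Indices of 'authors' entries whose single 'name' contains a comma,
    i.e. several people packed into one contact."""
    hits = []
    for idx, contact in enumerate(component.get("authors", [])):
        if "," in contact.get("name", ""):
            hits.append(idx)
    return hits


def split_joined_authors(component):
    """Return a deep copy in which each comma-joined entry is expanded
    into one contact per person. Other keys on the joined entry (e.g.
    email) are dropped rather than copied onto every person, since they
    cannot be attributed to any one of them. The input is not modified."""
    fixed = copy.deepcopy(component)
    if "authors" not in fixed:
        return fixed
    expanded = []
    for contact in fixed["authors"]:
        name = contact.get("name", "")
        if "," not in name:
            expanded.append(contact)
            continue
        for part in name.split(","):
            part = part.strip()
            if part:  # skip blanks from trailing or doubled commas
                expanded.append({"name": part})
    fixed["authors"] = expanded
    return fixed


def check_component(component):
    """Return human-readable findings; an empty list means the examined
    fields look right."""
    findings = []
    ref = component.get("bom-ref", "")
    if not PURL_RE.match(ref):
        findings.append(f"bom-ref is not a versioned purl: {ref!r}")
    if "author" in component:
        findings.append("'author' string is the pre-1.6 form; use 'authors'")
    for idx in find_joined_authors(component):
        findings.append(f"authors[{idx}] packs several names into one contact")
    return findings


def main():
    component = load_sample()
    for finding in check_component(component):
        print("finding:", finding)
    fixed = split_joined_authors(component)
    print(json.dumps(fixed["authors"], indent=2))
    print("after split:", check_component(fixed))


if __name__ == "__main__":
    main()
```

The split is deliberately conservative: it only acts on the `name` string and never fabricates per-person email or phone fields from a joined entry, because the original record gives no way to tell whose they are. Run against the sample, the check reports the packed `authors[0]`, the split yields three separate contacts, and a second check comes back clean.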



