[PATCH 1/1] Add a SBOM template in CycloneDX format

Richard Hughes richard at hughsie.com
Mon Dec 9 08:27:20 PST 2024


On Monday, 9 December 2024 at 16:12, Jessica Clarke <jrtc27 at jrtc27.com> wrote:
>> then we use a tool called uswid to "find" all the SBOM components and populate the tokenized values automatically
> Should that not be part of the upstream build process for each project?

For coreboot, we could do that -- i.e. we'd build libpng, libhwbase (and any other deps) *then* coreboot -- and so it's perfectly fine to do this in the upstream build system. There's an example using meson in fwupd: https://github.com/fwupd/fwupd/blob/main/contrib/meson.build#L15 -- although I'd advise not doing this at this point.

For EDK II the upstream submodule build system typically isn't used at all, and so we can't rely on the subproject cmake/scons/whatever generating the post-processed file which we can absorb as part of the firmware build. Shipping the template seems a pragmatic first step, and means the open source software appears accurately on the SBOM HTML page of the OEM "binary" firmware.

> > "authors": [
> > {
> > "name": "Anup Patel, Atish Patra, Bin Meng, Samuel Holland, Xiang W, Damien Le Moal, Heinrich Schuchardt, Yu Chien Peter Lin, Himanshu Chauhan, Inochi Amaoto, Alistair Francis, Andrew Jones, Clément Léger, Mayuresh Chitale, Nikita Shubin, Vivian Wang, Rahul Pathak, Ivan Orlov, Lad Prabhakar, Jessica Clarke, Xiang Wang, Abner Chang, Ben Zong-You Xie, Guo Ren, Liu Yibin, Nylon Chen, Bo Gan, Dong Du, Olof Johansson, Daniel Schaefer, Jan Remes, Nam Cao, Nick Kossifidis"
> > }
> > ]
> Should this not be:
> "authors": [
> { "name": "Anup Patel" },
> { "name": "Atish Patra" },
> ...
> ]

It certainly *could* be. We didn't do it like this as CycloneDX < v1.6 had just a single string field for the author (and SPDX is just the same), and we wanted to maintain compatibility between the different formats. If this is a blocker for inclusion let me know and I'll write some code in uswid to accept either style.

Richard.
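The thread turns on two representations of the same information: the single author string that CycloneDX before v1.6 (and SPDX) use, and the per-person `authors` array that v1.6 introduced, with the template sitting in between (an `authors` array holding one comma-joined string). The following is an added example, not code from uswid, coreboot, EDK II or OpenSBI, showing how a consumer can accept any of the three shapes and convert between them. The component dicts are constructed samples; the function names and the comma-splitting rule are assumptions of this example.

```python
"""Normalise CycloneDX component author information across schema styles.

Added example (not uswid code). It assumes three input shapes discussed in
the thread:
  * pre-1.6 style: a single "author" string, possibly comma separated
  * 1.6 style:     "authors": [{"name": "..."}, ...]
  * the template's hybrid: "authors": [{"name": "A, B, C"}]
"""
import json


def split_names(value):
    """Split a comma-separated author string into trimmed names.

    Assumption: commas only separate people. A name that itself contains a
    comma (e.g. "Smith, Jr.") would be split incorrectly by this rule.
    """
    return [n.strip() for n in value.split(",") if n.strip()]


def component_authors(component):
    """Return a flat, de-duplicated list of author names for one component.

    Accepts the 1.6 'authors' array, the older 'author' string, or both;
    entries inside 'authors' may themselves be comma-separated strings.
    """
    names = []
    authors = component.get("authors")
    if isinstance(authors, list):
        for entry in authors:
            # organizationalContact objects carry the name under "name";
            # tolerate bare strings as well
            name = entry.get("name", "") if isinstance(entry, dict) else str(entry)
            names.extend(split_names(name))
    legacy = component.get("author")
    if isinstance(legacy, str):
        names.extend(split_names(legacy))
    # de-duplicate while preserving the original order
    seen = set()
    result = []
    for n in names:
        if n not in seen:
            seen.add(n)
            result.append(n)
    return result


def to_cdx16_authors(names):
    """Emit the CycloneDX 1.6 'authors' array form, one object per person."""
    return [{"name": n} for n in names]


def to_legacy_author(names):
    """Emit the pre-1.6 single-string form (the shape SPDX-style fields need)."""
    return ", ".join(names)


# Constructed sample in the template's hybrid style
SAMPLE_HYBRID = json.loads("""
{
  "type": "library",
  "name": "opensbi",
  "authors": [ { "name": "Anup Patel, Atish Patra, Bin Meng" } ]
}
""")

# Constructed sample in the pre-1.6 single-string style
SAMPLE_LEGACY = {"type": "library", "name": "libpng",
                 "author": "Alice Example, Bob Example"}

# Constructed sample in the 1.6 per-person array style
SAMPLE_16 = {"type": "library", "name": "libhwbase",
             "authors": [{"name": "Alice Example"}, {"name": "Bob Example"}]}


if __name__ == "__main__":
    for comp in (SAMPLE_HYBRID, SAMPLE_LEGACY, SAMPLE_16):
        names = component_authors(comp)
        print(comp["name"], names)
        print("  1.6 form:   ", json.dumps(to_cdx16_authors(names)))
        print("  legacy form:", to_legacy_author(names))
```

Reading through a single normalised list and re-emitting in whichever form the target schema needs keeps the template format-agnostic, which is the compatibility goal the reply describes; the only loss is for names that legitimately contain commas, which the 1.6 array form represents unambiguously and the string form cannot.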



