[PATCH 1/1] Add a SBOM template in CycloneDX format
Richard Hughes
richard at hughsie.com
Mon Dec 9 08:59:29 PST 2024
On Monday, 9 December 2024 at 16:37, Jessica Clarke <jrtc27 at jrtc27.com> wrote:
> I don’t mean you have to use it that way in consumers. Just that if
> you’re adding the file to upstream projects you should do the work to
> integrate it into their build systems so others can benefit.
Adding it to the upstream build system is pointless without installing or embedding the artifact somewhere. There was a murmuring of a proposal that we could install the dist'd post-processed file in something like /usr/share/sbom but the details are still being worked on and I don't think opensbi would be terribly useful in a docker image or as an rpm anyway.
> IMO the single string field is better than this nonsense format
Okay...
> But better still would be doing the proper thing and having a list of
> author objects, so ideally extend your tooling to support the new
> format rather than pretend it doesn’t exist, and if you can’t do that
> then adopt the old format fully.
We do support multiple authors in the uSWID project, but only the SWID format and CycloneDX format >= 1.6 support it. I've attached a new patch without the authors sections, and uswid --fixup will auto-add the sections as required in the specific format.
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-a-SBOM-template-in-CycloneDX-format.patch
Type: text/x-patch
Size: 1459 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/opensbi/attachments/20241209/13d1f7f4/attachment-0001.bin>
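As an added illustration of the version split Richard describes (this is example code, not the attached patch and not uSWID's own implementation): CycloneDX 1.6 lets a component carry a list of author contact objects, while older spec versions only have the single free-text `author` string. How the names are joined into that string is this example's own convention.

```python
import json

# CycloneDX 1.6 added "authors" (a list of organizationalContact objects)
# on components and deprecated the single free-text "author" string used by
# earlier spec versions.  Added example, not uSWID's code.


def version_tuple(spec_version: str) -> tuple:
    """'1.6' -> (1, 6) so spec versions compare numerically."""
    return tuple(int(p) for p in spec_version.split("."))


def component_authors(authors: list, spec_version: str) -> dict:
    """Return the author field(s) for a component at the given specVersion.

    authors: list of {"name": ..., "email": ...} dicts (email optional).
    """
    if version_tuple(spec_version) >= (1, 6):
        # Native representation: one contact object per author.
        return {"authors": [dict(a) for a in authors]}
    # Older specs only have the free-text "author" string; joining the
    # names with ", " is this example's own convention (assumption).
    names = []
    for a in authors:
        names.append(f"{a['name']} <{a['email']}>" if a.get("email") else a["name"])
    return {"author": ", ".join(names)}


def check_author_fields(bom: dict) -> list:
    """List problems where author fields do not match the BOM's specVersion."""
    problems = []
    new_spec = version_tuple(bom["specVersion"]) >= (1, 6)
    comp = bom.get("metadata", {}).get("component", {})
    if not new_spec and "authors" in comp:
        problems.append("component.authors requires specVersion >= 1.6")
    if new_spec and "author" in comp:
        problems.append("component.author is deprecated in 1.6; use authors")
    return problems


def build_bom(spec_version: str, name: str, authors: list) -> dict:
    """Minimal CycloneDX JSON document with the version-appropriate authors."""
    comp = {"type": "firmware", "name": name}
    comp.update(component_authors(authors, spec_version))
    return {"bomFormat": "CycloneDX", "specVersion": spec_version,
            "version": 1, "metadata": {"component": comp}}


if __name__ == "__main__":
    sample = [{"name": "Alice Example", "email": "alice@example.com"},
              {"name": "Bob Example"}]  # constructed sample authors
    print(json.dumps(build_bom("1.6", "opensbi", sample), indent=2))
    print(json.dumps(build_bom("1.5", "opensbi", sample), indent=2))
```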