From 95e9d066988c67fa12e3999e59cc6b43f6ab67c3 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Mon, 9 Dec 2024 11:47:41 +0000
Subject: [PATCH] Add a SBOM template in CycloneDX format

Improve supply chain security by including a SBOM file with substituted values. This will be used to construct a composite platform SBOM.

Signed-off-by: Richard Hughes
---
 docs/sbom.cdx.json | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 docs/sbom.cdx.json

diff --git a/docs/sbom.cdx.json b/docs/sbom.cdx.json
new file mode 100644
index 0000000..0f883d8
--- /dev/null
+++ b/docs/sbom.cdx.json
@@ -0,0 +1,31 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "pkg:github/riscv-software-src/opensbi@@VCS_TAG@",
+ "cpe": "cpe:2.3:a:riscv:opensbi:@VCS_TAG@:*:*:*:*:*:*:*",
+ "name": "OpenSBI",
+ "version": "@VCS_VERSION@",
+ "description": "Open Source Supervisor Binary Interface for RISC-V",
+ "supplier": {
+ "name": "RISC-V Foundation"
+ },
+ "licenses": [
+ {
+ "license": {
+ "id": "BSD-2-Clause"
+ }
+ }
+ ],
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/riscv-software-src/opensbi"
+ }
+ ]
+ }
+ ]
+}
-- 
2.47.1
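Review bot: The component carries its package URL only in `bom-ref`, which CycloneDX treats as an opaque document-local identifier; vulnerability matching and composite-SBOM merging key on the `purl` field, so add `"purl": "pkg:github/riscv-software-src/opensbi@@VCS_TAG@",` next to the `cpe` entry. The `bom-ref` and `cpe` are filled from `@VCS_TAG@` while `version` uses `@VCS_VERSION@`; if the tag carries a prefix the plain version lacks, the CPE version column will not match the NVD dictionary, which should be checked along with the `riscv:opensbi` vendor/product pair. Because the file stays well-formed JSON when substitution does not happen, the build step that fills these placeholders should fail if any `@...@` token survives, otherwise the composite SBOM silently records a component nobody can look up. The `supplier.name` value should also be confirmed, as the organisation has been known as RISC-V International since 2020.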