Automating creation of Software Bills of Materials
Generating SPDX documents for CMake and Zephyr
- Track: Software Composition devroom
- Room: D.composition
- Day: Sunday
- Start: 15:35
- End: 15:50
A Software Bill of Materials (SBoM) can communicate details about a software package's contents, as well as the inputs and sources that were used to build it. However, SBoMs created by manual processes can often be incomplete, incorrect or out-of-date as a software package evolves. Effective use of SBoMs will typically require creating them during the build process itself using automated tooling. In this talk, I will present a proof-of-concept for generating an SPDX SBoM for CMake-based projects.
I will discuss an experiment with leveraging the CMake file-based APIs to automatically create SPDX 2.2 SBoMs. The generated SBoM includes relationships to denote which source files were used as inputs for the corresponding build artifacts. I will present this in the context of the Zephyr project, an open source RTOS for embedded systems that leverages CMake. I will briefly discuss this proof-of-concept, some early results from it and thoughts for next steps.
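The following is an added example, not the talk's proof-of-concept or Zephyr code, of the mechanism described above: read a CMake file API target reply (the `target-*.json` files CMake writes under `.cmake/api/v1/reply/` when a `codemodel-v2` query is present) and emit an SPDX 2.2 tag-value document in which each build artifact carries a `GENERATED_FROM` relationship to every source file of its target. The target JSON and the file contents are constructed stand-ins so that the SHA1 checksums SPDX 2.2 requires on every File entry can be computed offline; the tool name and document namespace are placeholders.

```python
"""Added example: CMake file API target reply -> SPDX 2.2 tag-value SBOM.

Not the talk's code.  TARGET_JSON mirrors the shape of a
.cmake/api/v1/reply/target-*.json reply; FILE_CONTENTS is invented so the
mandatory per-file SHA1 checksums can be computed without a real checkout.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed stand-in for one codemodel-v2 target reply.
TARGET_JSON = json.dumps({
    "name": "zephyr",
    "type": "STATIC_LIBRARY",
    "artifacts": [{"path": "zephyr/libzephyr.a"}],
    "sources": [
        {"path": "kernel/thread.c"},
        {"path": "kernel/sched.c"},
        {"path": "include/zephyr/kernel.h"},
    ],
})

# Constructed file contents, keyed by path, so checksums are reproducible.
FILE_CONTENTS = {
    "kernel/thread.c": b"int z_thread_init(void) { return 0; }\n",
    "kernel/sched.c": b"void z_sched(void) {}\n",
    "include/zephyr/kernel.h": b"int z_thread_init(void);\n",
    "zephyr/libzephyr.a": b"!<arch>\n",
}


def spdx_id(path: str) -> str:
    """SPDX identifiers may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-File-" + re.sub(r"[^A-Za-z0-9.-]", "-", path)


def sha1_hex(data: bytes) -> str:
    """SHA1 is the one checksum algorithm SPDX 2.2 mandates for File entries."""
    return hashlib.sha1(data).hexdigest()


def file_block(path: str, data: bytes) -> list:
    """Tag-value lines for one SPDX File, with NOASSERTION for license fields."""
    return [
        f"FileName: ./{path}",
        f"SPDXID: {spdx_id(path)}",
        f"FileChecksum: SHA1: {sha1_hex(data)}",
        "LicenseConcluded: NOASSERTION",
        "LicenseInfoInFile: NOASSERTION",
        "FileCopyrightText: NOASSERTION",
        "",
    ]


def build_sbom(target_json: str, contents: dict, created: str = None) -> str:
    """Emit an SPDX 2.2 document: one File per source and artifact, plus a
    GENERATED_FROM relationship from each artifact to each source input."""
    target = json.loads(target_json)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: build-{target['name']}",
        # Placeholder namespace; a real tool would use a unique URI per build.
        f"DocumentNamespace: http://example.invalid/spdx/build-{target['name']}",
        "Creator: Tool: cmake-fileapi-spdx-example",  # hypothetical tool name
        f"Created: {created}",
        "",
    ]
    sources = [s["path"] for s in target["sources"]]
    artifacts = [a["path"] for a in target.get("artifacts", [])]
    for path in sources + artifacts:
        lines += file_block(path, contents[path])
    for art in artifacts:
        for src in sources:
            lines.append(f"Relationship: {spdx_id(art)} GENERATED_FROM {spdx_id(src)}")
    return "\n".join(lines) + "\n"


def relationships(sbom: str) -> list:
    """Return only the Relationship lines of a tag-value document."""
    return [line for line in sbom.splitlines() if line.startswith("Relationship:")]


if __name__ == "__main__":
    print(build_sbom(TARGET_JSON, FILE_CONTENTS))
```

In a real build the same loop would run over every `target-*.json` listed in the codemodel reply, and the checksums would be computed over the files in the source and build trees; the relationships are what let a consumer check, after the fact, that a shipped artifact was built only from the sources the SBOM claims.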
Speakers
Steve Winslow