Commit acbb1cc

Add sbom generation description (#2232)
1 parent cb3438f commit acbb1cc

1 file changed

+46
-0
lines changed

docs/platform_management_plan/vulnerability_management.rst

Lines changed: 46 additions & 0 deletions
@@ -189,6 +189,52 @@ Multiple channels are established for vulnerability identification:
189189
* Security advisories from upstream projects and suppliers
190190
* Community-reported issues through GitHub issue tracking
191191

192+
SBOM Requirements
193+
^^^^^^^^^^^^^^^^^
194+
195+
SBOMs are generated for all planned platform releases per :need:`wp__sw_platform_sbom` and for all planned module
196+
releases per :need:`wp__sw_module_sbom`, using the
197+
`S-CORE SBOM tool <https://github.com/eclipse-score/sbom-tool>`_.
198+
All metadata values are derived from automated sources (Bazel dependency graph,
199+
lockfiles, and external registries) and must not be manually edited.
200+
201+
The following SBOM formats are supported:
202+
203+
.. list-table::
204+
:header-rows: 1
205+
:widths: 30 25 25 20
206+
207+
* - Format
208+
- Current support
209+
- Planned support
210+
- Notes
211+
* - SPDX
212+
- 2.3
213+
- 3.x
214+
-
215+
* - CycloneDX
216+
- 1.6
217+
-
218+
-
219+
220+
Every generated SBOM must include the
221+
`CISA 2025 minimum elements <https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom>`_
222+
for each component:
223+
224+
* **Component name** - human-readable name of the dependency
225+
* **Component version** - exact released version string used in the build
226+
* **Component hash (SHA-256)** - integrity checksum sourced from the module lockfile
227+
* **Software identifier (PURL)** - package URL uniquely identifying the component by ecosystem, name, and version
228+
* **License expression** - SPDX license expression concluded for the component
229+
* **Dependency relationships** - graph edges recording transitive dependency exposure
230+
* **Supplier** - organisation or individual that distributes the component
231+
* **Component description** - short summary of what the component does
232+
* **SBOM author** - entity responsible for producing the SBOM document
233+
* **Tool name** - name and version of the tool that generated the SBOM
234+
* **Timestamp** - UTC timestamp recording when the SBOM was generated
235+
236+
CVE information for known vulnerabilities is not included in generated SBOMs, as this is handled by GitHub Dependabot.
237+
192238
Vulnerability Analysis
193239
^^^^^^^^^^^^^^^^^^^^^^
194240

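Review bot: The "minimum elements" list (lines 224-234) does not say what the generator emits when an element cannot be derived automatically, which matters because line 199 forbids manual editing. The "Component hash (SHA-256)" entry is "sourced from the module lockfile", yet line 198 also names the Bazel dependency graph and external registries as sources, so a component that is not pinned in a lockfile has no stated hash source; "Supplier" and "License expression" likewise have no stated fallback. Suggest adding one sentence per element (or a short note after the list) giving the fallback, e.g. "If a value cannot be determined automatically, the field is populated with the format's no-assertion value and the build step fails for hash", so readers know whether a missing element blocks the release. Two smaller points: the "must not be manually edited" rule on line 199 would read better with a reference to how it is enforced (for example, the SBOM is regenerated and compared in CI), and the empty "Planned support" and "Notes" cells for CycloneDX (lines 216-218) should either state "none" or be filled in so the table does not look truncated.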