Skip to content

Add sbom generation description (#2232)#2672

Merged
PandaeDo merged 1 commit intoeclipse-score:mainfrom
Lukasz-Juranek:feat/issue-2232-sbom-init
Mar 11, 2026
Merged

Add sbom generation description (#2232)#2672
PandaeDo merged 1 commit intoeclipse-score:mainfrom
Lukasz-Juranek:feat/issue-2232-sbom-init

Conversation

@Lukasz-Juranek
Copy link
Contributor

@Lukasz-Juranek Lukasz-Juranek commented Mar 10, 2026
edited
Loading

Documentation for SBOM tooling added in eclipse-score/sbom-tool#1

@github-actions
Copy link

github-actions bot commented Mar 10, 2026

⚠️ Docs-as-Code version mismatch detected
Please check the CI build logs for details and align the documentation version with the Bazel dependency.

@Lukasz-Juranek Lukasz-Juranek mentioned this pull request Mar 10, 2026
Merged
@github-actions
Copy link

github-actions bot commented Mar 10, 2026

The created documentation from the pull request is available at: docu-html

masc2023
masc2023 reviewed Mar 11, 2026
View reviewed changes
docs/platform_management_plan/vulnerability_management.rst Outdated
SBOM Requirements
^^^^^^^^^^^^^^^^^

SBOMs are generated for all planned releases per :need:`wp__sw_platform_sbom` in SPDX 2.3 and CycloneDX 1.6 formats
Copy link
Contributor

@masc2023 masc2023 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have also Module SBOMs, https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workproducts.html#wp__sw_module_sbom,
thus also for all planned Module releases the SBOM shall be generated too.

Copy link
Contributor Author

@Lukasz-Juranek Lukasz-Juranek Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

docs/platform_management_plan/vulnerability_management.rst Outdated
SBOM Requirements
^^^^^^^^^^^^^^^^^

SBOMs are generated for all planned releases per :need:`wp__sw_platform_sbom` in SPDX 2.3 and CycloneDX 1.6 formats
Copy link
Contributor

@masc2023 masc2023 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the Formats we may add a table, showing current support version and future, e.g. SPDX 2.3, indicating future support 3.x?

Copy link
Contributor Author

@Lukasz-Juranek Lukasz-Juranek Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

docs/platform_management_plan/vulnerability_management.rst Outdated
^^^^^^^^^^^^^^^^^

SBOMs are generated for all planned releases per :need:`wp__sw_platform_sbom` in SPDX 2.3 and CycloneDX 1.6 formats
using the S-CORE SBOM tooling. All metadata values are derived from automated sources (Bazel dependency graph,
Copy link
Contributor

@masc2023 masc2023 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May add link to to the tool repo?

Copy link
Contributor Author

@Lukasz-Juranek Lukasz-Juranek Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

docs/platform_management_plan/vulnerability_management.rst Outdated
using the S-CORE SBOM tooling. All metadata values are derived from automated sources (Bazel dependency graph,
lockfiles, and external registries) and must not be manually edited.

Every generated SBOM must include the CISA 2025 minimum elements for each component:
Copy link
Contributor

@masc2023 masc2023 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May add link to the public available documentation where we got the information from

Copy link
Contributor Author

@Lukasz-Juranek Lukasz-Juranek Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

docs/platform_management_plan/vulnerability_management.rst

Every generated SBOM must include the CISA 2025 minimum elements for each component:

* **Component name** - human-readable name of the dependency
Copy link
Contributor

@masc2023 masc2023 Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we considering to add CVEs later too?

Copy link
Contributor Author

@Lukasz-Juranek Lukasz-Juranek Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CVE will be handled by dependabot this is how i undersatand this i've added it to description

@Lukasz-Juranek Lukasz-Juranek force-pushed the feat/issue-2232-sbom-init branch from 439436a to acbb1cc Compare March 11, 2026 09:40
@masc2023 masc2023 marked this pull request as ready for review March 11, 2026 10:01
PandaeDo
PandaeDo approved these changes Mar 11, 2026
View reviewed changes
Copy link
Contributor

@PandaeDo PandaeDo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@PandaeDo PandaeDo merged commit 6886745 into eclipse-score:main Mar 11, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@masc2023 masc2023 masc2023 approved these changes

@PandaeDo PandaeDo PandaeDo approved these changes

@pahmann pahmann Awaiting requested review from pahmann pahmann is a code owner

@aschemmel-tech aschemmel-tech Awaiting requested review from aschemmel-tech aschemmel-tech is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Lukasz-Juranek @masc2023 @PandaeDo