46 changes: 46 additions & 0 deletions docs/platform_management_plan/vulnerability_management.rst
Expand Up @@ -189,6 +189,52 @@ Multiple channels are established for vulnerability identification:
* Security advisories from upstream projects and suppliers
* Community-reported issues through GitHub issue tracking

SBOM Requirements
^^^^^^^^^^^^^^^^^

SBOMs are generated for all planned platform releases per :need:`wp__sw_platform_sbom` and for all planned module
releases per :need:`wp__sw_module_sbom`, using the
`S-CORE SBOM tool <https://github.com/eclipse-score/sbom-tool>`_.
All metadata values are derived from automated sources (Bazel dependency graph,
lockfiles, and external registries) and must not be manually edited.

The following SBOM formats are supported:

.. list-table::
:header-rows: 1
:widths: 30 25 25 20

* - Format
- Current support
- Planned support
- Notes
* - SPDX
- 2.3
- 3.x
-
* - CycloneDX
- 1.6
-
-

Every generated SBOM must include the
`CISA 2025 minimum elements <https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom>`_
for each component:

* **Component name** - human-readable name of the dependency
Contributor

Are we considering to add CVEs later too?

Contributor Author

CVE will be handled by Dependabot; this is how I understand this. I've added it to the description.

* **Component version** - exact released version string used in the build
* **Component hash (SHA-256)** - integrity checksum sourced from the module lockfile
* **Software identifier (PURL)** - package URL uniquely identifying the component by ecosystem, name, and version
* **License expression** - SPDX license expression concluded for the component
* **Dependency relationships** - graph edges recording transitive dependency exposure
* **Supplier** - organisation or individual that distributes the component
* **Component description** - short summary of what the component does
* **SBOM author** - entity responsible for producing the SBOM document
* **Tool name** - name and version of the tool that generated the SBOM
* **Timestamp** - UTC timestamp recording when the SBOM was generated

CVE information for known vulnerabilities is not included in generated SBOMs, as this is handled by GitHub Dependabot.

Vulnerability Analysis
^^^^^^^^^^^^^^^^^^^^^^

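Review bot: the closing sentence "CVE information for known vulnerabilities is not included in generated SBOMs, as this is handled by GitHub Dependabot." does not say which of the component sources named earlier in the hunk (the Bazel dependency graph, lockfiles, and external registries) Dependabot actually monitors, or what the plan is for a component it does not cover; a vulnerability-management plan should state that mapping and the fallback, for example that the PURLs emitted in the SBOM are the identifiers used for any supplementary scan of uncovered components. Two smaller documentation gaps in the minimum-elements list: "**Component hash (SHA-256)** - integrity checksum sourced from the module lockfile" should name the artifact the hash covers (for example the pinned source archive rather than any built output) so a consumer knows what to recompute when verifying it, and "**License expression** - SPDX license expression concluded for the component" should say where the conclusion comes from and what is emitted when no license can be determined, since the paragraph above requires every metadata value to be derived automatically and never manually edited.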