Generating software bill of materials at component level

[PragatiGarg-eaton]

I am exploring the SBOM generation feature present in the west toolchain.

• I can generate the Software bill of materials in spdx format at source file level. However, to import the same in the BlackDuck, it doesn't accept the generated output file from West, which says corrupted file.

• After digging deeper, I got the understanding the Blackduck accepts the sbom in a specific format, understands at component level and might not understand at the source level.

zephr.spdx file generated by west spdx: zephyr.spdx.json

Please suggest if there is any way to generate SBOM at the component level instead of at the source level.

Commands used to build:
build command: west spdx -d BUILD_DIR
Question: How can we generate sbom at component level instead of at source level using west toolchain?

OS: Windows

Links: https://docs.zephyrproject.org/latest/develop/west/zephyr-cmds.html#software-bill-of-materials-west-spdx
https://www.zephyrproject.org/how-to-generate-a-software-bill-of-materials-sbom-with-open-source-standards-and-tooling/
https://www.zephyrproject.org/generating-sboms-for-iot-at-build-time/

[kartben]

@tgagneret-embedded might be able to provide some insights

[yashi]

zephr.spdx file generated by west spdx: zephyr.spdx.json

I don't know what Black Duck SPDX does, but as you can see from the file above the file format West generate is not JSON.

There seems to be online converters if you search the net.

[tgagneret-embedded]

Hi @PragatiGarg-eaton ,

So if I understand you correctly you want the source files NOT to be present in the SPDX is that right ?
If so, I could add an option to west spdx to remove the source file from the output SBOM, it shouldn't be an issue (even though I need to confirm this).

For your information, I don't think the current SBOM will be useable by external tools right now. There is one PR waiting to be merged (#66495) and then modules would need to add information too.

[PragatiGarg-eaton]

So if I understand you correctly you want the source files NOT to be present in the SPDX is that right?

I am not necessarily saying that the source file should not be present in the SBOM. I am more interested in getting the SBOM at the module/component level. And if I could understand your PR correctly, it will be handling the same, right?

[tgagneret-embedded]

Looking at the zephr.spdx(.json), I understand what you are saying.

What you describe has been added to 3.6.0 (related PR: #66182). Did you use Zephyr 3.6.0 to generate your SBOM ?

[PragatiGarg-eaton]

No, I have been using zephyr 3.2.0, let me try it out with 3.6.0 once.