
Add an SBOM file in CycloneDX format #4

Merged: 1 commit merged, Nov 18, 2024

Conversation

@hughsie (Contributor) commented Nov 15, 2024

Hi,

My name is Richard Hughes and I'm a developer at Red Hat. I'm the maintainer of fwupd and LVFS, and am trying to improve software supply chain security by encouraging OEMs, ODMs and IBVs to ship a Software Bill of Materials (SBOM) with each firmware binary blob.

I'm working alongside lots of other companies proactively trying to do the right thing. The reason I've opened this pull request is because pylibfdt is either used in the build process of a firmware we care about (e.g. EDK II, or coreboot) or is built into the firmware binary itself. Although my personal focus is on firmware, the SBOM file is in CycloneDX format (one of the most popular industry standards) which makes it also useful when building containers or OS images too.

I would like to contribute this template SBOM file into your project that gets included into source control with substituted values that get populated automatically. I'm not super familiar with pylibfdt, and so I've done my best populating the project values -- but please point out any that are incorrect and I'll fix them up. I've also put the sbom.cdx.json file in what I feel is the right place, but please say if you want me to put it somewhere different or name it a different thing; the directory and sbom prefix are unimportant. I think this file makes sense here rather than moving it up to libfdt as this is what the IBVs seem to be using.

I've written a bit more about this proposal here https://blogs.gnome.org/hughsie/2024/11/14/firmware-sboms-for-open-source-projects/ and there's also lot more information about firmware SBOMs here: https://lvfs.readthedocs.io/en/latest/sbom.html – many thanks for your time.

@robherring (Member) commented

Are you sure you want this here rather than upstream dtc and I can copy it in from there?

This repo only exists for the purpose of packaging pylibfdt for pypi. AFAIK, EDK and coreboot use libfdt in the firmware itself, but those should come directly from dtc and not this repo. I'm pretty sure that should be the case as their use predates the existence of this repo. I don't know whether it is used in the build process, but pylibfdt could come from pypi or the distro. Is this SBOM going to go into every distro's build?

@hughsie (Contributor, Author) commented Nov 15, 2024

Hey Rob. I wasn't sure -- I'm happy to defer to what you think is best. I guess if you're okay to copy from the upstream dtc that's fine for me -- it's this repo the IBVs seem to be using to build EDK II which might be slightly mad, but the reality in the field so to speak :)

The SBOM is only used at build time, we do a recursive scan on *.cdx.json on the exploded firmware source tree.

What would be an appropriate way to push this file up into upstream dtc please? Thanks.

@robherring (Member) commented

> What would be an appropriate way to push this file up into upstream dtc please? Thanks.

Send a patch to [email protected]. Or looks like David will take PRs here: https://github.com/dgibson/dtc (Though the "official" dtc repo is on kernel.org)

@hughsie (Contributor, Author) commented Nov 16, 2024

Done! dgibson/dtc#156 -- thanks for the reply.

Improve supply chain security by including an SBOM file with substituted values.

This will be used to construct a composite platform SBOM.

Signed-off-by: Richard Hughes <[email protected]>
@hughsie (Contributor, Author) commented Nov 18, 2024

David merged this into dgibson/dtc and I've updated this PR to match what we upstreamed there. I think it still makes sense to merge here too if that's okay with you. Thanks.

@robherring robherring merged commit 7251764 into devicetree-org:main Nov 18, 2024
1 check passed
@hughsie (Contributor, Author) commented Nov 18, 2024

Thanks Rob!

@hughsie hughsie deleted the hughsie/sbom branch November 18, 2024 13:08