A Software Bill of Materials (SBoM) can communicate details about a software package's contents, as well as the inputs and sources that were used to build it. However, SBoMs created by manual processes can often be incomplete, incorrect or out-of-date as a software package evolves. Effective use of SBoMs will typically require creating them during the build process itself using automated tooling. In this talk, I will present a proof-of-concept for generating an SPDX SBoM for CMake-based projects.
I will discuss an experiment with leveraging the CMake file-based APIs to automatically create SPDX 2.2 SBoMs. The generated SBoM includes relationships to denote which source files were used as inputs for the corresponding build artifacts. I will present this in the context of the Zephyr project, an open source RTOS for embedded systems that leverages CMake. I will briefly discuss this proof-of-concept, some early results from it and thoughts for next steps.
Speakers: Steve Winslow