Software Composition

Automating creation of Software Bills of Materials

Generating SPDX documents for CMake and Zephyr

February 7, 2021
3:35 PM – 3:50 PM

D.composition

Steve Winslow

A Software Bill of Materials (SBoM) can communicate details about a software package's contents, as well as the inputs and sources that were used to build it. However, SBoMs created by manual processes can often be incomplete, incorrect or out-of-date as a software package evolves. Effective use of SBoMs will typically require creating them during the build process itself using automated tooling. In this talk, I will present a proof-of-concept for generating an SPDX SBoM for CMake-based projects.

I will discuss an experiment with leveraging the CMake file-based APIs to automatically create SPDX 2.2 SBoMs. The generated SBoM includes relationships to denote which source files were used as inputs for the corresponding build artifacts. I will present this in the context of the Zephyr project, an open source RTOS for embedded systems that leverages CMake. I will briefly discuss this proof-of-concept, some early results from it and thoughts for next steps.

Additional information

Type	devroom

More sessions

2/7/21	Software Composition Analysis Devroom Welcome Software Composition Philippe Ombredanne D.composition Welcome to the Software Composition Analysis Devroom
2/7/21	OSS Review Toolkit - project update Software Composition Thomas Steenbergen D.composition In this session we will provide an update on OSS Review Toolkit (ORT) - which features have been recently added and what they ORT team is currently working on.
2/7/21	ScanCode projects update Software Composition Philippe Ombredanne D.composition This is a presentation of the latest features and updates in ScanCode toolkit.
2/7/21	FOSSology SCA integration Software Composition D.composition FOSSology focusses on license compliance analyses. Recently, a number of new features have been published by the community to integrate better with software composition analysis. The presentation shows an introduction of the main and relevant development here.
2/7/21	SCANOSS: Democratising Open Source Risk Management Software Composition Alan Facey D.composition Software Composition Analysis (SCA) tools perform source-code analysis, comparison and identification of Open Source components. Sadly, none of the SCA vendors have embraced Open Source themselves, most of their tooling consists of proprietary code and their OSS Knowledge Bases are also closed.
2/7/21	Composition analysis of Docker images and other rootfs Software Composition Philippe Ombredanne D.composition Container and VM images contain many packages and are quite a challenge for composition analysis.
2/7/21	OSS Projects Update - Concluding Q&A Software Composition D.composition The very short time is some placeholder between presentation groups to have questions being asked and answered or just simple to have a break.

FOSDEM 2021

2/6/21 – 2/7/21

Event

Hackerkonferenzen

Created by @blinkenweb 10 Follower

Channel