[PATCH v3 00/14] Add SPDX SBOM generation tool

Luis Augenstein posted 14 patches 1 week, 4 days ago
.gitignore                                    |   1 +
MAINTAINERS                                   |   6 +
Makefile                                      |  15 +-
tools/Makefile                                |   3 +-
tools/sbom/Makefile                           |  43 ++
tools/sbom/README                             | 207 ++++++
tools/sbom/sbom.py                            | 129 ++++
tools/sbom/sbom/__init__.py                   |   0
tools/sbom/sbom/cmd_graph/__init__.py         |   7 +
tools/sbom/sbom/cmd_graph/cmd_file.py         | 149 ++++
tools/sbom/sbom/cmd_graph/cmd_graph.py        |  46 ++
tools/sbom/sbom/cmd_graph/cmd_graph_node.py   | 142 ++++
tools/sbom/sbom/cmd_graph/deps_parser.py      |  52 ++
.../sbom/cmd_graph/hardcoded_dependencies.py  |  83 +++
tools/sbom/sbom/cmd_graph/incbin_parser.py    |  42 ++
tools/sbom/sbom/cmd_graph/savedcmd_parser.py  | 664 ++++++++++++++++++
tools/sbom/sbom/config.py                     | 335 +++++++++
tools/sbom/sbom/environment.py                | 164 +++++
tools/sbom/sbom/path_utils.py                 |  11 +
tools/sbom/sbom/sbom_logging.py               |  88 +++
tools/sbom/sbom/spdx/__init__.py              |   7 +
tools/sbom/sbom/spdx/build.py                 |  17 +
tools/sbom/sbom/spdx/core.py                  | 182 +++++
tools/sbom/sbom/spdx/serialization.py         |  56 ++
tools/sbom/sbom/spdx/simplelicensing.py       |  20 +
tools/sbom/sbom/spdx/software.py              |  71 ++
tools/sbom/sbom/spdx/spdxId.py                |  36 +
tools/sbom/sbom/spdx_graph/__init__.py        |   7 +
.../sbom/sbom/spdx_graph/build_spdx_graphs.py |  82 +++
tools/sbom/sbom/spdx_graph/kernel_file.py     | 310 ++++++++
.../sbom/spdx_graph/shared_spdx_elements.py   |  32 +
.../sbom/sbom/spdx_graph/spdx_build_graph.py  | 317 +++++++++
.../sbom/sbom/spdx_graph/spdx_graph_model.py  |  36 +
.../sbom/sbom/spdx_graph/spdx_output_graph.py | 188 +++++
.../sbom/sbom/spdx_graph/spdx_source_graph.py | 126 ++++
tools/sbom/tests/__init__.py                  |   0
tools/sbom/tests/cmd_graph/__init__.py        |   0
.../tests/cmd_graph/test_savedcmd_parser.py   | 383 ++++++++++
tools/sbom/tests/spdx_graph/__init__.py       |   0
.../sbom/tests/spdx_graph/test_kernel_file.py |  32 +
40 files changed, 4086 insertions(+), 3 deletions(-)
create mode 100644 tools/sbom/Makefile
create mode 100644 tools/sbom/README
create mode 100644 tools/sbom/sbom.py
create mode 100644 tools/sbom/sbom/__init__.py
create mode 100644 tools/sbom/sbom/cmd_graph/__init__.py
create mode 100644 tools/sbom/sbom/cmd_graph/cmd_file.py
create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph.py
create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph_node.py
create mode 100644 tools/sbom/sbom/cmd_graph/deps_parser.py
create mode 100644 tools/sbom/sbom/cmd_graph/hardcoded_dependencies.py
create mode 100644 tools/sbom/sbom/cmd_graph/incbin_parser.py
create mode 100644 tools/sbom/sbom/cmd_graph/savedcmd_parser.py
create mode 100644 tools/sbom/sbom/config.py
create mode 100644 tools/sbom/sbom/environment.py
create mode 100644 tools/sbom/sbom/path_utils.py
create mode 100644 tools/sbom/sbom/sbom_logging.py
create mode 100644 tools/sbom/sbom/spdx/__init__.py
create mode 100644 tools/sbom/sbom/spdx/build.py
create mode 100644 tools/sbom/sbom/spdx/core.py
create mode 100644 tools/sbom/sbom/spdx/serialization.py
create mode 100644 tools/sbom/sbom/spdx/simplelicensing.py
create mode 100644 tools/sbom/sbom/spdx/software.py
create mode 100644 tools/sbom/sbom/spdx/spdxId.py
create mode 100644 tools/sbom/sbom/spdx_graph/__init__.py
create mode 100644 tools/sbom/sbom/spdx_graph/build_spdx_graphs.py
create mode 100644 tools/sbom/sbom/spdx_graph/kernel_file.py
create mode 100644 tools/sbom/sbom/spdx_graph/shared_spdx_elements.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_build_graph.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_graph_model.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_output_graph.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_source_graph.py
create mode 100644 tools/sbom/tests/__init__.py
create mode 100644 tools/sbom/tests/cmd_graph/__init__.py
create mode 100644 tools/sbom/tests/cmd_graph/test_savedcmd_parser.py
create mode 100644 tools/sbom/tests/spdx_graph/__init__.py
create mode 100644 tools/sbom/tests/spdx_graph/test_kernel_file.py
[PATCH v3 00/14] Add SPDX SBOM generation tool
Posted by Luis Augenstein 1 week, 4 days ago
This patch series introduces a Python-based tool for generating SBOM
documents in the SPDX 3.0.1 format for kernel builds.

A Software Bill of Materials (SBOM) describes the individual components
of a software product. For the kernel, the goal is to describe the
distributable build outputs (typically the kernel image and modules),
the source files involved in producing these outputs, and the build
process that connects the source and output files.

To achieve this, the SBOM tool generates three SPDX documents:

- sbom-output.spdx.json
  Describes the final build outputs together with high-level
  build metadata.

- sbom-source.spdx.json
  Describes all source files involved in the build, including
  licensing information and additional file metadata.

- sbom-build.spdx.json
  Describes the entire build process, linking source files
  from the source SBOM to output files in the output SBOM.

The `make sbom` target allows the SBOM tool to be run after all build
artifacts have been generated. Starting from the kernel image and
kernel modules as root nodes, the tool reconstructs the build
dependency graph up to the original source files. Build dependencies
are primarily derived from the `.cmd` files generated by Kbuild, which
record the full command used to build each output file.

Currently, the tool supports only the x86 and arm64 architectures.

Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
---
Changes in v3:
- Suppress make message "Nothing to be done" if sbom does not need to be
  regenerated
- Remove CONFIG_SBOM. Instead, introduce dedicated `make sbom` target to
  invoke the tool
---
Luis Augenstein (14):
  tools/sbom: integrate tool in make process
  tools/sbom: setup sbom logging
  tools/sbom: add command parsers
  tools/sbom: add cmd graph generation
  tools/sbom: add additional dependency sources for cmd graph
  tools/sbom: add SPDX classes
  tools/sbom: add JSON-LD serialization
  tools/sbom: add shared SPDX elements
  tools/sbom: collect file metadata
  tools/sbom: add SPDX output graph
  tools/sbom: add SPDX source graph
  tools/sbom: add SPDX build graph
  tools/sbom: add unit tests for command parsers
  tools/sbom: add unit tests for SPDX-License-Identifier parsing

 .gitignore                                    |   1 +
 MAINTAINERS                                   |   6 +
 Makefile                                      |  15 +-
 tools/Makefile                                |   3 +-
 tools/sbom/Makefile                           |  43 ++
 tools/sbom/README                             | 207 ++++++
 tools/sbom/sbom.py                            | 129 ++++
 tools/sbom/sbom/__init__.py                   |   0
 tools/sbom/sbom/cmd_graph/__init__.py         |   7 +
 tools/sbom/sbom/cmd_graph/cmd_file.py         | 149 ++++
 tools/sbom/sbom/cmd_graph/cmd_graph.py        |  46 ++
 tools/sbom/sbom/cmd_graph/cmd_graph_node.py   | 142 ++++
 tools/sbom/sbom/cmd_graph/deps_parser.py      |  52 ++
 .../sbom/cmd_graph/hardcoded_dependencies.py  |  83 +++
 tools/sbom/sbom/cmd_graph/incbin_parser.py    |  42 ++
 tools/sbom/sbom/cmd_graph/savedcmd_parser.py  | 664 ++++++++++++++++++
 tools/sbom/sbom/config.py                     | 335 +++++++++
 tools/sbom/sbom/environment.py                | 164 +++++
 tools/sbom/sbom/path_utils.py                 |  11 +
 tools/sbom/sbom/sbom_logging.py               |  88 +++
 tools/sbom/sbom/spdx/__init__.py              |   7 +
 tools/sbom/sbom/spdx/build.py                 |  17 +
 tools/sbom/sbom/spdx/core.py                  | 182 +++++
 tools/sbom/sbom/spdx/serialization.py         |  56 ++
 tools/sbom/sbom/spdx/simplelicensing.py       |  20 +
 tools/sbom/sbom/spdx/software.py              |  71 ++
 tools/sbom/sbom/spdx/spdxId.py                |  36 +
 tools/sbom/sbom/spdx_graph/__init__.py        |   7 +
 .../sbom/sbom/spdx_graph/build_spdx_graphs.py |  82 +++
 tools/sbom/sbom/spdx_graph/kernel_file.py     | 310 ++++++++
 .../sbom/spdx_graph/shared_spdx_elements.py   |  32 +
 .../sbom/sbom/spdx_graph/spdx_build_graph.py  | 317 +++++++++
 .../sbom/sbom/spdx_graph/spdx_graph_model.py  |  36 +
 .../sbom/sbom/spdx_graph/spdx_output_graph.py | 188 +++++
 .../sbom/sbom/spdx_graph/spdx_source_graph.py | 126 ++++
 tools/sbom/tests/__init__.py                  |   0
 tools/sbom/tests/cmd_graph/__init__.py        |   0
 .../tests/cmd_graph/test_savedcmd_parser.py   | 383 ++++++++++
 tools/sbom/tests/spdx_graph/__init__.py       |   0
 .../sbom/tests/spdx_graph/test_kernel_file.py |  32 +
 40 files changed, 4086 insertions(+), 3 deletions(-)
 create mode 100644 tools/sbom/Makefile
 create mode 100644 tools/sbom/README
 create mode 100644 tools/sbom/sbom.py
 create mode 100644 tools/sbom/sbom/__init__.py
 create mode 100644 tools/sbom/sbom/cmd_graph/__init__.py
 create mode 100644 tools/sbom/sbom/cmd_graph/cmd_file.py
 create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph.py
 create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph_node.py
 create mode 100644 tools/sbom/sbom/cmd_graph/deps_parser.py
 create mode 100644 tools/sbom/sbom/cmd_graph/hardcoded_dependencies.py
 create mode 100644 tools/sbom/sbom/cmd_graph/incbin_parser.py
 create mode 100644 tools/sbom/sbom/cmd_graph/savedcmd_parser.py
 create mode 100644 tools/sbom/sbom/config.py
 create mode 100644 tools/sbom/sbom/environment.py
 create mode 100644 tools/sbom/sbom/path_utils.py
 create mode 100644 tools/sbom/sbom/sbom_logging.py
 create mode 100644 tools/sbom/sbom/spdx/__init__.py
 create mode 100644 tools/sbom/sbom/spdx/build.py
 create mode 100644 tools/sbom/sbom/spdx/core.py
 create mode 100644 tools/sbom/sbom/spdx/serialization.py
 create mode 100644 tools/sbom/sbom/spdx/simplelicensing.py
 create mode 100644 tools/sbom/sbom/spdx/software.py
 create mode 100644 tools/sbom/sbom/spdx/spdxId.py
 create mode 100644 tools/sbom/sbom/spdx_graph/__init__.py
 create mode 100644 tools/sbom/sbom/spdx_graph/build_spdx_graphs.py
 create mode 100644 tools/sbom/sbom/spdx_graph/kernel_file.py
 create mode 100644 tools/sbom/sbom/spdx_graph/shared_spdx_elements.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_build_graph.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_graph_model.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_output_graph.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_source_graph.py
 create mode 100644 tools/sbom/tests/__init__.py
 create mode 100644 tools/sbom/tests/cmd_graph/__init__.py
 create mode 100644 tools/sbom/tests/cmd_graph/test_savedcmd_parser.py
 create mode 100644 tools/sbom/tests/spdx_graph/__init__.py
 create mode 100644 tools/sbom/tests/spdx_graph/test_kernel_file.py

-- 
2.34.1