Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) can be generated automatically during the Android build process.

An SBOM lists all components used to build the Android image.

Generating the Software Bill of Materials

AOSP can generate an SBOM in SPDX format via a dedicated build target. It is not produced by the default Variscite build; you must explicitly request it:

$ source build/envsetup.sh
$ lunch dart_mx8mp-var_stable-userdebug
$ m sbom

After the build completes, the SBOM file is available at:

out/soong/sbom/dart_mx8mp/sbom.spdx.json
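
A quick review of the generated file, as an added example (not part of the Variscite or AOSP tooling): it loads an SPDX JSON document and reports packages that carry no version or no concluded license, the entries that are hardest to match against vulnerability and license data. It assumes the SPDX 2.x JSON field names spdxVersion, packages, versionInfo and licenseConcluded; the embedded sample is constructed, not real build output.

```python
import json
import sys

# Constructed sample in SPDX 2.x JSON layout (not real build output).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-product",
    "packages": [
        {"SPDXID": "SPDXRef-Package-a", "name": "libexample",
         "versionInfo": "1.2.3", "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-Package-b", "name": "prebuilt-blob",
         "versionInfo": "", "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-c", "name": "libother", "versionInfo": "4.0"},
    ],
})

def audit_sbom(text):
    """Return (package_count, findings) for an SPDX 2.x JSON document."""
    doc = json.loads(text)
    version = doc.get("spdxVersion", "")
    if not version.startswith("SPDX-"):
        raise ValueError("not an SPDX document: spdxVersion=%r" % version)
    findings = []
    packages = doc.get("packages", [])
    for pkg in packages:
        name = pkg.get("name", pkg.get("SPDXID", "<unnamed>"))
        # An empty or absent version cannot be matched to advisories.
        if not pkg.get("versionInfo"):
            findings.append((name, "no version"))
        # A missing field is treated the same as an explicit NOASSERTION.
        if pkg.get("licenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE"):
            findings.append((name, "no concluded license"))
    return len(packages), findings

def main(argv):
    # Pass the path to sbom.spdx.json; with no argument the sample is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SBOM
    count, findings = audit_sbom(text)
    print("%d packages, %d findings" % (count, len(findings)))
    for name, problem in findings:
        print("  %s: %s" % (name, problem))
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path shown above as the only argument; the exit status is non-zero when any package is flagged.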

Further Reading