
Software Bill of Material (SBOM)

This page describes how to use a tool called debsbom to generate a Software Bill of Materials (SBOM) for your Debian image. Please also refer to the debsbom documentation.

debsbom works with a root filesystem. This means that you can execute the tool

  • after the build process has finished, directly with the build output (recommended)
  • on the running target

debsbom uses the metadata that the Debian package management system installs alongside each package.

Installation of debsbom

The following steps need to be executed to install debsbom.

# python3 -m venv --system-site-packages debsbom
# source debsbom/bin/activate
(debsbom) # pip3 install debsbom[cdx,spdx,download]
Collecting debsbom[cdx,download,spdx]
  Downloading debsbom-0.7.1-py3-none-any.whl (96 kB)
...

Running debsbom

When running debsbom on the build output

The bdebstrap build process provides the root image only as a tarball, so you first have to extract the rootfs to a temporary directory:

# mkdir /tmp/rootfs/
# sudo tar xf build/am62-bookworm-09.02.01.010_var01/tisdk-am62-bookworm-variscite-am62xx-var-som-rootfs.tar.xz -C /tmp/rootfs
# source debsbom/bin/activate
(debsbom) # debsbom --progress generate -t spdx -o sbom --distro-arch=arm64 --root /tmp/rootfs/tisdk-am62-bookworm-variscite-am62xx-var-som-rootfs/

When executing directly from the target

root@am62x-var-som:~# source debsbom/bin/activate
(debsbom) root@am62x-var-som:~# debsbom --progress generate -t spdx -o sbom --distro-arch=arm64
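Whichever way the SBOM was produced, it is worth confirming that it actually covers every package dpkg reports as installed before the document is handed on. The following Python script is an added example, not part of debsbom or of the commands above. It assumes that debsbom's `-t spdx` output is an SPDX 2.x JSON document whose `packages` entries carry `name` and `versionInfo` (pass whatever file `-o sbom` produced), and it compares those entries against `/var/lib/dpkg/status` in the rootfs. The embedded status text and SPDX document are constructed samples so the script also runs with no arguments.

```python
"""Check that an SPDX JSON SBOM covers every package dpkg has installed.

Added example, not part of debsbom. Assumes the SBOM is an SPDX 2.x JSON
document (as debsbom writes with `-t spdx`) whose `packages` entries carry
`name` and `versionInfo`.
"""
import json
import sys
from pathlib import Path


def parse_dpkg_status(text: str) -> dict[str, str]:
    """Return {package: version} for every stanza dpkg marks as installed."""
    installed: dict[str, str] = {}
    for stanza in text.strip().split("\n\n"):
        fields: dict[str, str] = {}
        for line in stanza.splitlines():
            # Continuation lines (indented, e.g. the long Description) carry no field.
            if line[:1].isspace() or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        # Status looks like "install ok installed"; skip removed or
        # "config-files" leftovers, which ship no files into the image.
        if fields.get("Status", "").split()[-1:] == ["installed"]:
            installed[fields["Package"]] = fields["Version"]
    return installed


def spdx_packages(doc: dict) -> set[tuple[str, str]]:
    """Return {(name, version)} for every package element in the SPDX document."""
    return {(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])}


def missing_from_sbom(status_text: str, spdx_doc: dict) -> list[tuple[str, str]]:
    """Installed (name, version) pairs that have no matching SPDX package."""
    present = spdx_packages(spdx_doc)
    return sorted(
        (name, version)
        for name, version in parse_dpkg_status(status_text).items()
        if (name, version) not in present
    )


# Constructed sample data, not real build output.
SAMPLE_STATUS = """\
Package: libc6
Status: install ok installed
Version: 2.36-9+deb12u4
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: openssl
Status: install ok installed
Version: 3.0.11-1~deb12u2

Package: oldtool
Status: deinstall ok config-files
Version: 1.0-1
"""

SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "libc6", "versionInfo": "2.36-9+deb12u4"}],
}


def main(argv: list[str]) -> int:
    if len(argv) == 3:
        status_text = (Path(argv[1]) / "var/lib/dpkg/status").read_text()
        spdx_doc = json.loads(Path(argv[2]).read_text())
    else:
        status_text, spdx_doc = SAMPLE_STATUS, SAMPLE_SPDX
    missing = missing_from_sbom(status_text, spdx_doc)
    for name, version in missing:
        print(f"not in SBOM: {name} {version}")
    return 1 if missing else 0


if __name__ == "__main__":
    # usage: check_sbom.py <rootfs-dir> <sbom.spdx.json>   (no args: run on the samples)
    sys.exit(main(sys.argv))
```

For the build-output case, the rootfs directory is the same path that was given to `--root` above. A non-zero exit means at least one installed package has no SPDX entry with the same name and version; if debsbom happens to record versions in a different convention, those packages will be reported too, so inspect the output rather than failing the build blindly.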

Limitations of SBOM generation with debsbom

The debsbom tool can only track packages that were installed with the Debian package management tool. Anything added to the root filesystem at a later stage, outside the package manager, is not included in the SBOM.
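Because of this limitation, a practitioner will want to know what the SBOM silently leaves out. The script below is an added example, not part of debsbom or of this page's original commands: it reads the file lists dpkg keeps in `var/lib/dpkg/info/*.list` and walks the rootfs to report every file that no installed package claims. The tiny rootfs it builds in a temporary directory (one tracked binary plus two stray files) is a constructed fixture used when the script is run without arguments.

```python
"""List files in a Debian rootfs that no dpkg package claims.

Added example, not part of debsbom. Anything reported here was placed in the
image outside the package manager and therefore cannot appear in the SBOM.
"""
import os
import sys
import tempfile
from pathlib import Path

# dpkg's own database and apt caches are runtime state, not shipped content.
IGNORE_PREFIXES = ("var/lib/dpkg/", "var/lib/apt/", "var/cache/apt/")


def dpkg_owned_paths(root: Path) -> set[str]:
    """Every path recorded in var/lib/dpkg/info/*.list, relative to root."""
    owned: set[str] = set()
    for lst in (root / "var/lib/dpkg/info").glob("*.list"):
        for line in lst.read_text(errors="replace").splitlines():
            line = line.strip()
            if line and line != "/.":
                owned.add(line.lstrip("/"))
    return owned


def untracked_files(root: Path) -> list[str]:
    """Files and symlinks under root that appear in no package's file list."""
    owned = dpkg_owned_paths(root)
    stray: list[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = str((Path(dirpath) / name).relative_to(root))
            if rel.startswith(IGNORE_PREFIXES) or rel in owned:
                continue
            stray.append(rel)
    return sorted(stray)


def build_constructed_rootfs(base: Path) -> None:
    """Constructed fixture: one dpkg-tracked binary plus two files added afterwards."""
    for d in ("var/lib/dpkg/info", "usr/bin", "usr/local/bin", "opt/vendor"):
        (base / d).mkdir(parents=True)
    (base / "usr/bin/tracked").write_text("#!/bin/sh\n")
    (base / "var/lib/dpkg/info/tracked.list").write_text(
        "/.\n/usr\n/usr/bin\n/usr/bin/tracked\n"
    )
    (base / "var/lib/dpkg/status").write_text(
        "Package: tracked\nStatus: install ok installed\nVersion: 1.0\n"
    )
    # Neither of these went through dpkg, so debsbom will not see them.
    (base / "usr/local/bin/helper").write_text("#!/bin/sh\necho post-build helper\n")
    (base / "opt/vendor/blob.bin").write_bytes(b"\x7fELF" + b"\x00" * 12)


def demo() -> list[str]:
    """Run the check against the constructed fixture in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_rootfs(root)
        return untracked_files(root)


if __name__ == "__main__":
    # usage: untracked.py <rootfs-dir>   (no argument: run on the constructed fixture)
    result = untracked_files(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for path in result:
        print("not owned by any package:", path)
```

On a real image, pass the same directory that was given to `--root` above (with the same privileges used to extract it). Expect some legitimate hits that are not SBOM gaps: files generated by maintainer scripts rather than shipped in a package, such as `/etc/ld.so.cache`, `/etc/alternatives` symlinks or Python `__pycache__` directories. Everything else in the list, typically content copied in by a post-build hook or a vendor tarball, needs its own inventory entry if the SBOM is to be complete.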