Software Bill of Materials (SBOM)
This page describes how to use the debsbom tool to generate a Software Bill of Materials for your Debian image. Please also refer to the debsbom documentation.
debsbom works with a root filesystem. This means that you can execute the tool
- after the build process has finished, directly with the build output (recommended)
- on the running target
debsbom reads the package metadata that the Debian package management system (dpkg) keeps inside the root filesystem.
Installation of debsbom
The following steps need to be executed to install debsbom.
python3 -m venv --system-site-packages debsbom
source debsbom/bin/activate
pip3 install "debsbom[cdx,spdx,download]"
Running debsbom
When running debsbom on the build output
The bdebstrap build process provides the root image only as a tarball, so you will have to extract the rootfs to a temporary directory:
mkdir /tmp/rootfs/
sudo tar xf build/am62-bookworm-09.02.01.010_var01/tisdk-am62-bookworm-variscite-am62xx-var-som-rootfs.tar.xz -C /tmp/rootfs
source debsbom/bin/activate
debsbom --progress generate -t spdx -o sbom --distro-arch=arm64 --root /tmp/rootfs/tisdk-am62-bookworm-variscite-am62xx-var-som-rootfs/
When executing directly from the target
Limitations of SBOM generation with debsbom
debsbom can only track packages that were installed through the Debian package management tool. Anything added to the root filesystem by other means (for example files copied in after package installation) does not appear in the generated SBOM.
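The limitation above can be checked on the extracted rootfs: every file that dpkg knows about is listed in /var/lib/dpkg/info/*.list, so files under common install locations that appear in no .list file are exactly the content debsbom will not report. The script below is an added example, not part of debsbom or of this image's build; the set of directories it scans (SCAN_DIRS) and the sample rootfs it constructs are assumptions for illustration.

```python
"""Find files in an extracted Debian rootfs that no dpkg package owns.

Added example (not debsbom code): debsbom only reports packages known to
dpkg, so anything copied into the rootfs afterwards is missing from the
SBOM. This scans dpkg's per-package .list files to surface such files.
"""
import tempfile
from pathlib import Path

# Assumption: directories where non-packaged content is usually dropped.
SCAN_DIRS = ("usr/bin", "usr/lib", "usr/local", "opt")


def dpkg_owned_files(root):
    """Collect every path recorded in /var/lib/dpkg/info/*.list."""
    owned = set()
    for lst in (root / "var/lib/dpkg/info").glob("*.list"):
        for line in lst.read_text().splitlines():
            if line.startswith("/"):
                owned.add(line.rstrip("/") or "/")
    return owned


def unowned_files(root, scan_dirs=SCAN_DIRS):
    """Return regular files under scan_dirs that no package lists, sorted."""
    owned = dpkg_owned_files(root)
    found = []
    for sub in scan_dirs:
        base = root / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            rel = "/" + p.relative_to(root).as_posix()
            if p.is_file() and rel not in owned:
                found.append(rel)
    return sorted(found)


def build_sample_rootfs():
    """Constructed sample: one dpkg-owned binary plus one vendor-copied blob."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "var/lib/dpkg/info").mkdir(parents=True)
    (root / "usr/bin").mkdir(parents=True)
    (root / "opt/vendor").mkdir(parents=True)
    (root / "var/lib/dpkg/info/coreutils.list").write_text(
        "/.\n/usr\n/usr/bin\n/usr/bin/ls\n")
    (root / "usr/bin/ls").write_bytes(b"\x7fELF")            # owned by coreutils
    (root / "opt/vendor/firmware.bin").write_bytes(b"\0" * 16)  # not from any .deb
    return root


if __name__ == "__main__":
    for f in unowned_files(build_sample_rootfs()):
        print("not covered by the SBOM:", f)
```

Point `unowned_files` at the real extraction directory (e.g. the `--root` path used above) to list what needs to be documented outside the debsbom output.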