
Software Bill of Material (SBOM)

This page describes how to use the debsbom tool to generate a Software Bill of Materials (SBOM) for your Debian image. Please also refer to the debsbom documentation.

debsbom works with a root filesystem. This means that you can execute the tool

  • after the build process has finished, directly with the build output (recommended)
  • on the running target

debsbom uses the metadata that is installed as part of the Debian package management system (dpkg).

Installation of debsbom

The following steps need to be executed to install debsbom.

# python3 -m venv --system-site-packages debsbom
# source debsbom/bin/activate
(debsbom) # pip3 install debsbom[cdx,spdx,download]
Collecting debsbom[cdx,download,spdx]
  Downloading debsbom-0.7.1-py3-none-any.whl (96 kB)
...

Running debsbom

When executing from the build output from within the Docker container:

[root@fbdebian flexbuild]$ source debsbom/bin/activate
(debsbom) [root@fbdebian flexbuild]$ debsbom --progress generate -t spdx -o sbom --distro-arch=arm64 --root build_lsdk2412/rfs/rootfs_lsdk2412_debian_desktop_arm64

Info

Replace _desktop_ with _server_ if you have built the server image.

When executing directly on the target:

root@imx91-var-som:~# source debsbom/bin/activate
(debsbom) root@imx91-var-som:~# debsbom --progress generate -t spdx -o sbom --distro-arch=arm64

Limitations of SBOM generation with debsbom

The debsbom tool can only track packages that were installed with the Debian package management tool. Everything that is compiled during build time (and not simply downloaded from a Debian server) is not part of that SBOM.

You can easily see these extra files if you browse the build output folder:

ls build_lsdk2412/
apps  bsp  firmware  images  linux  rfs

This folder contains the following components:

  • apps: application data that is also installed to the root filesystem. This is not part of the generated SBOM.
  • bsp: BSP-specific firmware and components. These are not part of the generated SBOM.
  • firmware: extra firmware items. These are not part of the generated SBOM.
  • images: This folder contains the root filesystem in image format, so that it can be flashed to SD cards.
  • linux: The Linux kernel and kernel-related artifacts. These are not part of the generated SBOM.
  • rfs: The extracted root filesystem. This contains both the files that were added as part of the Debian package management installation as well as the components from the other folders.

In order to get a complete SBOM, you have to manually add and track the components in the apps, bsp, firmware and linux folders.
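The practical question the limitation above raises is which files in the root filesystem the generated SBOM does not cover. The following script is an added example, not part of the original page and not debsbom's own code: it lists the regular files under a rootfs that no dpkg package claims, by comparing the filesystem against the per-package file lists in /var/lib/dpkg/info/*.list. The demo rootfs it builds (package names, file paths) is constructed for illustration; point it at a real extracted rootfs such as the rfs output directory to see the build-time components that need manual tracking.

```shell
#!/bin/sh
# Added example (not from the original page or from debsbom): find files in a
# dpkg-based root filesystem that no installed package owns. These are the
# build-time additions (apps, bsp, firmware, linux output) missing from the SBOM.
LC_ALL=C; export LC_ALL   # stable sort order for sort/comm

# unowned_files ROOT
# Prints paths (relative to ROOT) of regular files not listed in any
# ROOT/var/lib/dpkg/info/*.list file.
unowned_files() {
    root="${1%/}"
    info="$root/var/lib/dpkg/info"
    [ -d "$info" ] || { echo "no dpkg database under $root" >&2; return 1; }
    owned=$(mktemp)
    # Each package's .list holds absolute paths; merge them into one sorted set.
    cat "$info"/*.list 2>/dev/null | sort -u > "$owned"
    # Walk the rootfs, strip the ROOT prefix, keep only paths dpkg does not own.
    # The dpkg database itself is skipped: it is metadata, not shipped content.
    find "$root" -type f ! -path "$root/var/lib/dpkg/*" \
        | sed "s|^$root||" | sort -u \
        | comm -23 - "$owned"
    rm -f "$owned"
}

# make_demo_rootfs DIR: constructed sample rootfs so the script runs stand-alone.
make_demo_rootfs() {
    d="$1"
    mkdir -p "$d/var/lib/dpkg/info" "$d/usr/bin" "$d/lib/firmware" "$d/boot"
    # Two files declared by (constructed) package lists, i.e. covered by the SBOM.
    printf '/usr/bin/dpkg-owned\n' > "$d/var/lib/dpkg/info/coreutils.list"
    printf '/lib/firmware/packaged.bin\n' > "$d/var/lib/dpkg/info/firmware-misc.list"
    : > "$d/usr/bin/dpkg-owned"
    : > "$d/lib/firmware/packaged.bin"
    # Files copied in at build time without dpkg, i.e. not covered by the SBOM.
    : > "$d/usr/bin/custom-app"
    : > "$d/lib/firmware/vendor-blob.bin"
    : > "$d/boot/Image"
}

# Usage: sh unowned.sh --demo            (run against the constructed rootfs)
#        sh unowned.sh /path/to/rootfs   (run against a real extracted rootfs)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_rootfs "$demo"
    unowned_files "$demo"
    rm -rf "$demo"
elif [ -n "${1:-}" ]; then
    unowned_files "$1"
fi
```

Against the demo rootfs the script prints /boot/Image, /lib/firmware/vendor-blob.bin and /usr/bin/custom-app, while the two dpkg-owned files are omitted. On a real image the output is the starting list of components to add to the SBOM by hand; conffiles that dpkg created from templates and files generated at runtime will also appear and have to be triaged.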