Add command for generating SBOM #44

Open
MarkoSagadin opened this issue Jan 31, 2023 · 2 comments
Labels
state: confirmed This issue will be worked on. type: feature request New feature or request.

Comments

@MarkoSagadin
Collaborator

Context

One key aspect of being able to secure your software ecosystem is to know what software you are using in the first place. Various tools and approaches are commonly used to analyze software after the fact, to attempt to determine what comprises a software distribution. However, a more useful approach can be to gather and record this information at the time the software is being built, when conclusions can be made with certainty about the software being used. This information can then be conveyed in a software bill of materials (SBOM) in a shared, standardized metadata format.

West already supports a command that generates an SBOM. The required steps are described here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/scripts/west_commands/sbom/README.html

Required steps / Implementation details

  1. Go through above link and understand what it does.
  2. See if (and how) you can optimise the generation process.
  3. Implement such a command in east.

Definition of Done

Command for SBOM generation is implemented, tested and reviewed.

@MarkoSagadin MarkoSagadin self-assigned this Jan 31, 2023
@MarkoSagadin MarkoSagadin added the type: feature request New feature or request. label Jan 31, 2023
@MarkoSagadin
Collaborator Author

@SloMusti
Evaluation of current west implementation was done.

Report can be generated with west ncs-sbom command.
On a small-medium sized project this command took about 4.5 minutes.

Output was an html report with a list of all licenses used in the project. For each license it also listed all files that mention it.

It also listed files without detected license texts.

Implementation ideas for east:

  • It is easy to wrap this with east (and add some text about this taking quite long).
  • This command could be included in the East release process. It should be enabled as an extra flag (due to the time it takes). East should add this as an extra job and move the generated report to the release folder.
  • Care should be taken from which build folder the report is generated, as the output differs. It should probably be generated from some release build of an application image.
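The wrapper sketched in the comment above, written out as an added example (this is not east's own code, nor the nRF Connect SDK's): it checks that the chosen directory really is a configured build folder before running `west ncs-sbom`, times the run, moves the resulting HTML report into the release folder and records its SHA-256 so the release artefact can later be verified. The flag names `--build-dir` and `--output-html` are taken from the sbom README linked in the issue and are an assumption here; the `runner` parameter exists so the flow can be exercised without `west` installed.

```python
"""Run `west ncs-sbom` against a chosen build folder as a release step and
move the report into the release folder.

Added example, not part of the east project or the nRF Connect SDK.
Flag names `--build-dir` and `--output-html` are assumed from the
SDK's sbom README; confirm them against your SDK version.
"""
import hashlib
import shutil
import subprocess
import time
from pathlib import Path
from typing import Callable, Dict, List


def build_sbom_command(build_dir: Path, html_out: Path) -> List[str]:
    """Return the argv for `west ncs-sbom` (flag names are an assumption)."""
    return [
        "west", "ncs-sbom",
        "--build-dir", str(build_dir),
        "--output-html", str(html_out),
    ]


def check_build_dir(build_dir: Path) -> None:
    """The report depends on which build folder is used, so refuse anything
    that is not a configured CMake build tree (Zephyr builds always carry a
    CMakeCache.txt at the top of the build folder)."""
    if not (build_dir / "CMakeCache.txt").is_file():
        raise FileNotFoundError(
            f"{build_dir} is not a CMake build folder (no CMakeCache.txt)"
        )


def generate_sbom_report(
    build_dir, release_dir, runner: Callable = subprocess.run
) -> Dict[str, object]:
    """Generate the SBOM report for build_dir and move it to release_dir.

    Returns the final report path, its SHA-256 and the elapsed seconds
    (the comment above measured about 4.5 minutes on a small project,
    hence the timing).
    """
    build_dir = Path(build_dir)
    release_dir = Path(release_dir)
    check_build_dir(build_dir)
    release_dir.mkdir(parents=True, exist_ok=True)

    # Write the report next to the build first, then move it, so a failed
    # run never leaves a half-written file in the release folder.
    tmp_out = build_dir / "sbom-report.html"
    cmd = build_sbom_command(build_dir, tmp_out)
    start = time.monotonic()
    runner(cmd, check=True)  # raises CalledProcessError on non-zero exit
    elapsed = time.monotonic() - start
    if not tmp_out.is_file():
        raise RuntimeError("west ncs-sbom exited 0 but produced no report")

    final = release_dir / f"{build_dir.name}-sbom.html"
    shutil.move(str(tmp_out), str(final))
    digest = hashlib.sha256(final.read_bytes()).hexdigest()
    return {"report": final, "sha256": digest, "seconds": elapsed}


if __name__ == "__main__":
    # Usage: python sbom_step.py <build_dir> <release_dir>
    import sys
    result = generate_sbom_report(sys.argv[1], sys.argv[2])
    print(f"{result['report']}  sha256={result['sha256']}  "
          f"({result['seconds']:.0f}s)")
```

Naming the report after the build folder makes it obvious which image the SBOM describes, which matters given the comment's point that the output differs per build folder; the digest can be published alongside the release so consumers can check the report they received is the one that was generated.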

@MarkoSagadin MarkoSagadin added the state: on hold On hold due to higher priority task. label Sep 27, 2023
@MarkoSagadin
Collaborator Author

This was implemented in #92; however, I will keep this issue open for visibility, as I suspect that there will be some more work.

@MarkoSagadin MarkoSagadin added state: confirmed This issue will be worked on. and removed state: on hold On hold due to higher priority task. labels Nov 15, 2023