SBOM
Introduction
The term “software supply chain” covers all the tools and pieces of code used to build and publish a piece of software. Keeping track of this supply chain matters for both security and legal reasons. One way redpesk contributes to this goal is by providing Software Bills of Materials (SBOMs).
An SBOM lists the components of a software artifact, mainly the other software components it is made of. A couple of different standards exist to write SBOM documents, notably SPDX and CycloneDX.
SBOMs in redpesk factory
As of the Armel 1.8 release, the redpesk factory can generate an SPDX SBOM document for each image build (provided that the build was successful). Once generated, the document appears in the result files of the image build; it is named spdx.json. A preview of the file is also available under the “LOGS” tab.
That file uses the SPDX 2.3 format, which is thoroughly detailed in The Software Package Data Exchange® (SPDX®) Specification Version 2.3. It is a flexible data format that can represent a list of software components and the relationships between them. We have chosen to list the RPM packages installed in the associated image build, and the RPM repositories they belong to.
The repositories appear first in the packages list of the file (there are usually 4 or 5 of them), followed by all the packages. The relationships list then establishes the link between packages and repositories, each package belonging to one repo.
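As an added example (not part of the redpesk documentation or tooling), the script below reads an SPDX 2.3 JSON document laid out as just described, groups each RPM package under its repository, and flags any package that has no repository relationship. The sample document is constructed here; the package names, versions and the CONTAINS relationship type and direction are assumptions, since the page does not state which relationship type the factory emits.

```python
import json
from collections import defaultdict

# Constructed SPDX 2.3 JSON sample: repository entries first in "packages",
# then RPM packages, and one relationship per package tying it to a repo.
# Names, versions and the CONTAINS type/direction are assumptions.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "my-image",
    "packages": [
        {"SPDXID": "SPDXRef-repo-base", "name": "repo-base"},
        {"SPDXID": "SPDXRef-repo-extra", "name": "repo-extra"},
        {"SPDXID": "SPDXRef-pkg-bash", "name": "bash", "versionInfo": "5.1.8-1"},
        {"SPDXID": "SPDXRef-pkg-openssl", "name": "openssl", "versionInfo": "3.0.7-2"},
        {"SPDXID": "SPDXRef-pkg-orphan", "name": "orphan", "versionInfo": "1.0-1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-repo-base"},
        {"spdxElementId": "SPDXRef-repo-base", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-pkg-bash"},
        {"spdxElementId": "SPDXRef-repo-extra", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-pkg-openssl"},
    ],
})


def index_sbom(spdx_text):
    """Return (packages_by_repo, unlinked) for an SPDX 2.3 JSON document.

    Only relationships whose both ends are "packages" entries are considered;
    the source side of such a relationship is treated as a repository and the
    target side as an RPM package. Packages that end up with no repository
    link are reported so a reviewer can spot gaps in the generated SBOM.
    """
    doc = json.loads(spdx_text)
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    rels = [r for r in doc.get("relationships", [])
            if r["spdxElementId"] in by_id and r["relatedSpdxElement"] in by_id]
    repo_ids = {r["spdxElementId"] for r in rels}
    packages_by_repo, linked = defaultdict(list), set()
    for rel in rels:
        pkg = by_id[rel["relatedSpdxElement"]]
        label = f'{pkg["name"]}-{pkg.get("versionInfo", "?")}'
        packages_by_repo[by_id[rel["spdxElementId"]]["name"]].append(label)
        linked.add(pkg["SPDXID"])
    unlinked = [p["name"] for sid, p in by_id.items()
                if sid not in repo_ids and sid not in linked]
    return dict(packages_by_repo), unlinked
```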
SBOM generation
The SBOM document is automatically generated at the end of a successful image build. There are two cases where, even though the image build is successful, the spdx.json file does not appear in the files list:
- If the image build predates the update of that redpesk factory instance to Armel 1.8.
- If there was an issue in the SBOM generation process.
In the former case, refer to the next section to launch the SBOM generation process manually. In the latter case, please contact an IoT.bzh staff member, who will look into the problem.
Manually generating an image build SBOM
It is possible to manually run the SBOM generation for a given image using rp-cli.
Below is the command to run, ‘my-image’ being the slug of the image for which the SBOM should be generated.
rp-cli images builds sbom my-image
Next release
Work is underway to better integrate SBOM generation in the web interface of the redpesk factory. It is also planned to generate a document listing the CVEs which apply to the software included in an image. All of that should be available in the next feature release of the factory.