[Buildroot] CycloneDX SBOM support
Michael Nosthoff
buildroot at heine.tech
Mon Aug 28 11:38:36 UTC 2023
Hi,
> On 28. Aug 2023, at 08:00, Peter Korsgaard <peter at korsgaard.com> wrote:
>
>>>>>> "Robert" == Robert Smigielski <ptdropper at gmail.com> writes:
>
> Hi,
>
>> Announcing CycloneDX support for the embedded / IOT / MIOT world. Using
>> your Buildroot output, my project produces CycloneDX SBOM files for supply
>> chain management and vulnerability management. I am a long time Buildroot
>> user now in the device security space. Glad to provide CycloneDX SBOM
>> support for Buildroot users.
>
>> https://github.com/CycloneDX/cyclonedx-buildroot
>
>> https://pypi.org/project/CycloneDX-Buildroot/
I’m just returning from vacation so it will take some days but I will happily try this out.
I recently built my own show-info to cyclone-dx python script but from skimming through
your package this looks way better than mine.
So without further checking already: thanks for taking on this task!
>
> Thanks! I think I have seen it earlier, where I noticed that it only
> worked on the legal-info manifest - But we have quite a bit more
> SBOM-related info in Buildroot nowadays visible in show-info. I see that
> you are now also using this info for the CPE data, so that is good.
>
> So what is the status of this project? Anything missing? Anything you
> are missing from Buildroot? What (open source) tools can consume the
> generated SBOMs and do something interesting with it?
There are multiple tools which can work with the cyclone-dx format and from what
I’m reading this might become the “de-facto SBOM standard”.
What we are currently evaluating is Dependency-Track (https://dependencytrack.org/).
It's not perfect, but it checks your SBOM frequently for new issues and generates
management-friendly dashboard views. In the end this is pretty new for most of us, I guess.
Regards,
Michael
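Both the quoted question about using show-info for CPE data and Michael's mention of a show-info to CycloneDX script describe the same conversion. The script below is an added example written for this thread; it is not code from cyclonedx-buildroot and not Michael's script. It assumes (from memory of the format, so treat the field names as an assumption) that `make show-info` emits a JSON object keyed by package name whose values carry "type", "version", "licenses", an optional "cpe-id" and "dependencies"; the sample input is constructed, including one deliberately stale CPE version, to exercise the two data-quality checks a scanner such as Dependency-Track would otherwise silently suffer from: components with no CPE at all, and CPEs whose version field disagrees with the package version.

```python
"""Buildroot `make show-info` JSON -> CycloneDX 1.5 JSON BOM (added example).

Not code from cyclonedx-buildroot. Assumption: show-info is a JSON object
keyed by package name with "type" ("target"/"host"/...), "version",
"licenses", optional "cpe-id" and "dependencies" fields.
"""
import json

# A CPE 2.3 formatted string has 13 colon-separated fields; index 5 is the version.
CPE23_FIELDS = 13
CPE23_VERSION_INDEX = 5

# Constructed sample shaped like `make show-info` output (not a real build).
# zlib's CPE deliberately carries an older version than the package to show the check.
SHOW_INFO_SAMPLE = json.dumps({
    "busybox": {"type": "target", "version": "1.36.1", "licenses": "GPL-2.0",
                "cpe-id": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*",
                "dependencies": ["host-skeleton", "skeleton", "toolchain"]},
    "zlib": {"type": "target", "version": "1.3", "licenses": "Zlib",
             "cpe-id": "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*",
             "dependencies": ["toolchain"]},
    "dropbear": {"type": "target", "version": "2022.83", "licenses": "MIT, BSD-2-Clause",
                 "dependencies": ["zlib", "toolchain"]},
    "skeleton": {"type": "target", "version": "", "licenses": "", "dependencies": []},
    "toolchain": {"type": "target", "version": "", "licenses": "", "dependencies": []},
    "host-skeleton": {"type": "host", "version": "", "licenses": "", "dependencies": []},
})


def load_show_info(text):
    """Parse the show-info JSON text into a dict keyed by package name."""
    return json.loads(text)


def to_component(name, info):
    """Map one show-info entry to a CycloneDX component object."""
    comp = {"type": "library", "bom-ref": name, "name": name,
            "version": info.get("version", "")}
    if info.get("cpe-id"):
        comp["cpe"] = info["cpe-id"]
    # Buildroot license strings are comma-separated and not guaranteed to be
    # SPDX ids, so emit them as free-form "name" entries rather than "id".
    names = [lic.strip() for lic in info.get("licenses", "").split(",") if lic.strip()]
    if names:
        comp["licenses"] = [{"license": {"name": n}} for n in names]
    return comp


def build_bom(show_info, include_host=False):
    """Build a CycloneDX 1.5 BOM. Host packages are build tooling, not shipped
    on the device, so they are left out unless include_host is set."""
    kinds = {"target", "host"} if include_host else {"target"}
    wanted = sorted(n for n, i in show_info.items() if i.get("type") in kinds)
    components = [to_component(n, show_info[n]) for n in wanted]
    dependencies = [
        {"ref": n,
         "dependsOn": sorted(d for d in show_info[n].get("dependencies", []) if d in wanted)}
        for n in wanted
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "dependencies": dependencies}


def components_without_cpe(bom):
    """Versioned components with no CPE: a scanner cannot match these to CVEs.
    Virtual/meta packages with an empty version are skipped as noise."""
    return [c["name"] for c in bom["components"] if c["version"] and "cpe" not in c]


def cpe_version_mismatches(bom):
    """Components whose CPE is malformed or whose CPE version field differs
    from the package version (a stale CPE yields wrong vulnerability matches)."""
    bad = []
    for c in bom["components"]:
        cpe = c.get("cpe")
        if not cpe:
            continue
        parts = cpe.split(":")
        if len(parts) != CPE23_FIELDS or parts[CPE23_VERSION_INDEX] != c["version"]:
            bad.append(c["name"])
    return bad


if __name__ == "__main__":
    bom = build_bom(load_show_info(SHOW_INFO_SAMPLE))
    print(json.dumps(bom, indent=2))
    print("no CPE:", components_without_cpe(bom))
    print("CPE/version mismatch:", cpe_version_mismatches(bom))
```

Run it against a real dump with `make show-info > show-info.json` and feed the file contents to `load_show_info`; the two check functions are the part worth keeping in CI, since an SBOM that imports cleanly into Dependency-Track but has no or stale identifiers gives a green dashboard for the wrong reasons.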