For organizations adopting a Software Bill of Materials (SBOM) to gain transparency into their software components, whether for license compliance, vulnerability management or securing the software supply chain, a proposed patch series for the Linux kernel would add an SPDX SBOM generation tool to the kernel tree.
German consulting firm TNG Tech has been developing the tool, a Python script in the kernel source tree that generates SBOM documents in the SPDX 3.0.1 format for a kernel build, describing the kernel image and modules that were built. The patch series describes it as follows:
“A Software Bill of Materials (SBOM) describes the individual components of a software product. For the kernel, the goal is to describe the distributable build outputs (typically the kernel image and modules), the source files involved in producing these outputs, and the build process that connects the source and output files.
To achieve this, the SBOM tool generates three SPDX documents:
– sbom-output.spdx.json
Describes the final build outputs together with high-level build metadata.
– sbom-source.spdx.json
Describes all source files involved in the build, including licensing information and additional file metadata.
– sbom-build.spdx.json
Describes the entire build process, linking source files from the source SBOM to output files in the output SBOM.
The sbom tool is optional and runs only when CONFIG_SBOM is enabled. It is invoked after the build, once all output artifacts have been generated. Starting from the kernel image and modules as root nodes, the tool reconstructs the dependency graph up to the original source files. Build dependencies are primarily derived from the .cmd files generated by Kbuild, which record the full command used to build each output file.”
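The graph reconstruction described above, as an added example that is not code from the kernel's SBOM tool or from TNG Tech: it walks from root outputs (here a single module) to the `.cmd` file Kbuild writes beside each output, reads the `source_`/`deps_` variables for compile steps, and treats anything without a `.cmd` file as a source file. The `.cmd` layout mirrors the `savedcmd_`/`source_`/`deps_` variables Kbuild records (older trees use `cmd_` instead of `savedcmd_`), but the file contents, paths and commands are constructed for this example, and the rule that a link step's inputs are the object operands of its command is an assumption, not the tool's logic.

```python
# Added example: reconstruct a build-dependency graph from Kbuild .cmd files.
import posixpath
import re
from collections import deque

# Constructed sample .cmd files, keyed by path (Kbuild writes dir/.name.cmd for dir/name).
# Layout mirrors the savedcmd_/source_/deps_ variables Kbuild records; contents are invented.
SAMPLE_CMD_FILES = {
    "drivers/foo/.foo.ko.cmd":
        "savedcmd_drivers/foo/foo.ko := ld -r -o drivers/foo/foo.ko drivers/foo/foo.o drivers/foo/foo.mod.o\n",
    "drivers/foo/.foo.o.cmd": (
        "savedcmd_drivers/foo/foo.o := gcc -Wp,-MMD,drivers/foo/.foo.o.d -c -o drivers/foo/foo.o drivers/foo/foo.c\n\n"
        "source_drivers/foo/foo.o := drivers/foo/foo.c\n\n"
        "deps_drivers/foo/foo.o := \\\n"
        "    $(wildcard include/config/FOO) \\\n"
        "  include/linux/module.h \\\n"
        "  drivers/foo/foo.h \\\n\n"
        "drivers/foo/foo.o: $(deps_drivers/foo/foo.o)\n\n"
        "$(deps_drivers/foo/foo.o):\n"
    ),
    "drivers/foo/.foo.mod.o.cmd": (
        "savedcmd_drivers/foo/foo.mod.o := gcc -c -o drivers/foo/foo.mod.o drivers/foo/foo.mod.c\n\n"
        "source_drivers/foo/foo.mod.o := drivers/foo/foo.mod.c\n\n"
        "deps_drivers/foo/foo.mod.o := \\\n"
        "  include/linux/module.h \\\n\n"
    ),
}

# savedcmd_ (current Kbuild) or cmd_ (older trees), plus the source_ and deps_ variables.
VAR_RE = re.compile(r"^(savedcmd|cmd|source|deps)_(\S+) :=\s*(.*)$")
ARTIFACT_RE = re.compile(r"\.(o|a|ko)$")


def cmd_file_for(target):
    """Path of the .cmd file Kbuild writes next to a build output."""
    return posixpath.join(posixpath.dirname(target), "." + posixpath.basename(target) + ".cmd")


def parse_cmd_file(text):
    """Return (target, command, source, deps) recorded in one .cmd file."""
    target = command = source = None
    deps = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = VAR_RE.match(lines[i])
        i += 1
        if not m:
            continue
        kind, tgt, value = m.groups()
        target = target or tgt
        if kind in ("savedcmd", "cmd"):
            command = value
        elif kind == "source":
            source = value.strip()
        elif kind == "deps":
            # Continuation lines follow until a blank line; each ends in a backslash.
            while i < len(lines) and lines[i].strip():
                dep = lines[i].strip().rstrip("\\").strip()
                i += 1
                # $(wildcard include/config/...) entries are Kconfig change triggers, not files.
                if dep and not dep.startswith("$(wildcard"):
                    deps.append(dep)
    return target, command, source, deps


def inputs_from_command(target, command):
    """Assumed rule for link steps, which carry no source_/deps_ lines:
    every object/archive operand of the command other than the target is an input."""
    return [tok for tok in command.split() if ARTIFACT_RE.search(tok) and tok != target]


def build_graph(roots, cmd_files):
    """Walk from root outputs back to files that no .cmd file describes (the sources).

    Returns (edges, sources): edges maps each output to its sorted direct inputs,
    sources is the set of leaf files reached."""
    edges, sources, seen = {}, set(), set()
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        text = cmd_files.get(cmd_file_for(node))
        if text is None:
            sources.add(node)  # nothing built it: a source file (or an untracked input)
            continue
        target, command, source, deps = parse_cmd_file(text)
        if target != node:
            raise ValueError(f"{cmd_file_for(node)} records target {target!r}, expected {node!r}")
        inputs = [source] + deps if source else inputs_from_command(node, command)
        edges[node] = sorted(set(inputs))
        queue.extend(edges[node])
    return edges, sources


if __name__ == "__main__":
    edges, sources = build_graph(["drivers/foo/foo.ko"], SAMPLE_CMD_FILES)
    for out, ins in edges.items():
        print(out, "<-", ", ".join(ins))
    print("sources:", sorted(sources))
```

The check that a `.cmd` file names the output it sits beside is the one worth keeping in any real implementation: a stale or mismatched `.cmd` file would otherwise silently attach the wrong inputs to an artifact. Real kernel link and archive commands vary far more than the single `ld` line above (response files, `objtool` wrappers, `ar` archives), so a production tool has to interpret the recorded command rather than grep object names out of it.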
Those wishing to learn more about this proposed SPDX SBOM generation tool for the Linux kernel can see the new patch series out today on the Linux kernel mailing list.
