IRNAS/irnas-east-software

Add command for generating SBOM

Opened this issue · 2 comments

Context

One key aspect of being able to secure your software ecosystem is to know what software you are using in the first place. Various tools and approaches are commonly used to analyze software after the fact, to attempt to determine what comprises a software distribution. However, a more useful approach can be to gather and record this information at the time the software is being built, when conclusions can be made with certainty about the software being used. This information can then be conveyed in a software bill of materials (SBOM) in a shared, standardized metadata format.

West already supports a command that generates an SBOM. The required steps are described here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/scripts/west_commands/sbom/README.html

Required steps / Implementation details

  1. Go through the above link and understand what it does.
  2. See if (and how) you can optimise the generation process.
  3. Implement such a command in east.

Definition of Done

Command for SBOM generation is implemented, tested and reviewed.

@SloMusti
Evaluation of current west implementation was done.

Report can be generated with west ncs-sbom command.
On a small-medium sized project this command took about 4.5 minutes.

Output was an html report with a list of all licenses used in the project. For each license it also listed all files that mention it.

It also listed files without detected license texts.

Implementation ideas for east:

  • It is easy to wrap this with east (and add some text about this taking quite long).
  • This command could be included in the East release process. It should be enabled as an extra flag (due to the time it takes). East should add this as an extra job and move the generated report to the release folder.
  • Care should be taken from which build folder the report is generated, as the output differs. It should probably be generated from some release build of an application image.

This was implemented in #92, however I will keep this issue open for visibility as I suspect that there will be some more work.
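The release-flow ideas from the comment above (opt-in flag because the step is slow, a duration warning, a deliberately chosen build folder, and moving the report into the release folder) sketched as a small Python job. This is an added example, not east's own code or the code merged in #92. It assumes that `west ncs-sbom` accepts `--build-dir` and `--output-html` as described in the NCS sbom README linked from the issue; the `runner` parameter, the report file name and the `--sbom` flag name are choices made here for illustration.

```python
"""Opt-in SBOM job for an east-style release flow (illustrative, not east's code)."""
import shutil
import subprocess
import sys
import time
from pathlib import Path
from typing import Callable, List, Optional


# ASSUMPTION: `west ncs-sbom` takes `--build-dir` and `--output-html`, as the
# NCS sbom README linked from the issue describes. Confirm with
# `west ncs-sbom --help` on the installed SDK before relying on these flags.
def sbom_command(build_dir: Path, report_path: Path) -> List[str]:
    """Build the argv that generates an HTML SBOM report from one build folder."""
    return [
        "west", "ncs-sbom",
        "--build-dir", str(build_dir),
        "--output-html", str(report_path),
    ]


def release_report_name(app: str, build_type: str) -> str:
    """Name the report after the build it describes; output differs per build folder."""
    return f"{app}-{build_type}-sbom.html"


def run_sbom_job(build_dir: Path, release_dir: Path, app: str, build_type: str,
                 enabled: bool,
                 runner: Callable = subprocess.run) -> Optional[Path]:
    """Generate the SBOM if enabled and move it into the release folder.

    Returns the report path inside release_dir, or None when the step is
    skipped. `runner` (hypothetical injection point) must accept the same
    arguments as subprocess.run; it exists so the flow can be exercised
    without a real west workspace.
    """
    if not enabled:
        return None

    report = build_dir / "sbom.html"  # intermediate location, constructed here
    print("Generating SBOM with west ncs-sbom; this can take several minutes "
          "(about 4.5 min on a small-medium project).", file=sys.stderr)
    start = time.monotonic()
    runner(sbom_command(build_dir, report), check=True)
    print(f"SBOM generated in {time.monotonic() - start:.0f} s", file=sys.stderr)

    release_dir.mkdir(parents=True, exist_ok=True)
    dest = release_dir / release_report_name(app, build_type)
    shutil.move(str(report), str(dest))
    return dest


if __name__ == "__main__":
    import argparse

    parser = argparse.ArgumentParser(description="release flow sketch with optional SBOM step")
    parser.add_argument("--build-dir", type=Path, required=True,
                        help="build folder of the release application image")
    parser.add_argument("--release-dir", type=Path, default=Path("release"))
    parser.add_argument("--sbom", action="store_true",
                        help="also generate the (slow) SBOM report")
    args = parser.parse_args()
    result = run_sbom_job(args.build_dir, args.release_dir, "app",
                          args.build_dir.name, args.sbom)
    print(result or "SBOM step skipped (pass --sbom to enable it)")
```

The step is off by default and the caller picks the build folder explicitly, which addresses the two cautions in the comment: the run time, and the fact that the report content depends on which build it is generated from.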