Add sbom generation tooling (#2232)#106
Add sbom generation tooling (#2232)#106Lukasz-Juranek wants to merge 1 commit intoeclipse-score:mainfrom
Conversation
|
@Lukasz-Juranek this looks interesting! Can you describe a little why we need custom code? No native bazel support etc. |
|
Hi right now i'm not aware of any out of box support for bazel that would really cover all c++ imports and rust code. But IMO tooling itself is not important that much, this can be replaced later on with anything What is important is to start getting the SBOM data for 3rd party dependencies in any meaningful format when there is not much deps, and to build in SCORE developers this behavior that when you import some stuff to your project you think about SBOM. If SBOM data will be available then you can do conversion to some mature solution. |
Lukasz-Juranek
force-pushed
the
feat/issue-2232-sbom-init
branch
from
ffca1f1 to
e308870
Compare
|
Updated PR according discussion that we had https://github.com/orgs/eclipse-score/discussions/2226#discussioncomment-15669973 Now manual generation of is removed , sbom data is generated via
Added mandatory fields from
For details see updated readme https://github.com/Lukasz-Juranek/score-tooling/blob/8e9cb957c32b7b2da9b4faf607be172ba9b14a6f/sbom/SBOM_Readme.md @masc2023 you asked for list of tools here it is https://github.com/Lukasz-Juranek/score-tooling/blob/8e9cb957c32b7b2da9b4faf607be172ba9b14a6f/sbom/SBOM_Readme.md#core-tools |
Lukasz-Juranek
force-pushed
the
feat/issue-2232-sbom-init
branch
2 times, most recently
from
cad2c59 to
8e9cb95
Compare
Lukasz-Juranek
force-pushed
the
feat/issue-2232-sbom-init
branch
4 times, most recently
from
9382341 to
c8d2a39
Compare
sbom/SBOM_Readme.md
Outdated
| | [@cyclonedx/cdxgen](https://github.com/CycloneDX/cdxgen) | C++ dependency scanner and license discovery tool | C++ metadata extraction when `auto_cdxgen = True` | | ||
| | [Node.js / npm](https://nodejs.org) | Runtime for cdxgen | C++ metadata extraction when `auto_cdxgen = True` | | ||
|
|
||
| ### Five-Phase Architecture |
There was a problem hiding this comment.
Which of these actually depend on bazel? Can we use this tool without bazel?
There was a problem hiding this comment.
@AlexanderLanin thx for review.
cyclonedx/cdxgen you can use without bazel, both NPM and cdxgen are currently required on system to be installed on system they are not deployed via bazel.
Bazel is only needed to collect dependencies that are needed to build the target,
This data is then hold in sbom_aspect then tool is matching data from this structure to data from cdxgen and bazel lockfile
But if you have all data that is needed in dash-license-scan then we should use this as source of data, not cdxgen and bazel lockfile
Maybe lets make some short sync on this just ping me on slack when you will have time
For think that we can't use only the dash-licensese-scan but we can extract license data from it
| Field | crates_metadata.json provides | dash-license-scan provides |
|---|---|---|
| version | Yes | Yes (from Cargo.lock parse) |
| license | Yes (from crates.io API) | Yes (from Eclipse/ClearlyDefined) |
| checksum (SHA-256) | Yes | No |
| purl | Yes (pkg:cargo/name@ver) | No (uses crate/cratesio/-/ format) |
| repository | Yes (from crates.io API) | No |
| #!/usr/bin/env python3 | ||
| """Generate crates.io metadata cache for SBOM generation. | ||
|
|
||
| This script parses Cargo.lock files and/or MODULE.bazel.lock files, |
There was a problem hiding this comment.
cargo.lock parsing has also been implemented in dash-license-scan. Probably needs alignment.
| lockfile_path: Path to MODULE.bazel.lock file | ||
|
|
||
| Returns: | ||
| Dict mapping crate name to {version, checksum, source} |
There was a problem hiding this comment.
how do you know which version to use? Thats the main reason I have not implemented bazel lockfile parsing in dash-license-scan, since there is no way to know which version is actually relevant?!
There was a problem hiding this comment.
no i was not aware of this problem
| @@ -0,0 +1,142 @@ | |||
| """Tests for CycloneDX 1.6 formatter.""" | |||
|
|
|||
| import unittest | |||
There was a problem hiding this comment.
would you consider pytest? I don't know if its better or worse. But we use pytest everywhere.
There was a problem hiding this comment.
ok i will change framework
sbom/crates_licenses_common.json
Outdated
| @@ -0,0 +1,78 @@ | |||
| { | |||
| "serde": {"license": "MIT OR Apache-2.0"}, | |||
There was a problem hiding this comment.
note that different versions can have different licenses
There was a problem hiding this comment.
this file is not used ,
The actual license data now comes from crates_metadata.json (generated by the cache script from crates.io API + MODULE.bazel.lock).
i need to clean this trash
| targets, traversing their transitive dependencies and generating output | ||
| in SPDX 2.3 and/or CycloneDX 1.6 format. | ||
|
|
||
| License metadata is collected automatically: |
There was a problem hiding this comment.
this is where dash-license-scan could somehow fit it. It collects verified license information.
There was a problem hiding this comment.
i will check it if we can match get license field from dash output makes sense.
sbom/SBOM_Readme.md
Outdated
| # bazel_dep module (version from module graph) | ||
| sbom_ext.license( | ||
| name = "googletest", | ||
| license = "BSD-3-Clause", |
There was a problem hiding this comment.
we should use dash-licene-scan and not write hand collected license infos
Lukasz-Juranek
force-pushed
the
feat/issue-2232-sbom-init
branch
2 times, most recently
from
3c0af62 to
35c92b1
Compare
|
@AlexanderLanin i've updated SBOM tooling to get license from dash you can take a look at some generated files sbom_communication.cdx.json Two things to confirm
|
|
Thanks for the work on the SBOM generation! I reviewed the CycloneDX output and have some feedback: Must fix:
// ✅ Correct:
Nice to have (can be addressed in a follow-up):
|
Lukasz-Juranek
force-pushed
the
feat/issue-2232-sbom-init
branch
from
7b00264 to
3d5b273
Compare
Updated PR fixed licenses you can check this i've validated it using https://tools.spdx.org/app/ntia_checker/ and it passed |
|
@Lukasz-Juranek , you can also check here, both files above seems valid |
| config: dict[str, Any], | ||
| timestamp: str, | ||
| ) -> dict[str, Any]: | ||
| """Generate SPDX 2.3 JSON document. |
There was a problem hiding this comment.
Latest version of SPDX is 3.0 at least.
There was a problem hiding this comment.
if we are sure that tooling that we want to use for venerability scan and some other stuff is supporting SPDX 3.0 then fine i can generate SPDX 3.0
PandaeDo
requested review from
MaximilianSoerenPollak,
aschemmel-tech and
sunildevda
|
Attaching regenerated SBOM files (post license-normalization fix): |
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Lukasz-Juranek
force-pushed
the
feat/issue-2232-sbom-init
branch
from
1f779eb to
1aca6d2
Compare
5 participants
This PR adds SBOM Bazel rules for SCORE modules. For setup details see the SBOM_Readme.md.
Generated SBOM files (reference_integration — sbom_kyron_module, 2026-02-27)
Built with
bazel build //:sbom_kyron_moduleafter all compliance fixes.sbom_kyron_module.spdx.json — SPDX 2.3 (96 KB, 93 packages)
sbom_kyron_module.cdx.json — CycloneDX 1.6 (75 KB, 93 components)
Both files pass
sbomgenerator.com/tools/validatorwith zero errors and zero warnings.Coverage (93 packages)
Missing licenses: 22 packages —
iceoryx2-*-qnx8platform forks (not in Eclipse Foundation / ClearlyDefined) + a handful of other crates not yet indexed.Generated file formats
CISA 2025 element coverage (both formats)
Compliance fixes (commits e443267 → 9acc306)
Dependabot / GitHub Dependency Graph integration (f2cc71f)
The generated SPDX 2.3 SBOMs can feed GitHub Dependabot via the Dependency Submission API.
New: `sbom/scripts/spdx_to_github_snapshot.py`
Converts SPDX 2.3 → GitHub Dependency Submission snapshot (handles SPDX 2.3 — GitHub's official action only supports 2.2):
New: `.github/workflows/sbom_dependency_submission.yml`
Reusable workflow: builds SBOM → converts `*.spdx.json` → POSTs to `dependency-graph/snapshots`.
Prerequisite: enable Dependency Graph in repo Settings → Code security → Dependency graph.
Dash-license-scan results (288 crates from `MODULE.bazel.lock`)
27 crates lack license data: 19 `iceoryx2-*-qnx8` platform forks + 8 others (`tonic`, `ipc-channel`, `argh`, etc.) not yet indexed by Eclipse Foundation / ClearlyDefined.
Test results: 79 passed
Related
SBOM is automatically generated — no modifications are needed for SCORE modules.