SPDX Generation #57

Description

@augelu-tng

The primary purpose of the sbom.py script is to generate an sbom.spdx.json file conforming to the SPDX specification.
The desired structure of the SPDX document is defined in #58.
The currently implemented structure is as follows:

  • SPDX generation #60
    • One instance each of: SpdxDocument, SoftwareAgent, CreationInfo, Sbom
    • One Package containing the root artifacts (final kernel image plus .ko modules)
      • The package is connected to a simpleLicensing/LicenseExpression element via a hasDeclaredLicense relationship. The license must be provided as a command-line argument.
    • One File element for each file involved in the kernel build.
      • File names are specified relative to the source or output tree. When the two trees differ, two File elements of type directory are created to represent their roots. Each file is linked to the appropriate tree via a contains relationship.
      • sha256 hashes of the original file are attached to each File element.
    • One Build element for each build step, connecting input files to the produced output file via hasInput and hasOutput Relationship elements.
  • License header parsing #66
    • Added a hasDeclaredLicense relationship from each File element in the source tree to the corresponding LicenseExpression element, according to the SPDX-License-Identifier at the beginning of the file.
  • Compact IRIs #69
    • Reduced SPDX document size by introducing an spdxId prefix in the @context.
  • File metadata #73
    • Added primaryPurpose and contentIdentifier properties to File elements.
  • Split SPDX document into source, build and output #75
    • Split the single SPDX document into three:
      • source: Licenses, source Files
      • build: generated Files, source Files outside src_tree
      • output: Package, distributed Files (copied from build)
  • Kernel module packages #86
    • Split the single output package into one individual package per root output (kernel + kernel modules).
  • Build metadata & high-level Build #87
    • High-level Build element describing the build environment.

Features not yet implemented:

  • Validate in CI that the three SPDX documents can be combined into one single graph without issues.
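The following is an added example, not the project's sbom.py. It emits a toy SPDX-3-style JSON-LD graph for a two-file "kernel build", split into the source, build and output documents described above (File elements with sha256 hashes, a Build per step with hasInput/hasOutput relationships, hasDeclaredLicense from the SPDX-License-Identifier header, one Package per root output with a copied File), and then implements the not-yet-implemented check: merge the three documents and report any spdxId that is defined differently in two documents or any relationship end that resolves to nothing. The namespace in @context, the simplified type strings (`File`, `Build`, `Package`, `LicenseExpression`), the `buildType` value and all sample file contents are constructed assumptions; real output must follow the SPDX 3 JSON-LD context.

```python
"""Added example (not the project's sbom.py): toy SPDX-3-style source/build/output
documents plus a merge check that flags conflicting ids and dangling references."""
import hashlib
import json
import re

# Assumption: placeholder namespace behind the compact "spdxId:" prefix.
CONTEXT = {"spdxId": "https://example.invalid/kernel-sbom/"}


def slug(text: str) -> str:
    """Turn a path or license expression into a safe local id fragment."""
    return re.sub(r"[^A-Za-z0-9.]+", "-", text)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def declared_license(data: bytes):
    """Read the SPDX-License-Identifier tag from the first lines of a source file."""
    for line in data.decode("utf-8", "replace").splitlines()[:2]:
        if "SPDX-License-Identifier:" in line:
            expr = line.split("SPDX-License-Identifier:", 1)[1]
            return expr.strip().rstrip("*/").strip()  # drop a closing "*/" comment
    return None


def file_element(spdx_id, name, data, purpose=None):
    el = {"type": "File", "spdxId": spdx_id, "name": name,
          "verifiedUsing": [{"type": "Hash", "algorithm": "sha256",
                             "hashValue": sha256_hex(data)}]}
    if purpose:
        el["primaryPurpose"] = purpose
    return el


def relationship(spdx_id, rel_type, frm, to):
    return {"type": "Relationship", "spdxId": spdx_id,
            "relationshipType": rel_type, "from": frm, "to": to}


def build_documents(src_tree, build_steps, root_outputs):
    """src_tree: {path: bytes}; build_steps: {output path: ([input paths], bytes)};
    root_outputs: distributed artifacts that each become one Package."""
    source, build, output, licenses = [], [], [], {}
    counter = {"n": 0}

    def rel(doc, rel_type, frm, to):
        counter["n"] += 1  # relationship ids stay unique across all three documents
        doc.append(relationship(f"spdxId:rel-{counter['n']}", rel_type, frm, to))

    for path, data in src_tree.items():
        fid = f"spdxId:file-{slug(path)}"
        source.append(file_element(fid, path, data, "source"))
        expr = declared_license(data)
        if expr:
            lid = licenses.setdefault(expr, f"spdxId:license-{slug(expr)}")
            rel(source, "hasDeclaredLicense", fid, lid)
    for expr, lid in licenses.items():
        source.append({"type": "LicenseExpression", "spdxId": lid,
                       "licenseExpression": expr})

    for out_path, (inputs, data) in build_steps.items():
        fid = f"spdxId:file-{slug(out_path)}"
        bid = f"spdxId:build-{slug(out_path)}"
        build.append(file_element(fid, out_path, data))
        build.append({"type": "Build", "spdxId": bid, "buildType": "make"})  # assumed value
        for inp in inputs:
            rel(build, "hasInput", bid, f"spdxId:file-{slug(inp)}")  # points into source doc
        rel(build, "hasOutput", bid, fid)

    for out_path in root_outputs:
        fid = f"spdxId:file-{slug(out_path)}"
        pid = f"spdxId:package-{slug(out_path)}"
        output.append({"type": "Package", "spdxId": pid, "name": out_path})
        output.append(file_element(fid, out_path, build_steps[out_path][1]))  # copy from build
        rel(output, "contains", pid, fid)

    return {name: {"@context": CONTEXT, "@graph": graph}
            for name, graph in (("source", source), ("build", build), ("output", output))}


def merge_graph(docs):
    """Merge documents into one spdxId -> element map. Returns (elements, issues); issues
    lists ids defined differently in two documents and relationship ends that resolve
    to nothing. An empty list is what the CI check would require."""
    elements, issues = {}, []
    for doc_name, doc in docs.items():
        for el in doc["@graph"]:
            sid = el["spdxId"]
            if sid in elements and elements[sid] != el:
                issues.append(f"{doc_name}: {sid} conflicts with an earlier definition")
            elements.setdefault(sid, el)
    for el in elements.values():
        if el["type"] == "Relationship":
            for end in ("from", "to"):
                if el[end] not in elements:
                    issues.append(f"{el['spdxId']}: dangling {end} -> {el[end]}")
    return elements, issues


# Constructed sample input (not real kernel files).
SRC_TREE = {
    "init/main.c": b"// SPDX-License-Identifier: GPL-2.0\nint main(void) { return 0; }\n",
    "drivers/foo.c": b"/* SPDX-License-Identifier: GPL-2.0 OR MIT */\nvoid foo(void) {}\n",
}
BUILD_STEPS = {
    "vmlinux": (["init/main.c"], b"\x7fELF vmlinux bytes"),
    "drivers/foo.ko": (["drivers/foo.c"], b"\x7fELF foo.ko bytes"),
}
ROOT_OUTPUTS = ["vmlinux", "drivers/foo.ko"]

if __name__ == "__main__":
    docs = build_documents(SRC_TREE, BUILD_STEPS, ROOT_OUTPUTS)
    print(json.dumps(docs["output"], indent=1))
    print("merge issues:", merge_graph(docs)[1] or "none")
```

Merging only the build document reports the hasInput ends as dangling, which is exactly why the CI check has to load all three documents together; a File copied into the output document whose hash no longer matches the build document's copy is reported as a conflicting definition, so the check also catches an artifact that was swapped after the build step recorded it.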

Labels: Epic