Add sbom generation tooling (#2232) #106
Draft
Lukasz-Juranek wants to merge 1 commit into eclipse-score:main from
This was referenced Jan 31, 2026
Member
@Lukasz-Juranek this looks interesting! Can you describe a little why we need custom code? No native Bazel support etc.
Author
Hi, right now I'm not aware of any out-of-the-box support for Bazel that would really cover all C++ imports and Rust code. But IMO the tooling itself is not that important; this can be replaced later on with anything. What is important is to start getting the SBOM data for 3rd-party dependencies in any meaningful format while there are not many deps, and to build in SCORE developers this behavior that when you import some stuff into your project you think about SBOM. If SBOM data is available, then you can do a conversion to some mature solution.
This PR adds basic SBOM Bazel rules; for details see:
https://github.com/Lukasz-Juranek/score-tooling/blob/01e9dd78913f28e8de71a0e35e9fc54d23a783e0/sbom/SBOM_Readme.md
https://github.com/Lukasz-Juranek/score-tooling/blob/01e9dd78913f28e8de71a0e35e9fc54d23a783e0/sbom/SBOM_Implementation_Approach_SCORE.md
Here are generated SBOMs for reference_integration targets:
sbom_kyron.cdx.json
sbom_kyron.spdx.json
sbom_orch_per.cdx.json
sbom_orch_per.spdx.json
Here is the SBOM target definition: eclipse-score/reference_integration#83
Here is an example definition of SBOM data: eclipse-score/baselibs#93
This is not a full solution but rather something to begin with.
Happy to discuss this in detail.