What is this article?
At our development site (embedded software for medical devices), SBOM support has become an urgent issue.
I think software, like food, is critical infrastructure.
Just as with food, making the components explicit with an SBOM seems a natural development.
Regulations such as the US Executive Order and the EU Cyber Resilience Act (CRA) are, I think, part of the background.
There are probably many commercial SBOM generation tools, but I personally wanted to check whether an SBOM can be produced with OSS, so I decided to try.
Generating an SBOM
As mentioned above, I wanted to check whether an SBOM can be produced with OSS, so the condition was a tool that can generate an SBOM using OSS.
Generating an SBOM on GitHub
I learned that GitHub can also generate an SBOM, so I decided to look into it.
Steps to generate an SBOM on GitHub
The steps to generate an SBOM on GitHub are as follows.
- Go to the repository you want an SBOM for
- Select the Insights tab
- Select Dependency graph from the left-hand menu
- Press the Export SBOM button on the right
- Specify the save location and file name for the SBOM
The SBOM file is written in JSON.
SBOM example 1: cpputest
Let's generate an SBOM for CppUTest, a test framework for C and C++.
CppUTest repository
https://github.com/cpputest/cpputest
SBOM example 1: SBOM contents
The contents of the SBOM file are shown below (the exported file is a single minified JSON line, which is hard to read as-is).
Install the jq command to make the JSON easier to read.
$ brew install jq
Feed the saved SBOM file to jq and check it.
$ cat cpputest_cpputest_881127.json | jq .
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "com.github.cpputest/cpputest",
  "documentNamespace": "https://spdx.org/spdxdocs/protobom/ece9bbe3-301b-4e16-8ba0-8140f5139dce",
  "creationInfo": {
    "creators": [
      "Tool: protobom-devel",
      "Tool: GitHub.com-Dependency-Graph"
    ],
    "created": "2024-12-08T12:28:48Z"
  },
  "packages": [
    {
      "name": "actions/checkout",
      "SPDXID": "SPDXRef-githubactions-actions-checkout-main-7b26ed",
      "versionInfo": "main",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/actions/checkout@main"
        }
      ]
    },
    {
      "name": "coverallsapp/github-action",
      "SPDXID": "SPDXRef-githubactions-coverallsapp-github-action-master-d87ce5",
      "versionInfo": "master",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/coverallsapp/github-action@master"
        }
      ]
    },
    {
      "name": "cygwin/cygwin-install-action",
      "SPDXID": "SPDXRef-githubactions-cygwin-cygwin-install-action-master-41e328",
      "versionInfo": "master",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/cygwin/cygwin-install-action@master"
        }
      ]
    },
    {
      "name": "actions/upload-artifact",
      "SPDXID": "SPDXRef-githubactions-actions-upload-artifact-3..-613322",
      "versionInfo": "3.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/actions/upload-artifact@3.%2A.%2A"
        }
      ]
    },
    {
      "name": "actions/checkout",
      "SPDXID": "SPDXRef-githubactions-actions-checkout-3..-c8865b",
      "versionInfo": "3.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/actions/checkout@3.%2A.%2A"
        }
      ]
    },
    {
      "name": "github/codeql-action/analyze",
      "SPDXID": "SPDXRef-githubactions-githubcodeql-action-analyze-2..-58cb0d",
      "versionInfo": "2.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/github/codeql-action/analyze@2.%2A.%2A"
        }
      ]
    },
    {
      "name": "github/codeql-action/init",
      "SPDXID": "SPDXRef-githubactions-githubcodeql-action-init-2..-447376",
      "versionInfo": "2.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/github/codeql-action/init@2.%2A.%2A"
        }
      ]
    },
    {
      "name": "docker/login-action",
      "SPDXID": "SPDXRef-githubactions-docker-login-action-2..-91a7d4",
      "versionInfo": "2.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/docker/login-action@2.%2A.%2A"
        }
      ]
    },
    {
      "name": "docker/setup-buildx-action",
      "SPDXID": "SPDXRef-githubactions-docker-setup-buildx-action-2..-892651",
      "versionInfo": "2.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/docker/setup-buildx-action@2.%2A.%2A"
        }
      ]
    },
    {
      "name": "docker/setup-qemu-action",
      "SPDXID": "SPDXRef-githubactions-docker-setup-qemu-action-2..-fc0b53",
      "versionInfo": "2.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/docker/setup-qemu-action@2.%2A.%2A"
        }
      ]
    },
    {
      "name": "msys2/setup-msys2",
      "SPDXID": "SPDXRef-githubactions-msys2-setup-msys2-2..-6ce22e",
      "versionInfo": "2.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/msys2/setup-msys2@2.%2A.%2A"
        }
      ]
    },
    {
      "name": "docker/build-push-action",
      "SPDXID": "SPDXRef-githubactions-docker-build-push-action-3..-d8263e",
      "versionInfo": "3.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/docker/build-push-action@3.%2A.%2A"
        }
      ]
    },
    {
      "name": "DoozyX/clang-format-lint-action",
      "SPDXID": "SPDXRef-githubactions-DoozyX-clang-format-lint-action-0.14.-665fca",
      "versionInfo": "0.14.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/DoozyX/clang-format-lint-action@0.14.%2A"
        }
      ]
    },
    {
      "name": "carlosperate/arm-none-eabi-gcc-action",
      "SPDXID": "SPDXRef-githubactions-carlosperate-arm-none-eabi-gcc-action-1..-b58159",
      "versionInfo": "1.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/carlosperate/arm-none-eabi-gcc-action@1.%2A.%2A"
        }
      ]
    },
    {
      "name": "open-watcom/setup-watcom",
      "SPDXID": "SPDXRef-githubactions-open-watcom-setup-watcom-0..-2e9f19",
      "versionInfo": "0.*.*",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/open-watcom/setup-watcom@0.%2A.%2A"
        }
      ]
    },
    {
      "name": "dorny/test-reporter",
      "SPDXID": "SPDXRef-githubactions-dorny-test-reporter-1-575b3d",
      "versionInfo": "1",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:githubactions/dorny/test-reporter@1"
        }
      ]
    },
    {
      "name": "com.github.cpputest/cpputest",
      "SPDXID": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "versionInfo": "master",
      "downloadLocation": "git+https://github.com/cpputest/cpputest",
      "filesAnalyzed": false,
      "licenseDeclared": "BSD-3-Clause",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:github/cpputest/cpputest@master"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-actions-checkout-main-7b26ed",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-coverallsapp-github-action-master-d87ce5",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-cygwin-cygwin-install-action-master-41e328",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-actions-upload-artifact-3..-613322",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-actions-checkout-3..-c8865b",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-githubcodeql-action-analyze-2..-58cb0d",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-githubcodeql-action-init-2..-447376",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-docker-login-action-2..-91a7d4",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-docker-setup-buildx-action-2..-892651",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-docker-setup-qemu-action-2..-fc0b53",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-msys2-setup-msys2-2..-6ce22e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-docker-build-push-action-3..-d8263e",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-DoozyX-clang-format-lint-action-0.14.-665fca",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-carlosperate-arm-none-eabi-gcc-action-1..-b58159",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-open-watcom-setup-watcom-0..-2e9f19",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relatedSpdxElement": "SPDXRef-githubactions-dorny-test-reporter-1-575b3d",
      "relationshipType": "DEPENDS_ON"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-github-cpputest-cpputest-master-e7c2cd",
      "relationshipType": "DESCRIBES"
    }
  ]
}
It became a little easier to read.
Unfortunately, at the moment I lack the knowledge to understand the contents 😅
SBOM example 2: a repository that uses cpputest as a submodule
In example 2, I generate the SBOM of a repository that uses cpputest as a submodule.
I generate the SBOM of the following repository, which uses CppUTest as a submodule.
Repository using CppUTest as a submodule: TDD_EmbeddedC
https://github.com/iwatake2222/TDD_EmbeddedC
This repository reproduces the code from the TDD book with each of the CppUTest, GoogleTest and Unity test frameworks.
SBOM example 2: SBOM contents
The SBOM of this repository came out as follows.
$ cat iwatake2222_TDD_EmbeddedC_932060.json | jq .
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "com.github.iwatake2222/TDD_EmbeddedC",
  "documentNamespace": "https://spdx.org/spdxdocs/protobom/0dfd6f26-214a-4c37-93b1-2768e2da30b9",
  "creationInfo": {
    "creators": [
      "Tool: protobom-devel",
      "Tool: GitHub.com-Dependency-Graph"
    ],
    "created": "2024-12-08T12:33:11Z"
  },
  "packages": [
    {
      "name": "com.github.iwatake2222/TDD_EmbeddedC",
      "SPDXID": "SPDXRef-github-iwatake2222-TDDEmbeddedC-master-8d02d6",
      "versionInfo": "master",
      "downloadLocation": "git+https://github.com/iwatake2222/TDD_EmbeddedC",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:github/iwatake2222/TDD_EmbeddedC@master"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-github-iwatake2222-TDDEmbeddedC-master-8d02d6",
      "relationshipType": "DESCRIBES"
    }
  ]
}
It seems that no SBOM entries are generated for the submodule's repository.
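Both exports above have the same SPDX 2.3 shape: a DESCRIBES relationship from SPDXRef-DOCUMENT names the root package, and DEPENDS_ON relationships from that root name each component. The script below is an added example (not from the article or from GitHub) that walks those relationships over two constructed SBOMs modelled on example 1 and example 2; it reports which components are referenced by a mutable branch name or wildcard range rather than a commit SHA, and flags an SBOM whose root has no dependencies at all, which is exactly what the submodule case produced. The sample data, helper names and the "pinned means 40-hex commit SHA" rule are my assumptions.

```python
import json
import re
from typing import Any, Dict, List


def _pkg(name: str, spdxid: str, version: str, purl: str, **extra: str) -> Dict[str, Any]:
    """Build one SPDX package entry in the shape GitHub's export uses (helper for the samples)."""
    return {"name": name, "SPDXID": spdxid, "versionInfo": version, "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False, **extra,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": purl}]}


def _rel(src: str, dst: str, kind: str) -> Dict[str, str]:
    return {"spdxElementId": src, "relatedSpdxElement": dst, "relationshipType": kind}


ROOT = "SPDXRef-github-cpputest-cpputest-master-e7c2cd"
CHECKOUT = "SPDXRef-githubactions-actions-checkout-main-7b26ed"
UPLOAD = "SPDXRef-githubactions-actions-upload-artifact-3..-613322"

# Constructed sample modelled on GitHub's SPDX 2.3 export for cpputest, cut to two Actions; not the article's file.
SAMPLE_CPPUTEST = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "com.github.cpputest/cpputest",
    "packages": [
        _pkg("actions/checkout", CHECKOUT, "main", "pkg:githubactions/actions/checkout@main"),
        _pkg("actions/upload-artifact", UPLOAD, "3.*.*", "pkg:githubactions/actions/upload-artifact@3.%2A.%2A"),
        _pkg("com.github.cpputest/cpputest", ROOT, "master", "pkg:github/cpputest/cpputest@master",
             licenseDeclared="BSD-3-Clause"),
    ],
    "relationships": [_rel(ROOT, CHECKOUT, "DEPENDS_ON"), _rel(ROOT, UPLOAD, "DEPENDS_ON"),
                      _rel("SPDXRef-DOCUMENT", ROOT, "DESCRIBES")],
})

# Constructed sample shaped like the TDD_EmbeddedC export: root only, the CppUTest git submodule is absent.
SUB_ROOT = "SPDXRef-github-iwatake2222-TDDEmbeddedC-master-8d02d6"
SAMPLE_SUBMODULE_ONLY = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "com.github.iwatake2222/TDD_EmbeddedC",
    "packages": [_pkg("com.github.iwatake2222/TDD_EmbeddedC", SUB_ROOT, "master",
                      "pkg:github/iwatake2222/TDD_EmbeddedC@master")],
    "relationships": [_rel("SPDXRef-DOCUMENT", SUB_ROOT, "DESCRIBES")],
})

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")  # assumption: only a full commit SHA counts as pinned


def purl_of(pkg: Dict[str, Any]) -> str:
    """Return the package's purl, falling back to its name when no purl reference exists."""
    return next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), pkg["name"])


def audit_sbom(text: str) -> Dict[str, Any]:
    """Follow DESCRIBES -> DEPENDS_ON from the document and report what the SBOM does (not) pin."""
    doc = json.loads(text)
    by_id = {p["SPDXID"]: p for p in doc["packages"]}
    rels = doc.get("relationships", [])
    # The element the document DESCRIBES is the root of the dependency tree.
    root = next(r["relatedSpdxElement"] for r in rels
                if r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES")
    deps = [by_id[r["relatedSpdxElement"]] for r in rels
            if r["spdxElementId"] == root and r["relationshipType"] == "DEPENDS_ON"]
    # Branch names ("main", "master") and wildcard ranges ("3.*.*") are mutable: they may resolve differently later.
    unpinned: List[str] = [purl_of(p) for p in deps if not COMMIT_SHA.match(p.get("versionInfo", ""))]
    return {"root": by_id[root]["name"], "license": by_id[root].get("licenseDeclared", "NOASSERTION"),
            "dependency_count": len(deps), "unpinned": unpinned,
            # No dependencies at all means the graph missed something (here a git submodule), not that there are none.
            "empty_graph": not deps}
```

Run `audit_sbom(open("cpputest_cpputest_881127.json").read())` on the real export to see the full list of Actions referenced by branch or wildcard.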
Summary
This experiment showed the following.
- An SBOM could be generated on GitHub.
- The SBOM does not appear to extend to submodules.
I expect the generated SBOM is meant to be used as a reference for checking license violations, vulnerabilities and so on.
I intend to keep checking how far OSS tools can go.