Date: Tue, 30 Dec 2025 10:22:54 +0000 From: Lorenzo Salvadore <salvadore@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Cc: Tuukka Pasanen <tuukka.pasanen@ilmi.fi> Subject: git: fca85bb36a - main - Status/2025Q4/sbmo.adoc: Add report Message-ID: <6953a7fe.239ca.46238a14@gitrepo.freebsd.org>
The branch main has been updated by salvadore: URL: https://cgit.FreeBSD.org/doc/commit/?id=fca85bb36a35d1a755dc9db7ee83a30796932bc7 commit fca85bb36a35d1a755dc9db7ee83a30796932bc7 Author: Tuukka Pasanen <tuukka.pasanen@ilmi.fi> AuthorDate: 2025-12-30 10:22:02 +0000 Commit: Lorenzo Salvadore <salvadore@FreeBSD.org> CommitDate: 2025-12-30 10:22:02 +0000 Status/2025Q4/sbmo.adoc: Add report Differential Revision: https://reviews.freebsd.org/D54345 --- .../en/status/report-2025-10-2025-12/sbom.adoc | 36 ++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/website/content/en/status/report-2025-10-2025-12/sbom.adoc b/website/content/en/status/report-2025-10-2025-12/sbom.adoc new file mode 100644 index 0000000000..ce23c3bfe2 --- /dev/null +++ b/website/content/en/status/report-2025-10-2025-12/sbom.adoc 
@@ -0,0 +1,36 @@ +=== FreeBSD Software Bill of Materials + +Links: + +link:https://github.com/pkgconf/pkgconf/pull/429[pkgconf PR 429 which adds spdxtool] URL: link:https://github.com/pkgconf/pkgconf/pull/429[] + +link:https://spdx.github.io/spdx-spec/v3.0.1/[SPDX Lite 3.0.1 documentation] URL: link:https://spdx.github.io/spdx-spec/v3.0.1/[] + +link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/json-ld/FreeBSD.jsonld[FreeBSD SPDX 3.0.1 JSON-LD file: FreeBSD.jsonld] URL: link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/json-ld/FreeBSD.jsonld[] + +link:https://github.com/illuusio/freebsd-src/tree/freebsd-sbom/share/sbom[Source files to make SBOM] URL: link:https://github.com/illuusio/freebsd-src/tree/freebsd-sbom/share/sbom[] + +link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/license.md[Current status of license gathering for SBOM in Markdown file] URL: link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/license.md[] + +link:https://reviews.freebsd.org/D53318[Add sbom target to Makefile and needed Lua scripts] URL: link:https://reviews.freebsd.org/D53318[] + +link:https://reviews.freebsd.org/D53317[Lua functions to handle make command output for specific FreeBSD ports targets] URL: link:https://reviews.freebsd.org/D53317[] + +link:https://reviews.freebsd.org/D53316[Add Lua Logging module to FreeBSD ports tree and introduce Lua functions and modules to ports] URL: link:https://reviews.freebsd.org/D53316[] + +Contact: Tuukka Pasanen <tuukka.pasanen@ilmi.fi> + +The Software Bill of Materials (SBOM) project has been ongoing since May, with the goal of providing the necessary tooling to create SBOMs from FreeBSD Ports and the base system. + +One of the major developments in 2025Q4 was upstreaming spdxtool to the pkgconf upstream. 
The upstreamed code ensures that pkgconf tools have an SPDX Lite 3.0.1 profile-compatible SBOM creation tool with the next release. + +Another significant effort has been gathering information about applications that form part of the FreeBSD base system. +These applications are primarily located in the [.filename]#usr.bin#, [.filename]#usr.sbin#, [.filename]#sbin#, and [.filename]#bin# directories inside FreeBSD git repository. +The FreeBSD Alpha Omega Beach Cleaning project has been instrumental as it gathers information about third-party libraries and applications, and I have contributed to this effort. +Now there is Lua scripts and a file that can produce the needed files for pkgconf's spdxtool, which can be exported in SPDX JSON-LD format. + +Tools using this gathered information and current raw data can be found in my fork of the FreeBSD src tree. Mainly, all C and header files that hold SPDX-License-Identifier are now gathered and processed. + +There have also been efforts to upstream SBOM creation per package for FreeBSD Ports, but this has stalled and needs updating. + +If you want to help with this effort: + +* Add SPDX-License-Identifier headers to C and header files under the FreeBSD src. +* Verify that the files current SPDX-License-Identifier is correct. +* Verify that the gathered information is accurate. + Currently, all tools that have some man page for section 1, 7, and 8 are added, with descriptions taken from the man page using a script. + These may be incorrect. + +Sponsor: The FreeBSD Foundationhome | help
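Review bot: the commit title "Status/2025Q4/sbmo.adoc: Add report" does not match the path actually added, website/content/en/status/report-2025-10-2025-12/sbom.adoc; the subject line should name the file as "sbom.adoc" so the log stays greppable. In the body, "Now there is Lua scripts and a file that can produce" should read "Now there are Lua scripts and a file that can produce", "inside FreeBSD git repository" wants "inside the FreeBSD git repository", and the help item "Verify that the files current SPDX-License-Identifier is correct" needs the possessive "file's". Since the report itself says the man-page-derived descriptions "may be incorrect", it would help contributors if the last bullet pointed at where to submit corrections (the fork or the license.md file listed under Links) rather than leaving the verification step open-ended.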
