SBOM generate with nRF SDK v17.1.0

Hi everyone,

I'm trying to generate an SBOM from code based on nRF SDK v17.1.0. I noticed that the SBOM feature is only supported with nRF Connect SDK. I did search for tools to generate SBOMs. The following are popular ones:

  • Syft — a CLI tool that allows you to efficiently create accurate SBOMs from container images and filesystems.
  • FOSSA — an automated tool focused on open-source compliance and security, capable of generating SBOMs while ensuring adherence to licensing requirements.
  • Tern — an open-source tool that inspects container images, providing insights into software components and their licenses and helping developers ensure compliance and security throughout the container lifecycle.
  • CycloneDX — a widely recognized SBOM standard used across various tools and platforms to enhance software supply chain security. It is supported by numerous SBOM generation tools including Syft, OWASP Dependency-Track for Java and other languages, and GitLab for CI/CD pipelines. CycloneDX is versatile and applicable across different programming languages and environments.
  • Microsoft’s SBOM Tool — a command-line utility that generates SBOMs for software projects, integrating with Microsoft’s security and compliance frameworks to enhance transparency and security across the software supply chain.

However, these are suitable for regular software solutions. I'm not sure if they are compatible with embedded software based on nRF SDK. Thus, I'd greatly appreciate it if Nordic staff/forum members would share their thoughts and solutions.

Thanks,

Tai
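For anyone landing here with the same question: the tools listed above expect a package manager or container image to enumerate, which a bare nRF5 SDK tree does not have. What you can still do is inventory the source tree itself. The script below is an added example written for this thread (it is not Tai's code and not a Nordic or nRF Connect SDK tool). It walks a directory, records every C/assembler/linker file as a CycloneDX 1.4 `file` component with its SHA-256 hash, reads the license from an `SPDX-License-Identifier` header line where one exists, and wraps the whole thing in a `firmware` root component. The sample tree it builds in `demo()` is constructed for illustration; the project name and version are placeholders.

```python
"""Minimal CycloneDX SBOM generator for a bare C source tree with no package manager.

Added example for this thread, not an official tool. Field names follow the
CycloneDX 1.4 JSON schema (bomFormat, specVersion, metadata.component,
components[].hashes, components[].licenses).
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# File types that make up a typical nRF5 SDK project tree.
SOURCE_SUFFIXES = {".c", ".h", ".s", ".S", ".ld"}
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.\-+ ()]+)")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large vendor blobs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def spdx_license(path: Path) -> Optional[str]:
    """Return the SPDX identifier from the file header, or None if there is none."""
    try:
        head = path.read_text(errors="replace")[:4096]  # convention puts it near the top
    except OSError:
        return None
    m = SPDX_RE.search(head)
    return m.group(1).strip() if m else None


def file_component(root: Path, path: Path) -> dict:
    """Describe one source file as a CycloneDX 'file' component."""
    comp = {
        "type": "file",
        "name": path.relative_to(root).as_posix(),
        "hashes": [{"alg": "SHA-256", "content": sha256_file(path)}],
    }
    lic = spdx_license(path)
    if lic:
        comp["licenses"] = [{"license": {"id": lic}}]
    return comp


def build_bom(root: Path, project_name: str, project_version: str) -> dict:
    """Return a CycloneDX 1.4 document (as a dict) covering every source file under root."""
    files = sorted(
        p for p in root.rglob("*") if p.is_file() and p.suffix in SOURCE_SUFFIXES
    )
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {
                "type": "firmware",
                "name": project_name,
                "version": project_version,
            }
        },
        "components": [file_component(root, p) for p in files],
    }


def demo() -> dict:
    """Build a small constructed tree (not real SDK code) and return its BOM."""
    root = Path(tempfile.mkdtemp())
    lib = root / "components" / "libraries"
    lib.mkdir(parents=True)
    (lib / "util.c").write_text(
        "/* SPDX-License-Identifier: BSD-3-Clause */\n"
        "int add(int a, int b) { return a + b; }\n"
    )
    (root / "main.c").write_text("int main(void) { return 0; }\n")  # no SPDX header
    (root / "README.md").write_text("not a source file, must be skipped\n")
    # Placeholder project name/version; substitute your own build metadata.
    return build_bom(root, "example-firmware", "0.0.1-constructed")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `build_bom` at the SDK checkout (or just the `components/` and `external/` folders you actually link) and the result is an inventory a license or vulnerability process can consume, with hashes that let you prove later which exact SDK files went into a given firmware image. Files without an SPDX header are still listed, just without a `licenses` entry, so they stand out for manual review.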
