Zephyr SBOM Generator Fail

Hi,

The nRF Connect SDK include a SBOM generation tool that can be invoked with west ncs-sbom -d <build_folder>. Please see Software Bill of Materials for details.

Thanks for your reply.

I am aware of the west ncs-sbom tool. However, as it is stated in the in the link your provided:

"It provides a list of used licenses for an application build or specific files."

While licenses might be an important aspect, what is relevant in context of CRA is the ability to check for vulnerabilities in used libraries.

One of the SBOM files generated by Zephyr's SBOM tool is modules-deps.spdx. In there, all the modules used for building an application firmware are listed, including Common Platform Enumerations (CPE) and Package URLs (PURL).

The information contained in modules-deps.spdx can be imported into dependency tracking tools, e.g. dependencytrack. That way, tracking of vulnerabilities for dependent modules becomes much easier, thanks to the CPEs.

Therefore, I have to get Zephyr's SBOM generator running.

Many thanks in advance for your support.

--

Regards

Thanks for your reply.

I am aware of the west ncs-sbom tool. However, as it is stated in the in the link your provided:

"It provides a list of used licenses for an application build or specific files."

While licenses might be an important aspect, what is relevant in context of CRA is the ability to check for vulnerabilities in used libraries.

One of the SBOM files generated by Zephyr's SBOM tool is modules-deps.spdx. In there, all the modules used for building an application firmware are listed, including Common Platform Enumerations (CPE) and Package URLs (PURL).

The information contained in modules-deps.spdx can be imported into dependency tracking tools, e.g. dependencytrack. That way, tracking of vulnerabilities for dependent modules becomes much easier, thanks to the CPEs.

Therefore, I have to get Zephyr's SBOM generator running.

Many thanks in advance for your support.

--

Regards

Hi,

I see. However, the ncs-sbom tool can also generate an spdx file using the --output-spdx option (example: west ncs-sbom --output-spdx generated.spdx -d build).

Hi,

Yes, I am aware that ncs-sbom allows to specify spdx-format for output. But it does not give me a modules-dep file that is required for dependency tracking. Therefore, I need Zephyr's SBOM generator to work.

Searching for the error message

CONFIG_BUILD_OUTPUT_META must be enabled to generate spdx files

reveals that it is thrown from

/home/developer/ncs/v3.0.2/zephyr/scripts/west_commands/zspdx/walker.py

# check if meta file is generated
if not self.metaFile:
log.err("CONFIG_BUILD_OUTPUT_META must be enabled to generate spdx files; bailing")
return False

Error is thrown if self.meta is not set. Looking at where is should be set reveals

# parse cache file and pull out relevant data
def getCacheFile(self):
cacheFilePath = os.path.join(self.cfg.buildDir, "CMakeCache.txt")
self.cmakeCache = parseCMakeCacheFile(cacheFilePath)
if self.cmakeCache:
self.compilerPath = self.cmakeCache.get("CMAKE_C_COMPILER", "")
self.sdkPath = self.cmakeCache.get("ZEPHYR_SDK_INSTALL_DIR", "")
self.metaFile = self.cmakeCache.get("KERNEL_META_PATH", "")

Seems as either the cmakeCache file is not present (but I think I have seen it in the build directory) or KERNEL_META_PATH is not present in the cmakeCache file.

Any ideas what's up with KERNEL_META_PATH?

--

Regards

Hi,

I saw the same issue with compltains about CONFIG_BUILD_OUTPUT_META not being set even if it was with builds done with sysbuild. Wihtout sysbiuld I did not see this. It seems that west spdx can only be used on a single image at a time.

That is described in the documentation here where there is a note about sysbuild. Note however that there seems to be a slight issue there, but I had success with the peripheral_uart sample as a reference and sysbuild using this:

west spdx --init -d BUILD_DIR/peripheral_uart
west build -d BUILD_DIR -b nrf52840dk/nrf52840
west spdx -d BUILD_DIR/peripheral_uart

Hi,

Thanks for you answer.

Running west build with --no-sysbuild and -- -DCONFIG_BUILD_OUTPUT_META=y solves the problem and zephyr's SBOMs are built.