Fossil User Forum

Software Bill Of Materials interest
Login

Software Bill Of Materials interest

Hierarchical

Software Bill Of Materials interest

(1) By anonymous on 2025-02-28 06:44:51 [link] [source]

A project we are working on requires us to generate software bill of materials from a set of components in fossil.

See cyclonedx.org for the standard and noting the existing tools we are considering a small TCL based tool which combines fossil version info and some elf analysis.

Would there any interest in this? The code for the project is a mix of licenses so bsd2 could be used and we would do the development but if there is anyone interested in looking at it is question 2 or has someone done this already.

(2) By Richard Hipp (drh) on 2025-02-28 14:50:43 in reply to 1 [link] [source]

This proposal would carry a lot more weight if it came from a registered users, especially a registered user using their real name rather than a handle or alias, and if it contained more detail about the proposed enhancement, as well as a list of advantages associated with supporting this feature. As it stands now, it has low probability of gaining any traction.

(3) By Warren Young (wyoung) on 2025-02-28 16:55:49 in reply to 1 [link] [source]

SBOM is more closely aligned with packaging and distribution, not development. Not until you have distributable binaries can you have the full SBOM.

If you want to tie Fossil into an SBOM system that works top-down from the committed source code — as opposed to the bottom-up binary method I've just advocated for — I think you'd be more productive selecting a suitably FOSS alternative from that list and then adding the ability to clone directly from Fossil and reference its commit IDs. Until someone does that, the prime probability is that each tool you look at will presume Git is the only DVCS in existence.

While Fossil has the ability to mirror to a Git repo, and that this can aid integration with such third-party tooling, it creates an impedance mismatch which may be problematic in light of the traceability requirements SBOM implies. When someone tells you to give them an auditable list of what went into the software, they will prefer that you point right at each referent, not point at the thing that points at the thing.

(4) By pjm (PhilMaker) on 2025-02-28 21:48:09 in reply to 2 [link] [source]

Richard,

Twas me who posted it from under a small tree in the tropics. I've signed a signed a contributor agreement long ago so apologies re: This proposal would carry a lot more weight if it came from a registered users, especially a registered user using their real name rather than a handle or alias,

The purpose was to answer:

  1. Anyone (at all) interested in the whole SBOM thing with fossil. Answer: seems to be no which is fine, we just need to solve it anyways.
  2. Prior works that may be interest noting I've done a fair bit of work reviewing the alternatives as mentioned by Warren.

and if it contained more detail about the proposed enhancement, as well as a list of advantages associated with supporting this feature.

I'll write up a summary of the scope of works for penance in a separate message, just in case anyone comes across and close the issue.

As it stands now, it has low probability of gaining any traction.

Ack.

(5) By pjm (PhilMaker) on 2025-02-28 22:04:29 in reply to 3 [link] [source]

Warren,

Thanks, I think I'm proposing what you describe in para 2, i.e. a top down and bottom up generation along with a merge using existing tools. I guess the main points are:

  1. No suggestion of a change to fossil itself, just conventions.
  2. A tool that generates a per component SBOM with references using a collection of fossil repos as the basis.
  3. For the binary build use the existing toolsets as you say.

I'll write a summary in response for penance to the original post but pretty much lets consider it a non-problem.

(6) By pjm (PhilMaker) on 2025-02-28 22:58:31 in reply to 1 [source]

G'day,

A few more details to close this out.

  1. This was not intended to be a change to fossil (to be clear).
  2. Its not intended to replace existing toolsets that generate/combine/.. SBOMS from binaries etc. The intent is to run those separately.
  3. It is intended to generate component level SBOMs from source in fossil repos (a large number) and then use it as a basis for the system SBOMS. This is in the context of a distributed control system with at least some verified components.

Why:

  1. A minimalist SBOM generator could be useful to tick the boxes for the government.
  2. Some of the SBOM tools have very large dependency chains and the aim was to minimise those, at least for the build process and source level components.

How:

Fossil workdir or repo Template Expander Component SBOM json Template 
boxrad = 3

cylinder "Fossil" "workdir or" "repo" fit
arrow
E: box "Template" "Expander" fit
arrow 
file "Component" "SBOM" "json" fit
down
move
left
move 1.3
T: file "Template"
arrow from T.n to E.s

The template expander is a tiny TCL program that just calls out to fossil, sqlite etc to generate the appropriate data SBOM in JSON.

In terms of use case we have a large ~1000 set of fossil repos each representing a separate component (e.g. a Wind Turbine Model) which may have separate licensing, ownership and distribution conditions. That data is kept in the fossil component repo so it makes sense to extract it automagically for the SBOM perhaps.

Anyways consider this closed, the Good Idea Fairy.