Create a BOM inventory - dcasota/photonos-scripts GitHub Wiki

Tools

https://github.com/anchore/syft
https://github.com/IBM/cbomkit-theia
https://github.com/IBM/sonar-cryptography

Weblinks

see https://github.com/vmware/photon/issues/1576

I used the SBOM tool syft (syft ./photon/ -o spdx-json=sbom.spdx.json --scope all-layers) and compared the output file sbom.spdx.json with the Ph5 license.txt files using a pwsh helper script, Ph5spdxDiff.

Syft runs on x86_64 and Arm64, can generate SPDX v2.2.1 output (the format compliant with Executive Order 14028 and ISO/IEC 5962:2021), and also emits the CycloneDX format. No, a cryptographic bill of materials (CBOM) is not possible with it (yet?).

Overall, the matching is very good. Syft separates the declared license per rpm, which is a plus in granularity compared to the single Ph5 license.txt file per spec directory. In addition, the same rpm name built in different versions becomes distinguishable; here is the devel rpm diff for the sbom.spdx.json above.
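The comparison described above, as an added example in Python rather than the author's pwsh Ph5spdxDiff script (this is not the project's own code): it reads the per-package licenseDeclared values from a Syft-style SPDX JSON document, keeps name and version in the key so two builds of the same rpm stay distinct, and classifies each package against a per-spec-directory license table. The SBOM fragment and the license table are constructed stand-ins for sbom.spdx.json and the Ph5 license.txt files.

```python
"""Diff per-package declared licenses in an SPDX JSON SBOM against a
per-spec-directory license table (constructed sample data)."""
import json

# Constructed minimal SPDX 2.2 JSON fragment in the shape Syft emits for an
# RPM scan: name, version and declared license per package. Not real data.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.8-1.ph5", "licenseDeclared": "Apache-2.0"},
        {"name": "openssl", "versionInfo": "3.0.9-1.ph5", "licenseDeclared": "Apache-2.0"},
        {"name": "zlib", "versionInfo": "1.2.13-1.ph5", "licenseDeclared": "Zlib"},
        {"name": "curl", "versionInfo": "8.1.2-1.ph5", "licenseDeclared": "curl"},
        {"name": "bash", "versionInfo": "5.1.8-1.ph5", "licenseDeclared": "NOASSERTION"},
        {"name": "tdnf", "versionInfo": "3.5.2-1.ph5", "licenseDeclared": "LGPL-2.1-only"},
    ],
})

# Constructed stand-in for the license.txt files: spec directory -> license.
SPEC_LICENSES = {"openssl": "Apache-2.0", "zlib": "Zlib", "curl": "MIT", "bash": "GPL-3.0-or-later"}


def sbom_packages(sbom_json):
    """Return {(name, version): declared_license}. Keeping the version in the
    key is what makes two builds of the same rpm name distinguishable."""
    doc = json.loads(sbom_json)
    return {(p["name"], p.get("versionInfo", "")): p.get("licenseDeclared", "NOASSERTION")
            for p in doc.get("packages", [])}


def spdx_diff(sbom_json, spec_licenses):
    """Classify every SBOM package against the per-spec license table.
    'noassertion' and 'no_spec' are the cases that need a manual look."""
    result = {"match": [], "mismatch": [], "noassertion": [], "no_spec": []}
    for (name, version), declared in sorted(sbom_packages(sbom_json).items()):
        entry = f"{name}-{version}"
        if declared == "NOASSERTION":
            result["noassertion"].append(entry)       # SBOM tool could not tell
        elif name not in spec_licenses:
            result["no_spec"].append(entry)           # no license.txt to compare
        elif declared == spec_licenses[name]:
            result["match"].append(entry)
        else:
            result["mismatch"].append((entry, declared, spec_licenses[name]))
    return result


if __name__ == "__main__":
    for kind, items in spdx_diff(SAMPLE_SBOM, SPEC_LICENSES).items():
        print(f"{kind}: {items}")
```

Against a real run, replace SAMPLE_SBOM with the contents of sbom.spdx.json and build SPEC_LICENSES by reading each spec directory's license.txt.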