Software Bill of Materials

A Software Bill of Materials (SBOM) is an essential part of supply chain management, especially for complex open source projects like Apertis. Indeed, Apertis combines components from different sources and with different licenses. Without a robust automated inventory process, this diversity could lead to license compliance failures and/or security failures. An SBOM overcomes this by building an inventory of all components used in a product. For these traceability purposes, every Apertis image comes with several SBOM reports.

Licenses SBOM

To ensure a product is compliant with its components' licenses, a list of all licenses must be generated. The whole process to generate this licenses report is described in the document Automated License Compliance. Roughly, it relies on Debian's scan-copyrights tool to detect the license and copyright of each file used. The result is integrated into the binary packages. Then, when building an image, a script scans all the packages used in order to assemble all the licenses and copyright notices used in the image.
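The image-build step described above, aggregating per-package license data into an image-wide inventory, as an added example that is not the Apertis script or Debian's scan-copyrights. It assumes each binary package ships a machine-readable (DEP-5 style) copyright file with Files/License stanzas; the three package names and copyright files below are constructed for the example.

```python
"""Aggregate per-package copyright files into an image-wide license inventory.

Added example, not Apertis tooling. Assumes every installed binary package
carries a DEP-5 style debian/copyright file; the sample packages below are
constructed, not real Apertis packages.
"""
import re
from collections import defaultdict

# Constructed sample: package name -> contents of its DEP-5 style copyright file.
PACKAGE_COPYRIGHTS = {
    "libfoo1": """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2019 Example Author
License: LGPL-2.1+

Files: src/compat/*
Copyright: 2015 Other Author
License: MIT
""",
    "bar-utils": """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2020 Bar Project
License: GPL-2+
""",
    "baz-data": """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2021 Baz Maintainers
License: MIT
""",
}


def parse_copyright(text):
    """Return the set of license identifiers named in `Files:` stanzas.

    Stanzas are separated by blank lines. Standalone `License:` stanzas that
    only carry the full license text (no `Files:` field) are ignored, and for
    a multi-line License field only the identifier on the first line counts.
    """
    licenses = set()
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "Files" in fields and fields.get("License"):
            licenses.add(fields["License"])
    return licenses


def build_inventory(package_copyrights):
    """Map every license found in the image to the sorted packages using it."""
    inventory = defaultdict(set)
    for pkg, text in package_copyrights.items():
        for lic in parse_copyright(text):
            inventory[lic].add(pkg)
    return {lic: sorted(pkgs) for lic, pkgs in sorted(inventory.items())}


if __name__ == "__main__":
    for lic, pkgs in build_inventory(PACKAGE_COPYRIGHTS).items():
        print(f"{lic}: {', '.join(pkgs)}")
```

The inventory keyed by license is the useful view for a compliance review: it shows at a glance which packages pull a given license into the image, and a package with no parseable Files stanza simply contributes nothing, which is itself a finding worth surfacing.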

For instance, the licenses SBOM report for the image apertis_v2024-fixedfunction-amd64-uefi_v2024.1.img is available here v2024.1 licenses SBOM.

Moreover, OSS Review Toolkit (ORT) is used to generate supplementary reports in various formats (YAML, PDF, CycloneDX, SPDX, and WebApp), allowing an easy review of the licenses used by Apertis images. Among the generated reports there are human-friendly ones, like the dynamic WebApp report, which includes a summary of the detected licenses with statistics and diagrams. For instance, the ORT reports for the image apertis_v2024-fixedfunction-amd64-uefi_v2024.1.img are available here: v2024.1 ORT reports.

This makes Apertis compliant with the OpenChain ISO/IEC 5230:2020 International Standard.

Security SBOM

Tracking the vulnerabilities of a product during its whole lifetime can be challenging; that is where an SBOM can be of great help. For a given image, the Apertis security SBOM lists all installed packages and their versions. In addition, for every package, all the packages (with their versions) used as build dependencies are also listed. This SBOM makes it easy to track which packages might need to be rebuilt if a vulnerability is found in their dependency chain.
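A worked illustration of that rebuild tracking, added here and not part of the Apertis security SBOM tooling. The SBOM format is assumed (a JSON list of installed packages, each with its version and the build dependencies, with versions, it was built against); the package names, versions and the affected-version set are constructed for the example. The point it demonstrates is that the version recorded at build time decides whether a package is affected, not the version currently installed on the image.

```python
"""Find packages that need rebuilding after a vulnerability in a build dependency.

Added example, not Apertis tooling. SBOM format assumed: a JSON list of
installed packages, each with "name", "version" and "build_depends" (the
packages and versions it was built against). All sample data is constructed.
"""
import json
from collections import deque

SECURITY_SBOM = json.loads("""
[
  {"name": "openssl", "version": "3.0.11-1", "build_depends": []},
  {"name": "zlib",    "version": "1.3-1",    "build_depends": []},
  {"name": "libfoo",  "version": "1.2-3",
   "build_depends": [{"name": "openssl", "version": "3.0.11-1"}]},
  {"name": "app-a",   "version": "2.0-1",
   "build_depends": [{"name": "libfoo", "version": "1.2-3"},
                     {"name": "zlib",   "version": "1.3-1"}]},
  {"name": "app-b",   "version": "2.5-1",
   "build_depends": [{"name": "libfoo", "version": "1.2-2"}]},
  {"name": "app-c",   "version": "1.0-1",
   "build_depends": [{"name": "zlib", "version": "1.3-1"}]},
  {"name": "tool-d",  "version": "0.9-1",
   "build_depends": [{"name": "openssl", "version": "3.0.12-1"}]}
]
""")


def packages_to_rebuild(sbom, affected):
    """Return (rebuild, review).

    affected: {package_name: {vulnerable_version, ...}} as an advisory lists them.
    rebuild:  {package: chain}, chain running from the package down to the
              vulnerable build dependency.
    review:   {package: reason} for packages built against a version of a
              tainted package other than the one this SBOM describes, so the
              SBOM alone cannot say whether that version was tainted too.
    """
    by_name = {e["name"]: e for e in sbom}
    rebuild, review = {}, {}
    queue = deque()

    # Seed: the build-time dependency version is what matters. A package built
    # against openssl 3.0.11-1 stays affected even after openssl itself has been
    # upgraded on the image, and one built against a fixed version is clean.
    for entry in sbom:
        for dep in entry["build_depends"]:
            if dep["version"] in affected.get(dep["name"], set()):
                rebuild[entry["name"]] = [entry["name"], dep["name"]]
                queue.append(entry["name"])
                break

    # Propagate up the chain: anything built against a tainted package, at the
    # tainted version, is tainted as well.
    while queue:
        tainted = queue.popleft()
        tainted_version = by_name[tainted]["version"]
        for entry in sbom:
            name = entry["name"]
            if name in rebuild:
                continue
            for dep in entry["build_depends"]:
                if dep["name"] != tainted:
                    continue
                if dep["version"] == tainted_version:
                    rebuild[name] = [name] + rebuild[tainted]
                    review.pop(name, None)
                    queue.append(name)
                else:
                    review[name] = (f"built with {tainted} {dep['version']}, "
                                    f"SBOM only covers {tainted} {tainted_version}")
    return rebuild, review


if __name__ == "__main__":
    # Constructed advisory: only openssl 3.0.11-1 is affected.
    to_rebuild, to_review = packages_to_rebuild(SECURITY_SBOM, {"openssl": {"3.0.11-1"}})
    for pkg, chain in to_rebuild.items():
        print(f"rebuild {pkg}: {' -> '.join(chain)}")
    for pkg, reason in to_review.items():
        print(f"review  {pkg}: {reason}")
```

On the sample data, libfoo and app-a land in the rebuild set, tool-d is left alone because it was built against a non-affected openssl version, and app-b is reported for manual review because it was built against a libfoo version this SBOM does not describe. Real Debian version comparison (dpkg --compare-versions semantics) would replace the exact-match check against the advisory's version set.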

For instance, the security SBOM for the image apertis_v2024-fixedfunction-amd64-uefi_v2024.1.img is available here: v2024.1 security SBOM.

This information makes it easy to track CVEs that might affect Apertis packages.