Software Bill of Materials in kmpkg
kmpkg generates a Software Bill of Materials (SBOM) based on the Software Package Data Exchange (SPDX) specification. It tracks important information used to build a package, such as source origin, and aims to provide package consumers with software transparency and integrity. See this blog post about SBOM and SPDX for more information.
kmpkg generates an SPDX file containing the SBOM information for each package that is installed. The files are located in <installed_dir>/<triplet>/share/<package name>/kmpkg.spdx.json. The installation directory depends on whether kmpkg is running in manifest mode or classic mode. Since a package can have different dependencies depending on the target platform, the generated files are separated by triplet as well.
kmpkg specific fields
The following fields generated by kmpkg may appear in your SBOM depending on how your package is built.
name
Refers to the name of the document. This field contains the package name, triplet, and version, followed by the ABI hash used to identify the package.
SPDX Reference: Document name field
creationInfo
Refers to the creator of the document, kmpkg. The creators field contains kmpkg followed by the version.
SPDX Reference: Creator field
relationships
Contains information about the relationships between kmpkg SPDX elements. SPDXRef-port refers to the port, SPDXRef-file-N refers to each file in the port (including the portfile.cmake), and SPDXRef-binary refers to the binary package. In kmpkg, the binary package is generated by the port.
SPDX Reference: Relationships field
packages
Refers to each package generated by kmpkg. SPDXRef-port refers to the port, SPDXRef-binary refers to the binary package, and SPDXRef-resource refers to any sources used in kmpkg's portfile. kmpkg heuristically generates source information from the portfile.cmake by parsing kmpkg_from_github, kmpkg_from_git, kmpkg_download_distfile and kmpkg_from_sourceforge calls.
SPDX Reference: Package information
files
Refers to each of the files in the port. It contains a relative path to the file and a checksum.
SPDX Reference: File information
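The fields above are what a consumer would read back from kmpkg.spdx.json to answer two questions: where did the sources come from, and do the port files still match the recorded checksums. The following Python is an added example, not kmpkg's own code; the SBOM document, port name and download location in it are constructed, and the key names follow the SPDX 2.x JSON schema.

```python
# Added example (not kmpkg's own code): read a kmpkg.spdx.json-style document,
# list the source origins it records, and recheck the port file checksums.
import hashlib
import os
import tempfile

PORTFILE_TEXT = b'kmpkg_from_github(REPO example/lib REF v1.0)\n'  # constructed
PORTFILE_SHA256 = hashlib.sha256(PORTFILE_TEXT).hexdigest()

SAMPLE_SBOM = {  # constructed; mirrors the fields described on this page
    "name": "example:x64-linux@1.0 0123456789abcdef",  # name, triplet, version, ABI hash
    "creationInfo": {"creators": ["Tool: kmpkg-<version>"]},
    "relationships": [
        {"spdxElementId": "SPDXRef-port", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-0"},
        {"spdxElementId": "SPDXRef-port", "relationshipType": "GENERATES",
         "relatedSpdxElement": "SPDXRef-binary"},
    ],
    "packages": [
        {"SPDXID": "SPDXRef-port", "name": "example", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-binary", "name": "example:x64-linux", "downloadLocation": "NONE"},
        {"SPDXID": "SPDXRef-resource-1", "name": "example/lib",
         "downloadLocation": "git+https://github.com/example/lib@v1.0"},
    ],
    "files": [{"SPDXID": "SPDXRef-file-0", "fileName": "./portfile.cmake",
               "checksums": [{"algorithm": "SHA256", "checksumValue": PORTFILE_SHA256}]}],
}

def source_origins(doc):
    """downloadLocation of each SPDXRef-resource package: the sources kmpkg
    inferred from the portfile's kmpkg_from_* / kmpkg_download_distfile calls."""
    return [p["downloadLocation"] for p in doc["packages"]
            if p["SPDXID"].startswith("SPDXRef-resource")]

def verify_files(doc, port_dir):
    """Recompute SHA256 for every listed file under port_dir. A missing file,
    a missing SHA256 entry or a mismatch yields False, never a silent pass."""
    result = {}
    for f in doc["files"]:
        expected = {c["algorithm"]: c["checksumValue"] for c in f["checksums"]}
        path = os.path.join(port_dir, f["fileName"])
        actual = hashlib.sha256(open(path, "rb").read()).hexdigest() if os.path.isfile(path) else None
        result[f["fileName"]] = actual is not None and actual == expected.get("SHA256")
    return result

def demo(tamper=False):
    """Materialise the constructed port in a temp dir (optionally altered) and verify it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "portfile.cmake"), "wb") as fh:
            fh.write(PORTFILE_TEXT + (b"# edited\n" if tamper else b""))
        return verify_files(SAMPLE_SBOM, d)
```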
CycloneDX support
kmpkg does not support the CycloneDX SBOM format out of the box. We recommend using the CycloneDX CLI tool to convert the SPDX JSON files generated by kmpkg to the CycloneDX format.
For example:
cyclonedx convert --input-file kmpkg.spdx.json --input-format spdxjson --output-format json --output-file <file>
Some kmpkg dependency information may be lost during conversion. Refer to the CycloneDX documentation for more details.