Skip to main content

SBOM (Software Bill of Materials)

What is an SBOM

An SBOM is an inventory of all software packages that make up a software version. Common formats are CycloneDX, SPDX, and SWID.

Memfault SBOM support

Memfault supports attaching a single SBOM file to a software version. This can be a JSON, XML, SPDX, or YAML file. If you have multiple SBOM files that define a single version, you must first merge them. This can be done using a tool specific to the SBOM format, for example the CycloneDX CLI or sbommerge.

note

Memfault does not currently validate specific formats or parse the SBOM file, but will ensure that the file is a valid file (i.e. valid JSON, XML, SPDX, or YAML).

Uploading an SBOM

You can upload an SBOM manually via the web app or via the CLI. We recommend uploading the SBOM via your CI build process for that specific version - see Uploading SBOMs from CI/CD for an example.

If you use Memfault OTA, you should upload the SBOM right after you upload the artifacts for that Release.

Web App

To upload an SBOM, navigate to the Versions tab, choose a Software Type, and click "Upload" under the SBOM column.

You can also download an existing SBOM from the same page.

CLI

Use the upload-software-version-sbom command to upload an SBOM:

memfault \
--org-token $ORG_TOKEN \
--org acme-inc \
--project smart-sink \
upload-software-version-sbom \
--software-type stm32-fw \
--software-version 1.0.0-alpha \
build/sbom.json
note

Only a single SBOM can be attached to one software version. Any subsequent uploads will fail. To replace the SBOM, delete it first.

Generating SBOMs

See the following guides for how to generate SPDX documents for common platforms:

Nordic nRF Connect SDK

Follow the guide here to generate an SBOM for your NCS project:

https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/scripts/west_commands/sbom/README.html

Specifically, after setting up the ncs-sbom west command and building your project, run this command to generate an SBOM in SPDX format:

west ncs-sbom -d build --output-spdx sbom.spdx
note

This command can take several minutes to complete (>15 minutes) depending on the size of your project and the number of dependencies.

The .spdx file can then be uploaded to Memfault's SBOM management system.

Zephyr RTOS

Zephyr provides a west utility to generate an SBOM in SPDX format:

https://docs.zephyrproject.org/4.0.0/develop/west/zephyr-cmds.html#software-bill-of-materials-west-spdx

To generate an SBOM for your project, follow these steps:

  1. Generate the SPDX files:

    # NOTE: for sysbuild projects, the build directory will be "build/<application>"
    # NOTE: start with a clean build, i.e. "rm -rf build"
    $ west spdx --init --build-dir=build
    $ west build --pristine always ...
    $ west spdx --build-dir=build

    The SPDX documents will be generated into the build directory under a directory named spdx:

    build/spdx
    ├── app.spdx
    ├── build.spdx
    ├── modules-deps.spdx
    └── zephyr.spdx
  2. Merge the files into a single document. This can be done with the spdxmerge utility:

    # install the utility
    $ pip install spdxmerge
    # merge the SPDX documents. arguments are example values, adjust as needed.
    # NOTE: merge type is "1" for deep merge
    $ spdxmerge \
    --name "Product Name" \
    --author "Author Name" \
    --email "author@email.net" \
    --docnamespace "https://spdx.organization.name" \
    --filetype t \
    --mergetype 1 \
    --docpath build/spdx --outpath build/spdx
    File spdx/merged-SBoM-deep.spdx is generated
  3. The merged file has a minor error that causes it to fail SPDX validation. Correct it by opening it and find/replacing the fields in question, or use the sed utility:

    $ sed -i 's/FilesAnalyzed: True/FilesAnalyzed: true/' build/spdx/merged-SBoM-deep.spdx

The output file, build/spdx/merged-SBoM-deep.spdx, is the one to upload to Memfault's SBOM management system.

Espressif ESP32

Espressif provides a utility, esp-idf-sbom, to generate an SBOM in SPDX format:

https://github.com/espressif/esp-idf-sbom

To generate an SBOM for your project, follow these steps:

  1. Build the project as usual with idf.py build.

  2. Run the esp-idf-sbom utility:

    # install the tool if needed
    $ pip install esp-idf-sbom
    $ esp-idf-sbom create build/project_description.json --output-file memfault_demo_app.spdx

The output file, here memfault_demo_app.spdx, is the one to upload to Memfault's SBOM management system.

Yocto

The OpenEmbedded build system can generate an SBOM for your image in SPDX format. See the upstream Yocto documentation for details:

https://docs.yoctoproject.org/dev/dev-manual/sbom.html

On recent Yocto releases (scarthgap and newer), the create-spdx class is inherited by default and SBOM generation runs automatically when you build an image. On older releases, enable it by adding the following to your conf/local.conf:

INHERIT += "create-spdx"

Build an image as usual, e.g.:

$ bitbake core-image-minimal

The merged image SBOM is written to:

tmp/deploy/images/<MACHINE>/<image>-<MACHINE>.spdx.json

This is the file to upload to Memfault's SBOM management system.