SBOM (Software Bill of Materials)
What is an SBOM
An SBOM is an inventory of all software packages that make up a software version. Common formats are CycloneDX, SPDX, and SWID.
Memfault SBOM support
Memfault supports attaching a single SBOM file to a software version. This can be a JSON, XML, SPDX, or YAML file. If you have multiple SBOM files that define a single version, you must first merge them. This can be done using a tool specific to the SBOM format, for example the CycloneDX CLI or sbommerge.
Memfault does not currently validate specific SBOM formats or parse the SBOM file, but it does check that the uploaded file is well-formed (i.e. valid JSON, XML, SPDX, or YAML).
Uploading an SBOM
You can upload an SBOM manually via the web app or via the CLI. We recommend uploading the SBOM via your CI build process for that specific version.
If you use Memfault OTA, you should upload the SBOM right after you upload the artifacts for that Release.
Web App
To upload an SBOM, navigate to the Versions tab, choose a Software Type, and click "Upload" under the SBOM column.
You can also download an existing SBOM from the same page.
CLI
Use the upload-software-version-sbom command to upload an SBOM:
memfault \
--org-token $ORG_TOKEN \
--org acme-inc \
--project smart-sink \
upload-software-version-sbom \
--software-type stm32-fw \
--software-version 1.0.0-alpha \
build/sbom.json
Only a single SBOM can be attached to one software version. Any subsequent uploads will fail. To replace the SBOM, delete it first.
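The following is an added example, not Memfault's own code, showing a small CI helper that ties the two steps above together: it merges two partial CycloneDX JSON documents into the single file Memfault requires (deduplicating components by purl; for real builds use the CycloneDX CLI or sbommerge, which also reconcile dependency graphs and metadata), checks that the result is well-formed before the upload step so a malformed file fails the build rather than the upload, and assembles the memfault CLI invocation shown on this page. The two SBOM fragments, the component names and versions, and the environment variable name MEMFAULT_ORG_TOKEN are constructed for the example; nothing here contacts the network.

```python
"""CI helper (added example): merge, validate, then build the upload command."""
import json
import os
import subprocess
import sys
from pathlib import Path

# Constructed sample inputs: two partial CycloneDX 1.5 documents for one build,
# e.g. one emitted per sub-project. They overlap on mbedtls.
SBOM_A = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "mbedtls", "version": "3.4.0",
         "purl": "pkg:generic/mbedtls@3.4.0"},
        {"type": "library", "name": "freertos-kernel", "version": "10.6.1",
         "purl": "pkg:github/FreeRTOS/FreeRTOS-Kernel@10.6.1"},
    ],
}
SBOM_B = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "mbedtls", "version": "3.4.0",   # duplicate
         "purl": "pkg:generic/mbedtls@3.4.0"},
        {"type": "library", "name": "lwip", "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
    ],
}


def merge_cyclonedx(*docs):
    """Merge CycloneDX JSON documents, deduplicating components by purl.

    Minimal illustration of the merge step the page describes; it keeps the
    first occurrence of each component and drops everything except the
    component list. Real merges should use the CycloneDX CLI or sbommerge.
    """
    seen = {}
    for doc in docs:
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("not a CycloneDX document")
        for comp in doc.get("components", []):
            key = comp.get("purl") or (comp.get("name"), comp.get("version"))
            seen.setdefault(key, comp)
    return {"bomFormat": "CycloneDX", "specVersion": docs[0]["specVersion"],
            "components": list(seen.values())}


def validate_sbom_file(path):
    """Check the file parses as JSON and looks like a CycloneDX document.

    Mirrors the well-formedness check Memfault applies on upload, so CI can
    fail early. Returns the parsed document; raises ValueError otherwise.
    """
    try:
        doc = json.loads(Path(path).read_text())
    except json.JSONDecodeError as exc:
        raise ValueError(f"{path}: not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or "bomFormat" not in doc:
        raise ValueError(f"{path}: missing bomFormat, not a CycloneDX SBOM")
    return doc


def upload_command(org, project, software_type, version, sbom_path, token):
    """Assemble the memfault CLI call from the page as an argv list."""
    return ["memfault", "--org-token", token, "--org", org, "--project", project,
            "upload-software-version-sbom",
            "--software-type", software_type,
            "--software-version", version, str(sbom_path)]


if __name__ == "__main__":
    out = Path("build") / "sbom.json"
    out.parent.mkdir(exist_ok=True)
    out.write_text(json.dumps(merge_cyclonedx(SBOM_A, SBOM_B), indent=2))
    validate_sbom_file(out)
    token = os.environ.get("MEMFAULT_ORG_TOKEN")  # assumed variable name
    if not token:
        sys.exit("MEMFAULT_ORG_TOKEN is not set")
    cmd = upload_command("acme-inc", "smart-sink", "stm32-fw", "1.0.0-alpha",
                         out, token)
    # Only one SBOM may be attached per version; a second upload fails, so run
    # this once per version (or delete the existing SBOM first).
    sys.exit(subprocess.call(cmd))
```

Run it from the build job after the firmware artifacts (and, if you use Memfault OTA, the Release) have been uploaded; the token is read from the environment rather than written into the script.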
Generating SBOMs
See the following guides for how to generate SPDX documents for common platforms: