SBOM (Software Bill of Materials)
What is an SBOM
An SBOM is an inventory of all software packages that make up a software version. Common formats are CycloneDX, SPDX, and SWID.
Memfault SBOM support
Memfault supports attaching a single SBOM file to a software version. This can be a JSON, XML, SPDX, or YAML file. If you have multiple SBOM files that define a single version, you must first merge them. This can be done using a tool specific to the SBOM format, for example the CycloneDX CLI or sbommerge.
Memfault does not currently validate specific formats or parse the SBOM file, but will ensure that the file is a valid file (i.e. valid JSON, XML, SPDX, or YAML).
Uploading an SBOM
You can upload an SBOM manually via the web app or via the CLI. We recommend uploading the SBOM via your CI build process for that specific version - see Uploading SBOMs from CI/CD for an example.
If you use Memfault OTA, you should upload the SBOM right after you upload the artifacts for that Release.
Web App
To upload an SBOM, navigate to the Versions tab, choose a Software Type, and click "Upload" under the SBOM column.
You can also download an existing SBOM from the same page.
CLI
Use the
upload-software-version-sbom
command to upload an SBOM:
memfault \
--org-token $ORG_TOKEN \
--org acme-inc \
--project smart-sink \
upload-software-version-sbom \
--software-type stm32-fw \
--software-version 1.0.0-alpha \
build/sbom.json
Only a single SBOM can be attached to one software version. Any subsequent uploads will fail. To replace the SBOM, delete it first.
Generating SBOMs
See the following guides for how to generate SPDX documents for common platforms:
Nordic nRF Connect SDK
Follow the guide here to generate an SBOM for your NCS project:
https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/scripts/west_commands/sbom/README.html
Specifically, after setting up the ncs-sbom west command and building your
project, run this command to generate an SBOM in SPDX format:
west ncs-sbom -d build --output-spdx sbom.spdx
This command can take several minutes to complete (>15 minutes) depending on the size of your project and the number of dependencies.
The .spdx file can then be uploaded to Memfault's
SBOM management system.
Zephyr RTOS
Zephyr provides a west utility to generate an SBOM in SPDX format:
To generate an SBOM for your project, follow these steps:
-
Generate the SPDX files:
# NOTE: for sysbuild projects, the build directory will be "build/<application>"# NOTE: start with a clean build, i.e. "rm -rf build"$ west spdx --init --build-dir=build$ west build --pristine always ...$ west spdx --build-dir=buildThe SPDX documents will be generated into the build directory under a directory named
spdx:build/spdx├── app.spdx├── build.spdx├── modules-deps.spdx└── zephyr.spdx -
Merge the files into a single document. This can be done with the
spdxmergeutility:# install the utility$ pip install spdxmerge# merge the SPDX documents. arguments are example values, adjust as needed.# NOTE: merge type is "1" for deep merge$ spdxmerge \--name "Product Name" \--author "Author Name" \--email "author@email.net" \--docnamespace "https://spdx.organization.name" \--filetype t \--mergetype 1 \--docpath build/spdx --outpath build/spdxFile spdx/merged-SBoM-deep.spdx is generated -
The merged file has a minor error that causes it to fail SPDX validation. Correct it by opening it and find/replacing the fields in question, or use the
sedutility:$ sed -i 's/FilesAnalyzed: True/FilesAnalyzed: true/' build/spdx/merged-SBoM-deep.spdx
The output file, build/spdx/merged-SBoM-deep.spdx, is the one to upload to
Memfault's SBOM management system.
Espressif ESP32
Espressif provides a utility, esp-idf-sbom, to generate an SBOM in SPDX
format:
https://github.com/espressif/esp-idf-sbom
To generate an SBOM for your project, follow these steps:
-
Build the project as usual with
idf.py build. -
Run the
esp-idf-sbomutility:# install the tool if needed$ pip install esp-idf-sbom$ esp-idf-sbom create build/project_description.json --output-file memfault_demo_app.spdx
The output file, here memfault_demo_app.spdx, is the one to upload to
Memfault's SBOM management system.
Yocto
The OpenEmbedded build system can generate an SBOM for your image in SPDX format. See the upstream Yocto documentation for details:
https://docs.yoctoproject.org/dev/dev-manual/sbom.html
On recent Yocto releases (scarthgap and newer), the create-spdx class is
inherited by default and SBOM generation runs automatically when you build an
image. On older releases, enable it by adding the following to your
conf/local.conf:
INHERIT += "create-spdx"
Build an image as usual, e.g.:
$ bitbake core-image-minimal
The merged image SBOM is written to:
tmp/deploy/images/<MACHINE>/<image>-<MACHINE>.spdx.json
This is the file to upload to Memfault's SBOM management system.