Status/2025Q4/sbmo.adoc: Add report

Differential Revision: https://reviews.freebsd.org/D54345
2026-01-11 19:56:47 +00:00 · 2025-12-30 11:22:02 +01:00 · 2025-12-30 11:22:02 +01:00 · fca85bb36a
commit fca85bb36a
parent 714747f016
1 changed files with 36 additions and 0 deletions
--- a/website/content/en/status/report-2025-10-2025-12/sbom.adoc
+++ b/website/content/en/status/report-2025-10-2025-12/sbom.adoc
@ -0,0 +1,36 @@
+=== FreeBSD Software Bill of Materials
+
+Links: +
+link:https://github.com/pkgconf/pkgconf/pull/429[pkgconf PR 429 which adds spdxtool] URL: link:https://github.com/pkgconf/pkgconf/pull/429[] +
+link:https://spdx.github.io/spdx-spec/v3.0.1/[SPDX Lite 3.0.1 documentation] URL: link:https://spdx.github.io/spdx-spec/v3.0.1/[] +
+link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/json-ld/FreeBSD.jsonld[FreeBSD SPDX 3.0.1 JSON-LD file: FreeBSD.jsonld] URL: link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/json-ld/FreeBSD.jsonld[] +
+link:https://github.com/illuusio/freebsd-src/tree/freebsd-sbom/share/sbom[Source files to make SBOM] URL: link:https://github.com/illuusio/freebsd-src/tree/freebsd-sbom/share/sbom[] +
+link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/license.md[Current status of license gathering for SBOM in Markdown file] URL: link:https://github.com/FreeBSDFoundation/alpha-omega-beach-cleaning/blob/illuusio/update-licenses/license.md[] +
+link:https://reviews.freebsd.org/D53318[Add sbom target to Makefile and needed Lua scripts] URL: link:https://reviews.freebsd.org/D53318[] +
+link:https://reviews.freebsd.org/D53317[Lua functions to handle make command output for specific FreeBSD ports targets] URL: link:https://reviews.freebsd.org/D53317[] +
+link:https://reviews.freebsd.org/D53316[Add Lua Logging module to FreeBSD ports tree and introduce Lua functions and modules to ports] URL: link:https://reviews.freebsd.org/D53316[]
+
+Contact: Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
+
+The Software Bill of Materials (SBOM) project has been ongoing since May, with the goal of providing the necessary tooling to create SBOMs from FreeBSD Ports and the base system.
+
+One of the major developments in 2025Q4 was upstreaming spdxtool to the pkgconf upstream. The upstreamed code ensures that pkgconf tools have an SPDX Lite 3.0.1 profile-compatible SBOM creation tool with the next release.
+
+Another significant effort has been gathering information about applications that form part of the FreeBSD base system.
+These applications are primarily located in the [.filename]#usr.bin#, [.filename]#usr.sbin#, [.filename]#sbin#, and [.filename]#bin# directories inside FreeBSD git repository.
+The FreeBSD Alpha Omega Beach Cleaning project has been instrumental as it gathers information about third-party libraries and applications, and I have contributed to this effort.
+Now there is Lua scripts and a file that can produce the needed files for pkgconf's spdxtool, which can be exported in SPDX JSON-LD format.
+
+Tools using this gathered information and current raw data can be found in my fork of the FreeBSD src tree. Mainly, all C and header files that hold SPDX-License-Identifier are now gathered and processed.
+
+There have also been efforts to upstream SBOM creation per package for FreeBSD Ports, but this has stalled and needs updating.
+
+If you want to help with this effort:
+
+* Add SPDX-License-Identifier headers to C and header files under the FreeBSD src.
+* Verify that the files current SPDX-License-Identifier is correct.
+* Verify that the gathered information is accurate.
+  Currently, all tools that have some man page for section 1, 7, and 8 are added, with descriptions taken from the man page using a script.
+  These may be incorrect.
+
+Sponsor: The FreeBSD Foundation