|
|
@@ -180,6 +180,34 @@ a newer upstream version for those packages.
|
|
|
make pkg-stats
|
|
|
----
|
|
|
|
|
|
+=== Generating CycloneDX SBOM
|
|
|
+
|
|
|
+Based on the output of +show-info+ Buildroot can generate a SBOM in
|
|
|
+the CycloneDX format. While it doesn't offer any additional
|
|
|
+information, CycloneDX is a format specification that can be consumed
|
|
|
+by other projects.
|
|
|
+
|
|
|
+----
|
|
|
+make show-info | utils/generate-cyclonedx
|
|
|
+----
|
|
|
+
|
|
|
+For more information check the help of the +generate-cyclonedx+ script, the
|
|
|
+script call can be tailored to your project.
|
|
|
+
|
|
|
+----
|
|
|
+utils/generate-cyclonedx --help
|
|
|
+----
|
|
|
+
|
|
|
+Similarly to +pkg-stats+, CycloneDX SBOM's can be enriched with vulnerability
|
|
|
+analysis from the NVD database.
|
|
|
+
|
|
|
+----
|
|
|
+make show | utils/generate-cyclonedx > sbom.cdx.json
|
|
|
+cat sbom.cdx.json | support/scripts/cve-check --nvd-path dl/buildroot-nvd/
|
|
|
+----
|
|
|
+
|
|
|
+For more information about CycloneDX see https://cyclonedx.org/[].
|
|
|
+
|
|
|
=== Graphing the dependencies between packages
|
|
|
|
|
|
[[graph-depends]]
|
Thomas Perale