From b0cc1ff41b498458c3f4eacfdfc13c8e33af8076 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Mon, 25 Nov 2024 14:37:10 +0000
Subject: [PATCH] Add a SBOM template in CycloneDX format

Improve supply chain security by including a SBOM file with substituted values. This will be used to construct a composite platform SBOM.

Signed-off-by: Richard Hughes
---
 .reuse/dep5 | 1 +
 packaging/sbom.cdx.json | 44 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 packaging/sbom.cdx.json

diff --git a/.reuse/dep5 b/.reuse/dep5
index a6696ce4..cb066372 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -23,6 +23,7 @@ Files: .github/*
  .clang-format
  .clang-format-ignore
  packaging/pkcs11-provider.spec
+ packaging/sbom.cdx.json
  docs/*
  tests/lsan.supp
  tools/openssl*.cnf
diff --git a/packaging/sbom.cdx.json b/packaging/sbom.cdx.json
new file mode 100644
index 00000000..7508cf7c
--- /dev/null
+++ b/packaging/sbom.cdx.json
@@ -0,0 +1,44 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "authors": [
+      {
+        "name": "@VCS_SBOM_AUTHORS@"
+      }
+    ]
+  },
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "pkg:github/latchset/pkcs11-provider@@VCS_TAG@",
+      "cpe": "cpe:2.3:a:latchset:pkcs11-provider:@VCS_TAG@:*:*:*:*:*:*:*",
+      "name": "pkcs11-provider",
+      "version": "@VCS_VERSION@",
+      "description":
+        "OpenSSL 3.x provider to access Hardware and Software Tokens using the PKCS#11 Cryptographic Token Interface",
+      "supplier": {
+        "name": "pkcs11-provider developers"
+      },
+      "authors": [
+        {
+          "name": "@VCS_AUTHORS@"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "vcs",
+          "url": "https://github.com/latchset/pkcs11-provider"
+        }
+      ]
+    }
+  ]
+}
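Review bot: The component in packaging/sbom.cdx.json carries its package URL only in `bom-ref`, which CycloneDX treats as a document-local identifier, so SBOM consumers that match components to vulnerability data by `purl` (the field the composite platform SBOM will most likely be keyed on) will not see one; add `"purl": "pkg:github/latchset/pkcs11-provider@@VCS_TAG@",` alongside the existing `bom-ref`. The `cpe` string embeds `@VCS_TAG@` as its version field while `version` uses `@VCS_VERSION@`; if the tag carries a prefix such as `v`, the substituted CPE will presumably not match the bare version in NVD-style CPE entries, so it is worth confirming which placeholder the build intends there. Since the substituted values land inside JSON string literals unescaped, the substitution step should validate the rendered file against the CycloneDX 1.6 schema so that a stray quote or control character in an author list cannot produce an unparsable BOM. The `.reuse/dep5` hunk only registers the new path and needs no change.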