SBOM - Software Bill of Materials

I discovered seL4 at a conference I’m currently attending and it looks really interesting. Seems it would play nicely with use cases proposed around SBOMs (software bill of materials) at https://www.ntia.gov/sbom. Any possibility a CycloneDX (or SWID or SPDX) SBOM has been created for any version of seL4, or better yet that it is built into the build process? If so, I’d like to include it in the corpus being built up by that group. If not, would anyone consider adding SBOM as a feature?

Hey @sfractal, sorry for not seeing this message earlier. seL4 is using SPDX, so if you download the seL4 repo from GitHub - seL4/seL4: The seL4 microkernel and run the command

reuse spdx

it will generate a full bill of materials. The reuse tool is available from GitHub - fsfe/reuse-tool: The tool for checking and helping with compliance with the REUSE recommendations.

The same is now true for the other repositories under the seL4 GitHub organisation, i.e. the libraries and component platform on top of seL4 that the seL4 foundation provides. The SPDX information is checked as part of the build process, i.e. all repositories should be compliant and be able to generate that bill of materials.
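
As an added example (not code from this thread or from the seL4 project), here is one way to consume the bill of materials that `reuse spdx` produces: parse the per-file entries, group files by declared license, and flag files with no license or copyright information. It assumes SPDX tag-value output using the `FileName`, `LicenseInfoInFile` and `FileCopyrightText` tags; the sample document and its paths are constructed.

```python
from collections import defaultdict
# Constructed sample in SPDX tag-value form; the paths and notices are made up.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
FileName: ./example/a.c
LicenseInfoInFile: GPL-2.0-only
FileCopyrightText: <text>Copyright Example Holder
Note: constructed multi-line notice</text>

FileName: ./example/b.h
LicenseInfoInFile: BSD-2-Clause
FileCopyrightText: <text>Copyright Example Holder</text>

FileName: ./example/c.py
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NONE
"""
UNKNOWN = ("NONE", "NOASSERTION")

def parse_files(text):
    """Return one dict per FileName entry; LicenseInfoInFile may repeat, so it is a list."""
    files, current, in_text = [], None, False
    for line in text.splitlines():
        if in_text:  # continuation of a multi-line <text>...</text> value, not a tag
            in_text = "</text>" not in line
            continue
        tag, sep, value = (part.strip() for part in line.partition(":"))
        in_text = "<text>" in value and "</text>" not in value
        if not sep or (current is None and tag != "FileName"):
            continue  # blank line, or a document-level tag before the first file
        if tag == "FileName":
            current = {"FileName": value, "LicenseInfoInFile": []}
            files.append(current)
        elif tag == "LicenseInfoInFile":
            current[tag].append(value)
        else:
            current[tag] = value
    return files

def by_license(files):  # license identifier -> files that declare it
    summary = defaultdict(list)
    for f in files:
        for lic in f["LicenseInfoInFile"] or ["NOASSERTION"]:
            summary[lic].append(f["FileName"])
    return dict(summary)

def missing_info(files):  # files with no concrete license or no copyright notice
    return [f["FileName"] for f in files
            if all(l in UNKNOWN for l in f["LicenseInfoInFile"])
            or f.get("FileCopyrightText", "NONE") in UNKNOWN]
```

To run it on a real repository, pass the text produced by `reuse spdx` to `parse_files` in place of `SAMPLE_SPDX`.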