Re: [PATCH v4 00/15] add SPDX SBOM generation script

[Greg KH <gregkh@linuxfoundation.org>]

On Tue, Feb 10, 2026 at 09:54:09PM +0100, Luis Augenstein wrote:
> This patch series introduces a Python-based script for generating SBOM
> documents in the SPDX 3.0.1 format for kernel builds.
> 
> A Software Bill of Materials (SBOM) describes the individual components
> of a software product. For the kernel, the goal is to describe the
> distributable build outputs (typically the kernel image and modules),
> the source files involved in producing these outputs, and the build
> process that connects the source and output files.
> 
> To achieve this, the sbom script generates three SPDX documents:
> 
> - sbom-output.spdx.json
>   Describes the final build outputs together with high-level
>   build metadata.
> 
> - sbom-source.spdx.json
>   Describes all source files involved in the build, including
>   licensing information and additional file metadata.
> 
> - sbom-build.spdx.json
>   Describes the entire build process, linking source files
>   from the source SBOM to output files in the output SBOM.
> 
> The sbom script is optional. It can be invoked via the `make sbom` target.
> This target depends on `all` and triggers a standard kernel build. Once all
> output artifacts have been generated, starting from the kernel image and
> modules as root nodes, the script reconstructs the dependency graph up
> to the original source files. Build dependencies are primarily derived from
> the `.cmd` files generated by Kbuild, which record the full command used
> to build each output file.
> 
> Currently, the script only supports x86 and arm64 architectures.
> 
> This series was developed with assistance from AI tools, namely Cursor
> with Claude Sonnet 4.5 and OpenCode with GLM-4.7. The AI was used for
> documentation, exploring the repository, and iterating on design
> questions and implementation details such as regex patterns.
> 
> Assisted-by: Claude Sonnet 4.5
> Assisted-by: GLM-4.7
> Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
> Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
> Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
> ---
> Changes in v4:
> - move sbom script from tools/ to scripts/ and simplify Makefile
> - use $(Q), $(PYTHON3) in scripts/sbom/Makefile
> - replace README with Documentation/tools/sbom/sbom.rst
> - add Assisted-by tags to document usage of AI tools
> ---
> Luis Augenstein (15):
>   scripts/sbom: add documentation
>   scripts/sbom: integrate script in make process
>   scripts/sbom: setup sbom logging
>   scripts/sbom: add command parsers
>   scripts/sbom: add cmd graph generation
>   scripts/sbom: add additional dependency sources for cmd graph
>   scripts/sbom: add SPDX classes
>   scripts/sbom: add JSON-LD serialization
>   scripts/sbom: add shared SPDX elements
>   scripts/sbom: collect file metadata
>   scripts/sbom: add SPDX output graph
>   scripts/sbom: add SPDX source graph
>   scripts/sbom: add SPDX build graph
>   scripts/sbom: add unit tests for command parsers
>   scripts/sbom: add unit tests for SPDX-License-Identifier parsing

Nathan and Nicolas, any objection from me taking this through my
char/misc tree, or is there something remaining to be done here that
would require another respin, or do you want to take it through the
kbuild tree?

thanks,

greg k-h