From: Luis Augenstein <luis.augenstein@tngtech.com>
To: nathan@kernel.org, nsc@kernel.org
Cc: linux-kbuild@vger.kernel.org, linux-kernel@vger.kernel.org,
akpm@linux-foundation.org, gregkh@linuxfoundation.org,
maximilian.huber@tngtech.com,
Luis Augenstein <luis.augenstein@tngtech.com>
Subject: [PATCH v2 00/14] Add SPDX SBOM generation tool
Date: Tue, 20 Jan 2026 12:53:38 +0100
Message-ID: <20260120115352.10910-1-luis.augenstein@tngtech.com>

This patch series introduces a Python-based tool for generating SBOM
documents in the SPDX 3.0.1 format for kernel builds.

A Software Bill of Materials (SBOM) describes the individual components
of a software product. For the kernel, the goal is to describe the
distributable build outputs (typically the kernel image and modules),
the source files involved in producing these outputs, and the build
process that connects the source and output files.

To achieve this, the SBOM tool generates three SPDX documents:

- sbom-output.spdx.json
  Describes the final build outputs together with high-level
  build metadata.

- sbom-source.spdx.json
  Describes all source files involved in the build, including
  licensing information and additional file metadata.

- sbom-build.spdx.json
  Describes the entire build process, linking source files
  from the source SBOM to output files in the output SBOM.

The sbom tool is optional and runs only when CONFIG_SBOM is enabled. It
is invoked after the build, once all output artifacts have been
generated. Starting from the kernel image and modules as root nodes,
the tool reconstructs the dependency graph up to the original source
files. Build dependencies are primarily derived from the .cmd files
generated by Kbuild, which record the full command used to build
each output file.

Currently, the tool only supports x86 and arm64 architectures.

Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
---
Changes in v2:
- regenerate sbom documents when build configuration changes
---
Luis Augenstein (14):
tools/sbom: integrate tool in make process
tools/sbom: setup sbom logging
tools/sbom: add command parsers
tools/sbom: add cmd graph generation
tools/sbom: add additional dependency sources for cmd graph
tools/sbom: add SPDX classes
tools/sbom: add JSON-LD serialization
tools/sbom: add shared SPDX elements
tools/sbom: collect file metadata
tools/sbom: add SPDX output graph
tools/sbom: add SPDX source graph
tools/sbom: add SPDX build graph
tools/sbom: add unit tests for command parsers
tools/sbom: add unit tests for SPDX-License-Identifier parsing
.gitignore | 1 +
MAINTAINERS | 6 +
Makefile | 15 +-
lib/Kconfig.debug | 9 +
tools/Makefile | 3 +-
tools/sbom/Makefile | 42 ++
tools/sbom/README | 208 ++++++
tools/sbom/sbom.py | 129 ++++
tools/sbom/sbom/__init__.py | 0
tools/sbom/sbom/cmd_graph/__init__.py | 7 +
tools/sbom/sbom/cmd_graph/cmd_file.py | 149 ++++
tools/sbom/sbom/cmd_graph/cmd_graph.py | 46 ++
tools/sbom/sbom/cmd_graph/cmd_graph_node.py | 142 ++++
tools/sbom/sbom/cmd_graph/deps_parser.py | 52 ++
.../sbom/cmd_graph/hardcoded_dependencies.py | 83 +++
tools/sbom/sbom/cmd_graph/incbin_parser.py | 42 ++
tools/sbom/sbom/cmd_graph/savedcmd_parser.py | 664 ++++++++++++++++++
tools/sbom/sbom/config.py | 335 +++++++++
tools/sbom/sbom/environment.py | 164 +++++
tools/sbom/sbom/path_utils.py | 11 +
tools/sbom/sbom/sbom_logging.py | 88 +++
tools/sbom/sbom/spdx/__init__.py | 7 +
tools/sbom/sbom/spdx/build.py | 17 +
tools/sbom/sbom/spdx/core.py | 182 +++++
tools/sbom/sbom/spdx/serialization.py | 56 ++
tools/sbom/sbom/spdx/simplelicensing.py | 20 +
tools/sbom/sbom/spdx/software.py | 71 ++
tools/sbom/sbom/spdx/spdxId.py | 36 +
tools/sbom/sbom/spdx_graph/__init__.py | 7 +
.../sbom/sbom/spdx_graph/build_spdx_graphs.py | 82 +++
tools/sbom/sbom/spdx_graph/kernel_file.py | 310 ++++++++
.../sbom/spdx_graph/shared_spdx_elements.py | 32 +
.../sbom/sbom/spdx_graph/spdx_build_graph.py | 317 +++++++++
.../sbom/sbom/spdx_graph/spdx_graph_model.py | 36 +
.../sbom/sbom/spdx_graph/spdx_output_graph.py | 188 +++++
.../sbom/sbom/spdx_graph/spdx_source_graph.py | 126 ++++
tools/sbom/tests/__init__.py | 0
tools/sbom/tests/cmd_graph/__init__.py | 0
.../tests/cmd_graph/test_savedcmd_parser.py | 383 ++++++++++
tools/sbom/tests/spdx_graph/__init__.py | 0
.../sbom/tests/spdx_graph/test_kernel_file.py | 32 +
41 files changed, 4096 insertions(+), 2 deletions(-)
create mode 100644 tools/sbom/Makefile
create mode 100644 tools/sbom/README
create mode 100644 tools/sbom/sbom.py
create mode 100644 tools/sbom/sbom/__init__.py
create mode 100644 tools/sbom/sbom/cmd_graph/__init__.py
create mode 100644 tools/sbom/sbom/cmd_graph/cmd_file.py
create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph.py
create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph_node.py
create mode 100644 tools/sbom/sbom/cmd_graph/deps_parser.py
create mode 100644 tools/sbom/sbom/cmd_graph/hardcoded_dependencies.py
create mode 100644 tools/sbom/sbom/cmd_graph/incbin_parser.py
create mode 100644 tools/sbom/sbom/cmd_graph/savedcmd_parser.py
create mode 100644 tools/sbom/sbom/config.py
create mode 100644 tools/sbom/sbom/environment.py
create mode 100644 tools/sbom/sbom/path_utils.py
create mode 100644 tools/sbom/sbom/sbom_logging.py
create mode 100644 tools/sbom/sbom/spdx/__init__.py
create mode 100644 tools/sbom/sbom/spdx/build.py
create mode 100644 tools/sbom/sbom/spdx/core.py
create mode 100644 tools/sbom/sbom/spdx/serialization.py
create mode 100644 tools/sbom/sbom/spdx/simplelicensing.py
create mode 100644 tools/sbom/sbom/spdx/software.py
create mode 100644 tools/sbom/sbom/spdx/spdxId.py
create mode 100644 tools/sbom/sbom/spdx_graph/__init__.py
create mode 100644 tools/sbom/sbom/spdx_graph/build_spdx_graphs.py
create mode 100644 tools/sbom/sbom/spdx_graph/kernel_file.py
create mode 100644 tools/sbom/sbom/spdx_graph/shared_spdx_elements.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_build_graph.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_graph_model.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_output_graph.py
create mode 100644 tools/sbom/sbom/spdx_graph/spdx_source_graph.py
create mode 100644 tools/sbom/tests/__init__.py
create mode 100644 tools/sbom/tests/cmd_graph/__init__.py
create mode 100644 tools/sbom/tests/cmd_graph/test_savedcmd_parser.py
create mode 100644 tools/sbom/tests/spdx_graph/__init__.py
create mode 100644 tools/sbom/tests/spdx_graph/test_kernel_file.py
--
2.34.1
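
The dependency reconstruction described in the cover letter, sketched as an added example that is not code from the patch series: it starts at a build output and follows Kbuild `.cmd` records back to the files that have no record of their own. The `.cmd` contents are constructed, the names `CMD_FILES`, `parse_cmd` and `source_files` are hypothetical, and reading inputs off the saved command is reduced to picking out object and archive arguments.

```python
import re

# Constructed .cmd contents keyed by build target, not taken from a real build.
CMD_FILES = {
    "vmlinux": "savedcmd_vmlinux := ld -o vmlinux init/main.o lib/crc.o\n",
    "init/main.o": (
        "savedcmd_init/main.o := gcc -c -o init/main.o init/main.c\n"
        "source_init/main.o := init/main.c\n"
        "deps_init/main.o := \\\n"
        "    $(wildcard include/config/SMP) \\\n"
        "  include/linux/init.h \\\n"
        "  include/linux/types.h\n"
    ),
    "lib/crc.o": (
        "savedcmd_lib/crc.o := gcc -c -o lib/crc.o lib/crc.c\n"
        "source_lib/crc.o := lib/crc.c\n"
        "deps_lib/crc.o := \\\n"
        "  include/linux/types.h\n"
    ),
}

def parse_cmd(target, text):
    """Return the direct inputs that a .cmd record lists for target."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    text = re.sub(r"\$\(wildcard [^)]*\)", "", text)  # config markers, not inputs
    inputs = []
    for line in text.splitlines():
        name, _, value = line.partition(":=")
        name, tokens = name.strip(), value.split()
        if name in (f"source_{target}", f"deps_{target}"):
            inputs += tokens
        elif name == f"savedcmd_{target}":
            # Simplification: only object/archive arguments count as inputs.
            inputs += [t for t in tokens if t.endswith((".o", ".a")) and t != target]
    return inputs

def source_files(root, cmd_files):
    """Walk from a build output back to the files that have no .cmd record."""
    seen, leaves, stack = set(), set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in cmd_files:
            stack.extend(parse_cmd(node, cmd_files[node]))
        else:
            leaves.add(node)  # no build record: treated as original source
    return sorted(leaves)
```

In this sketch a file with no `.cmd` record is always treated as a leaf, so a generated file that lacks one would be reported as a source file.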