Linux kbuild/kconfig development
* [PATCH v6 00/15] add SPDX SBOM generation script
@ 2026-05-07 17:38 Luis
  0 siblings, 0 replies; 3+ messages in thread
From: Luis @ 2026-05-07 17:38 UTC (permalink / raw)
  To: nathan, nsc
  Cc: linux-kbuild, linux-kernel, akpm, gregkh, kstewart,
	maximilian.huber, Luis

This patch series introduces a Python-based script for generating SBOM
documents in the SPDX 3.0.1 format for kernel builds.

A Software Bill of Materials (SBOM) describes the individual components
of a software product. For the kernel, the goal is to describe the
distributable build outputs (typically the kernel image and modules),
the source files involved in producing these outputs, and the build
process that connects the source and output files.

To achieve this, the sbom script generates three SPDX documents:

- sbom-output.spdx.json
  Describes the final build outputs together with high-level
  build metadata.

- sbom-source.spdx.json
  Describes all source files involved in the build, including
  licensing information and additional file metadata.

- sbom-build.spdx.json
  Describes the entire build process, linking source files
  from the source SBOM to output files in the output SBOM.

The sbom script is optional. It can be invoked via the `make sbom` target.
This target depends on `all` and triggers a standard kernel build. Once all
output artifacts have been generated, starting from the kernel image and
modules as root nodes, the script reconstructs the dependency graph up
to the original source files. Build dependencies are primarily derived from
the `.cmd` files generated by Kbuild, which record the full command used
to build each output file.

Currently, the script only supports x86 and arm64 architectures.

This series was developed with assistance from AI tools, namely Cursor
with Claude Sonnet 4.5 and OpenCode with GLM-4.7. The AI was used for
documentation, exploring the repository, and iterating on design
questions and implementation details such as regex patterns.

Assisted-by: Cursor:claude-sonnet-4-5
Assisted-by: OpenCode:GLM-4-7
Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
---
Changes in v6:
- parsers: add support for cp and vdsomunge commands
- sashiko:
  - bugfix: resolve symlinked relative paths correctly to avoid duplicate SBOM entries
  - bugfix: use timezone-aware UTC timestamps for SBOM creation metadata
  - bugfix: classify external files outside source and object trees correctly
  - robustness: several minor improvements to make the script more robust against 
    unexpected inputs, uncommon build setups, and invalid assumptions
---
Luis Augenstein (15):
  scripts/sbom: add documentation
  scripts/sbom: integrate script in make process
  scripts/sbom: setup sbom logging
  scripts/sbom: add command parsers
  scripts/sbom: add cmd graph generation
  scripts/sbom: add additional dependency sources for cmd graph
  scripts/sbom: add SPDX classes
  scripts/sbom: add JSON-LD serialization
  scripts/sbom: add shared SPDX elements
  scripts/sbom: collect file metadata
  scripts/sbom: add SPDX output graph
  scripts/sbom: add SPDX source graph
  scripts/sbom: add SPDX build graph
  scripts/sbom: add unit tests for command parsers
  scripts/sbom: add unit tests for SPDX-License-Identifier parsing

 .gitignore                                    |   1 +
 Documentation/tools/index.rst                 |   1 +
 Documentation/tools/sbom/sbom.rst             | 206 ++++++++
 MAINTAINERS                                   |   6 +
 Makefile                                      |  28 +-
 scripts/sbom/sbom.py                          | 129 +++++
 scripts/sbom/sbom/__init__.py                 |   0
 scripts/sbom/sbom/cmd_graph/__init__.py       |   7 +
 scripts/sbom/sbom/cmd_graph/cmd_file.py       | 162 ++++++
 scripts/sbom/sbom/cmd_graph/cmd_graph.py      |  46 ++
 scripts/sbom/sbom/cmd_graph/cmd_graph_node.py | 142 +++++
 scripts/sbom/sbom/cmd_graph/deps_parser.py    |  52 ++
 .../sbom/cmd_graph/hardcoded_dependencies.py  |  87 ++++
 scripts/sbom/sbom/cmd_graph/incbin_parser.py  |  42 ++
 .../cmd_graph/savedcmd_parser/__init__.py     |   6 +
 .../command_parser_registry.py                | 491 ++++++++++++++++++
 .../savedcmd_parser/command_splitter.py       | 124 +++++
 .../savedcmd_parser/savedcmd_parser.py        |  67 +++
 .../cmd_graph/savedcmd_parser/tokenizer.py    |  92 ++++
 scripts/sbom/sbom/config.py                   | 321 ++++++++++++
 scripts/sbom/sbom/environment.py              | 192 +++++++
 scripts/sbom/sbom/path_utils.py               |  22 +
 scripts/sbom/sbom/sbom_logging.py             |  90 ++++
 scripts/sbom/sbom/spdx/__init__.py            |   7 +
 scripts/sbom/sbom/spdx/build.py               |  17 +
 scripts/sbom/sbom/spdx/core.py                | 170 ++++++
 scripts/sbom/sbom/spdx/serialization.py       |  62 +++
 scripts/sbom/sbom/spdx/simplelicensing.py     |  20 +
 scripts/sbom/sbom/spdx/software.py            |  69 +++
 scripts/sbom/sbom/spdx/spdxId.py              |  36 ++
 scripts/sbom/sbom/spdx_graph/__init__.py      |   7 +
 .../sbom/sbom/spdx_graph/build_spdx_graphs.py |  83 +++
 scripts/sbom/sbom/spdx_graph/kernel_file.py   | 314 +++++++++++
 .../sbom/spdx_graph/shared_spdx_elements.py   |  32 ++
 .../sbom/sbom/spdx_graph/spdx_build_graph.py  | 319 ++++++++++++
 .../sbom/sbom/spdx_graph/spdx_graph_model.py  |  36 ++
 .../sbom/sbom/spdx_graph/spdx_output_graph.py | 187 +++++++
 .../sbom/sbom/spdx_graph/spdx_source_graph.py | 130 +++++
 scripts/sbom/tests/__init__.py                |   0
 scripts/sbom/tests/cmd_graph/__init__.py      |   0
 .../tests/cmd_graph/test_savedcmd_parser.py   | 425 +++++++++++++++
 scripts/sbom/tests/spdx_graph/__init__.py     |   0
 .../sbom/tests/spdx_graph/test_kernel_file.py |  33 ++
 43 files changed, 4259 insertions(+), 2 deletions(-)
 create mode 100644 Documentation/tools/sbom/sbom.rst
 create mode 100644 scripts/sbom/sbom.py
 create mode 100644 scripts/sbom/sbom/__init__.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/__init__.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/cmd_file.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/cmd_graph.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/cmd_graph_node.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/deps_parser.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/hardcoded_dependencies.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/incbin_parser.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/savedcmd_parser/__init__.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/savedcmd_parser/command_parser_registry.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/savedcmd_parser/command_splitter.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/savedcmd_parser/savedcmd_parser.py
 create mode 100644 scripts/sbom/sbom/cmd_graph/savedcmd_parser/tokenizer.py
 create mode 100644 scripts/sbom/sbom/config.py
 create mode 100644 scripts/sbom/sbom/environment.py
 create mode 100644 scripts/sbom/sbom/path_utils.py
 create mode 100644 scripts/sbom/sbom/sbom_logging.py
 create mode 100644 scripts/sbom/sbom/spdx/__init__.py
 create mode 100644 scripts/sbom/sbom/spdx/build.py
 create mode 100644 scripts/sbom/sbom/spdx/core.py
 create mode 100644 scripts/sbom/sbom/spdx/serialization.py
 create mode 100644 scripts/sbom/sbom/spdx/simplelicensing.py
 create mode 100644 scripts/sbom/sbom/spdx/software.py
 create mode 100644 scripts/sbom/sbom/spdx/spdxId.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/__init__.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/build_spdx_graphs.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/kernel_file.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/shared_spdx_elements.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/spdx_build_graph.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/spdx_graph_model.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/spdx_output_graph.py
 create mode 100644 scripts/sbom/sbom/spdx_graph/spdx_source_graph.py
 create mode 100644 scripts/sbom/tests/__init__.py
 create mode 100644 scripts/sbom/tests/cmd_graph/__init__.py
 create mode 100644 scripts/sbom/tests/cmd_graph/test_savedcmd_parser.py
 create mode 100644 scripts/sbom/tests/spdx_graph/__init__.py
 create mode 100644 scripts/sbom/tests/spdx_graph/test_kernel_file.py

-- 
2.43.0


* Re: [PATCH v6 00/15] add SPDX SBOM generation script
@ 2026-05-13 18:25 Bird, Tim
  2026-05-15 13:48 ` Luis Augenstein
  0 siblings, 1 reply; 3+ messages in thread
From: Bird, Tim @ 2026-05-13 18:25 UTC (permalink / raw)
  To: luis.augenstein@tngtech.com, nathan@kernel.org
  Cc: Linux Kbuild mailing list, open list, Andrew Morton,
	Greg Kroah-Hartman, Kate Stewart, maximilian.huber@tngtech.com

Hey KernelSBom people,

I got the following error message when using KernelSBom (both with the v5 release and the recent v6 release).

I was doing an arm64 defconfig build.  I can work around the problem using your handy
"--do-not-fail-on-unknown-build-command" option to the sbom generator, but thought I
should report the issue.

==== error message ====
...
  GEN     sbom-source.spdx.json sbom-build.spdx.json sbom-output.spdx.json
[ERROR] File "/home/tbird/work/torvalds/linux/scripts/sbom/sbom/cmd_graph/savedcmd_parser/savedcmd_parser.py", line 33, in log_error_or_warning
Skipped parsing command /bin/sh -e /home/tbird/work/torvalds/linux/arch/arm64/tools/gen-kernel-hwcaps.sh /home/tbird/work/torvalds/linux/arch/arm64/include/uapi/asm/hwcap.h > arch/arm64/include/generated/asm/kernel-hwcap.h because no matching parser was found
=====================

arch/arm64/tools/gen-kernel-hwcaps.sh is a simple script that does some simple
transformations (using sed) on lines from the input file.  As you can see, the build command takes
arch/arm64/include/uapi/asm/hwcap.h and transforms it into $KBUILD_OUTPUT/arch/arm64/include/generated/asm/kernel-hwcap.h.

I think this should be easy to add to your command line parser.  Just wanted to bring it to your attention.

Great tool, by the way.  I'm talking about it at OSSNA next week, and was just doing some testing on different
platforms.

Regards,
 -- Tim


* Re: [PATCH v6 00/15] add SPDX SBOM generation script
  2026-05-13 18:25 [PATCH v6 00/15] add SPDX SBOM generation script Bird, Tim
@ 2026-05-15 13:48 ` Luis Augenstein
  0 siblings, 0 replies; 3+ messages in thread
From: Luis Augenstein @ 2026-05-15 13:48 UTC (permalink / raw)
  To: Bird, Tim, nathan@kernel.org
  Cc: Linux Kbuild mailing list, open list, Andrew Morton,
	Greg Kroah-Hartman, Kate Stewart, maximilian.huber@tngtech.com


On 5/13/26 20:25, Bird, Tim wrote:
> Hey KernelSBom people,
> 
> I got the following error message when using KernelSBom (both with the v5 release and the recent v6 release).
> 
> I was doing an arm64 defconfig build.  I can work around the problem using your handy
> "--do-not-fail-on-unknown-build-command" option to the sbom generator, but thought I
> should report the issue.
> 
> ==== error message ====
> ...
>    GEN     sbom-source.spdx.json sbom-build.spdx.json sbom-output.spdx.json
> [ERROR] File "/home/tbird/work/torvalds/linux/scripts/sbom/sbom/cmd_graph/savedcmd_parser/savedcmd_parser.py", line 33, in log_error_or_warning
> Skipped parsing command /bin/sh -e /home/tbird/work/torvalds/linux/arch/arm64/tools/gen-kernel-hwcaps.sh /home/tbird/work/torvalds/linux/arch/arm64/include/uapi/asm/hwcap.h > arch/arm64/include/generated/asm/kernel-hwcap.h because no matching parser was found
> =====================
> 
> arch/arm64/tools/gen-kernel-hwcaps.sh is a simple script that does some simple
> transformations (using sed) on lines from the input file.  As you can see, the build command takes
> arch/arm64/include/uapi/asm/hwcap.h and transforms it into $KBUILD_OUTPUT/arch/arm64/include/generated/asm/kernel-hwcap.h.
> 
> I think this should be easy to add to your command line parser.  Just wanted to bring it to your attention.
> 

Yes, thanks a lot for reporting the issue.
gen-kernel-hwcaps.sh is a new script that was added a month ago.
I will add a corresponding command parser with the next version.

> Great tool, by the way.  I'm talking about it at OSSNA next week, and was just doing some testing on different
> platforms.

Cool! Happy to hear that :)

Best,
Luis

-- 
Luis Augenstein * luis.augenstein@tngtech.com * +4915225275761
TNG Technology Consulting GmbH, Beta-Str. 13, 85774 Unterföhring
Geschäftsführer: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Aufsichtsratsvorsitzender: Moritz Prinz
Sitz: Unterföhring * Amtsgericht München * HRB 135082
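
Added example, not part of the thread and not the project's code: a minimal parser for the command shape reported above (`/bin/sh -e SCRIPT INPUT > OUTPUT`) that fails closed on unknown commands, so the SBOM is not silently missing a dependency edge. All function names, the `fail_on_unknown` parameter and the `/src/linux` paths are assumptions; the sample command is constructed from the one in the error message.

```python
import shlex

class UnknownBuildCommand(Exception):
    """No parser matched, so a dependency edge would be missing from the SBOM."""

def parse_sh_script(command):
    """Parse '/bin/sh [-opts] SCRIPT ARGS... > OUTPUT' into (inputs, output), else None."""
    tokens = shlex.split(command)
    if len(tokens) < 2 or tokens[0] not in ("/bin/sh", "sh"):
        return None
    words, output = [], None
    rest = iter(tokens[1:])
    for tok in rest:
        if tok == ">":                  # redirect target is the next token
            output = next(rest, None)
        elif tok.startswith(">") and not tok.startswith(">>"):
            output = tok[1:]            # '>file' written without a space
        else:
            words.append(tok)
    while words and words[0].startswith("-"):
        if "c" in words[0]:             # 'sh -c' runs inline code, not a script
            return None
        words.pop(0)                    # drop options such as -e
    if not words or output is None:
        return None
    # Assumption: the script and every remaining argument are input files.
    return words, output

PARSERS = [parse_sh_script]             # hypothetical registry with one entry

def inputs_of(command, fail_on_unknown=True):
    """Return the input files of a build command, failing closed by default."""
    for parser in PARSERS:
        parsed = parser(command)
        if parsed is not None:
            return parsed[0]
    if fail_on_unknown:
        raise UnknownBuildCommand(command)
    return []                           # lenient mode: this edge is left out

# Constructed sample, modelled on the command in the reported error message.
SAMPLE = (
    "/bin/sh -e /src/linux/arch/arm64/tools/gen-kernel-hwcaps.sh "
    "/src/linux/arch/arm64/include/uapi/asm/hwcap.h "
    "> arch/arm64/include/generated/asm/kernel-hwcap.h"
)
```

In lenient mode the caller gets an empty input list for an unmatched command, which is why a consumer of the resulting SBOM should know whether the build was run with unknown commands tolerated.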

