Add sbom generation tooling (#2232)

[Lukasz-Juranek]

This PR adds basic sbom bazel rules for details see

https://github.com/Lukasz-Juranek/score-tooling/blob/8e9cb957c32b7b2da9b4faf607be172ba9b14a6f/sbom/SBOM_Readme.md

Here are generated SBOMs for reference_integration targets:

sbom_kyron.cdx.json
sbom_kyron.spdx.json
sbom_orch_per.cdx.json
sbom_orch_per.spdx.json

Here is SBOM target definition: eclipse-score/reference_integration#83
Sbom is automatically generated no modiffications are needed for SCORE

Depending-on: eclipse-score/score-crates#24

This is not full solution but rather sth to begin with.
Happy to discuss this in details.

[AlexanderLanin]

@Lukasz-Juranek this looks interesting! Can you describe a little why we need custom code? No native bazel support etc.

[Lukasz-Juranek]

Hi right now i'm not aware of any out of box support for bazel that would really cover all c++ imports and rust code.

But IMO tooling itself is not important that much, this can be replaced later on with anything

What is important is to start getting the SBOM data for 3rd party dependencies in any meaningful format when there is not much deps, and to build in SCORE developers this behavior that when you import some stuff to your project you think about SBOM.

If SBOM data will be available then you can do conversion to some mature solution.

[Lukasz-Juranek]

Updated PR according discussion that we had https://github.com/orgs/eclipse-score/discussions/2226#discussioncomment-15669973

Now manual generation of is removed , sbom data is generated via

• cdxgen for C++
• for rust @score_crates//:MODULE.bazel.lock is used

Added mandatory fields from

• CISA 2025 Element Coverage for CycloneDX

For details see updated readme https://github.com/Lukasz-Juranek/score-tooling/blob/8e9cb957c32b7b2da9b4faf607be172ba9b14a6f/sbom/SBOM_Readme.md

@masc2023 you asked for list of tools here it is https://github.com/Lukasz-Juranek/score-tooling/blob/8e9cb957c32b7b2da9b4faf607be172ba9b14a6f/sbom/SBOM_Readme.md#core-tools

[AlexanderLanin]

Which of these actually depend on bazel? Can we use this tool without bazel?

[Lukasz-Juranek]

@AlexanderLanin thx for review.

cyclonedx/cdxgen you can use without bazel, both NPM and cdxgen are currently required on system to be installed on system they are not deployed via bazel.

Bazel is only needed to collect dependencies that are needed to build the target,
This data is then hold in sbom_aspect then tool is matching data from this structure to data from cdxgen and bazel lockfile

But if you have all data that is needed in dash-license-scan then we should use this as source of data, not cdxgen and bazel lockfile

Maybe lets make some short sync on this just ping me on slack when you will have time

For think that we can't use only the dash-licensese-scan but we can extract license data from it

Field	crates_metadata.json provides	dash-license-scan provides
version	Yes	Yes (from Cargo.lock parse)
license	Yes (from crates.io API)	Yes (from Eclipse/ClearlyDefined)
checksum (SHA-256)	Yes	No
purl	Yes (pkg:cargo/name@ver)	No (uses crate/cratesio/-/ format)
repository	Yes (from crates.io API)	No

[AlexanderLanin]

cargo.lock parsing has also been implemented in dash-license-scan. Probably needs alignment.

[AlexanderLanin]

how do you know which version to use? Thats the main reason I have not implemented bazel lockfile parsing in dash-license-scan, since there is no way to know which version is actually relevant?!

[Lukasz-Juranek]

no i was not aware of this problem

[AlexanderLanin]

would you consider pytest? I don't know if its better or worse. But we use pytest everywhere.

[Lukasz-Juranek]

ok i will change framework

[AlexanderLanin]

note that different versions can have different licenses

[Lukasz-Juranek]

this file is not used ,

The actual license data now comes from crates_metadata.json (generated by the cache script from crates.io API + MODULE.bazel.lock).

i need to clean this trash

[AlexanderLanin]

this is where dash-license-scan could somehow fit it. It collects verified license information.

[Lukasz-Juranek]

i will check it if we can match get license field from dash output makes sense.

[AlexanderLanin]

we should use dash-licene-scan and not write hand collected license infos

[Lukasz-Juranek]

@AlexanderLanin i've updated SBOM tooling to get license from dash you can take a look at some generated files

sbom_communication.cdx.json
sbom_kyron_module.cdx.json
sbom_baselibs.cdx.json

Two things to confirm

1. Dash only supports rust right ? I could not get cpp licenses
2. License ids like this are expected right ?

 "id": "Apache-2.0 AND MIT AND Apache-2.0 AND MIT"

[evinoth1206]

Thanks for the work on the SBOM generation! I reviewed the CycloneDX output and have some feedback:

Must fix:

• Invalid license format for compound SPDX expressions: When a component has multiple licenses combined with AND/OR, the current format uses "license": { "id": "Apache-2.0 AND MIT" }, which fails schema validation. The id field only accepts a single SPDX identifier. Compound expressions must use the expression field instead:
  // ❌ Current (invalid):
  "licenses": [{ "license": { "id": "Apache-2.0 AND MIT" } }]

// ✅ Correct:
"licenses": [{ "expression": "Apache-2.0 AND MIT" }]

• Missing description field on all components. Every component should have at least a short description for SBOM usability

Nice to have (can be addressed in a follow-up):

• Missing cpe identifiers for OSS components. Adding CPE entries (e.g. cpe:2.3:a:google:flatbuffers:25.2.10:::::::*) would improve vulnerability matching against the NVD.

• Flat dependency graph. Currently all dependsOn arrays are empty except for the root component, which lists everything as a direct dependency. Ideally the graph should reflect actual transitive relationships (e.g. serde-derive depends on syn, quote, proc-macro2).

[Lukasz-Juranek]

Thanks for the work on the SBOM generation! I reviewed the CycloneDX output and have some feedback:

Must fix:

• Invalid license format for compound SPDX expressions: When a component has multiple licenses combined with AND/OR, the current format uses "license": { "id": "Apache-2.0 AND MIT" }, which fails schema validation. The id field only accepts a single SPDX identifier. Compound expressions must use the expression field instead:
  // ❌ Current (invalid):
  "licenses": [{ "license": { "id": "Apache-2.0 AND MIT" } }]

// ✅ Correct: "licenses": [{ "expression": "Apache-2.0 AND MIT" }]

• Missing description field on all components. Every component should have at least a short description for SBOM usability

Nice to have (can be addressed in a follow-up):

• Missing cpe identifiers for OSS components. Adding CPE entries (e.g. cpe:2.3:a:google:flatbuffers:25.2.10:::::::*) would improve vulnerability matching against the NVD.
• Flat dependency graph. Currently all dependsOn arrays are empty except for the root component, which lists everything as a direct dependency. Ideally the graph should reflect actual transitive relationships (e.g. serde-derive depends on syn, quote, proc-macro2).

Updated PR fixed licenses you can check this i've validated it using https://tools.spdx.org/app/ntia_checker/ and it passed

sbom_kyron_module.cdx.json
sbom_kyron_module.spdx.json