CycloneDX-Buildroot 2.0.0

Create a software bill of materials from the direct dependencies of a Buildroot generated project

CycloneDX Buildroot

---

This python application generates CycloneDX Software Bill of Materials (SBOM) containing all direct dependencies of a Buildroot generated project. It also supports projects that provide a comma-separated-values (.csv) file as a manifest of the software bill of materials. Thus an embedded project or any other project that has a CSV file containing the column information below, can be used with this project.

PACKAGE,VERSION,LICENSE,LICENSE FILES,SOURCE ARCHIVE,SOURCE SITE,DEPENDENCIES WITH LICENSES

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. Buildroot provides a build target named "legal-info" which produces a set of files including manifest.csv. The legal-info is a general "make" target for a Buildroot project. Additionally and optionally Buildroot supports a "make" target named "show-info" to produce CPE data for your build.

Requirements

• python >= 3.8

Installation

Install this from Python Package Index (PyPI) using your preferred Python package manager.

install via one of commands:

python -m pip install CycloneDX-Buildroot   # install via pip
pipx install CycloneDX-Buildroot            # install via pipx
poetry add CycloneDX-Buildroot              # install via poetry
uv tool install CycloneDX-Buildroot         # install via uv
# ... you get the hang

Usage

Call via one of commands:

cyclonedx-buildroot            # call script
python -m cyclonedx_buildroot  # call python module CLI

Help page

$ cyclonedx-buildroot --help
usage: cyclonedx-buildroot [-h] [-i INPUT_FILE] [-o OUTPUT_FILE] [-n PRODUCT_NAME] [-v PRODUCT_VERSION] [-m MANUFACTURER_NAME] [-c CPE_INPUT_FILE]

CycloneDX BOM Generator

options:
  -h, --help            show this help message and exit
  -i INPUT_FILE         comma separated value (csv) file of buildroot manifest data
  -o OUTPUT_FILE        SBOM output file name for json and xml
  -n PRODUCT_NAME       name of the product
  -v PRODUCT_VERSION    product version string
  -m MANUFACTURER_NAME  name of product manufacturer
  -c CPE_INPUT_FILE     cpe file from make show-info

Example

By default, manifest.csv will be read from the current working directory and the resulting bom.json will also be created in the current working directory.
This can be overwritten as follows:

cyclonedx-buildroot -i <path>/manifest.csv -n "My Project" -v "1.2.3.4" -m "your manufacturing company name" -c cpe.json

Integration

Diagram depicting where this project fits into the pipeline of secure development activities. Note that while the diagram depicts a linear sequence of activities, the entire sequence is typically cyclical. The end state of SBOM management receives the SBOM files for the product versions to properly manage the state of vulnerabilities over time.

CycloneDX Schema Support

The following table provides information on the version of this module, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this module that is compatible with the CycloneDX version supported by the target system.

Version	Schema Version	Format(s)
2.0	CycloneDX v1.6	XML/JSON

Internals

This tool utilizes the CycloneDX Python library to generate the actual data structures, and serialize and validate them.

This tool does not expose any additional public API or symbols - all code is intended to be internal and might change without any notice during version upgrades.
However, the CLI is stable - you might call it programmatically, like so:

from sys import executable
from subprocess import run
run((executable, '-m', 'cyclonedx_buildroot', '--help'))

Copyright & License

CycloneDX Buildroot is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.