A tool to generate SPDX SBoMs from buildstream projects
# BuildStream SBOM generator
This tool can be used to produce an SBoM (Software Bill of Materials) describing a BuildStream element and its dependencies. It currently generates SPDX version 2.3.
The manifest contains useful information, such as the package name, version, source locations and dependencies.
## Source provenance data
This tool relies on the Source Provenance API introduced in BuildStream 2.5. This API is implemented by buildstream-plugins version 2.5.0 and buildstream-plugins-community 2.1.0. Please make sure your project is using those (or more recent) versions. If your project uses custom source plugins, please make sure that they also implement this API.
Version guessing is handled by the individual source plugins; check each plugin's documentation for details. Most plugins that implement it do something similar to what DownloadableFileSource does, so that is a good starting point for understanding how it works.
The source provenance attributes that can currently be specified and used in a BuildStream project, and the SPDX package attribute each one is emitted as, are as follows:
| Attribute name | Corresponding SPDX attribute |
|---|---|
| concluded-license | licenseConcluded |
| copyright-text | copyrightText |
| declared-license | licenseDeclared |
| description | summary |
| homepage | homepage |
| name | name |
| originator | originator |
| supplier | supplier |
These can be used in projects via the source-provenance-attributes field in project.conf, as described in the provenance section of the BuildStream documentation.

Example source-provenance-attributes snippet:

```yaml
# project.conf
source-provenance-attributes:
  concluded-license: The license as determined by the evidence provided by the source project
  copyright-text: Copyright text defined by the source project
  declared-license: The license of the source project as decided by the authors
  description: Description of the source project
  homepage: The URL of the source project's homepage
  name: The name of the source project
  originator: The name of the person or organisation that created the source package originally
  supplier: The name of the person or organisation that provided the source package
```
Should any BuildStream plugins implement tracking for source provenance attributes, similar to source tracking, it is recommended for all projects and plugins to use the attribute names exactly as seen above. This ensures the source provenance attributes are always generated identically between different plugins and makes sure they align with projects' definitions in the same way.
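The attribute table above is also the checklist a consumer of the generated SBOM will want to run against it: a package whose licenseConcluded, supplier or originator is still NOASSERTION has no usable provenance. The following is an added example, not code from buildstream-sbom, that loads an SPDX 2.3 JSON document, reports every package missing one of the mapped attributes, checks the document namespace is an absolute URI without a fragment (an SPDX 2.3 requirement), and lists a package's DEPENDS_ON relationships. The embedded document is constructed for illustration; the package names, identifiers and namespace in it are assumptions.

```python
"""Audit an SPDX 2.3 JSON SBOM for missing source-provenance fields.

Added example, not part of buildstream-sbom. The sample document below is
constructed; its package names, SPDXIDs and namespace are assumptions.
"""
import json
from urllib.parse import urlparse

# SPDX 2.3 package fields that BuildStream's source-provenance-attributes
# map to (right-hand column of the attribute table).
PROVENANCE_FIELDS = (
    "licenseConcluded", "copyrightText", "licenseDeclared", "summary",
    "homepage", "name", "originator", "supplier",
)

# SPDX values that carry no provenance information.
PLACEHOLDERS = {"NOASSERTION", "NONE", ""}

# Constructed sample: one fully described package, one dependency with gaps.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "myapp-sbom",
    "documentNamespace": "https://example.invalid/spdx/myapp-1.0",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-myapp",
            "name": "myapp",
            "versionInfo": "1.0",
            "downloadLocation": "https://example.invalid/myapp-1.0.tar.gz",
            "summary": "Example application",
            "homepage": "https://example.invalid/myapp",
            "licenseConcluded": "MIT",
            "licenseDeclared": "MIT",
            "copyrightText": "Copyright 2024 Example Org",
            "originator": "Organization: Example Org",
            "supplier": "Organization: Example Org",
        },
        {
            "SPDXID": "SPDXRef-Package-zlib",
            "name": "zlib",
            "versionInfo": "1.3",
            "downloadLocation": "https://example.invalid/zlib-1.3.tar.gz",
            "homepage": "https://example.invalid/zlib",
            "licenseConcluded": "Zlib",
            "licenseDeclared": "Zlib",
            "copyrightText": "Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler",
            "originator": "NOASSERTION",
            "supplier": "NOASSERTION",
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-myapp"},
        {"spdxElementId": "SPDXRef-Package-myapp", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-zlib"},
    ],
})


def load_sbom(text):
    """Parse an SPDX JSON document from a string."""
    return json.loads(text)


def namespace_is_valid(doc):
    """SPDX 2.3: documentNamespace is an absolute URI with no '#' fragment."""
    ns = doc.get("documentNamespace", "")
    parsed = urlparse(ns)
    return bool(parsed.scheme and parsed.netloc) and "#" not in ns


def audit_packages(doc):
    """Map SPDXID -> list of provenance fields that are missing or placeholders."""
    findings = {}
    for pkg in doc.get("packages", []):
        missing = [
            field for field in PROVENANCE_FIELDS
            if str(pkg.get(field, "")).strip() in PLACEHOLDERS
        ]
        if missing:
            findings[pkg.get("SPDXID", pkg.get("name", "?"))] = missing
    return findings


def runtime_dependencies(doc, spdx_id):
    """Sorted SPDXIDs that the given element DEPENDS_ON."""
    return sorted(
        rel["relatedSpdxElement"]
        for rel in doc.get("relationships", [])
        if rel.get("spdxElementId") == spdx_id
        and rel.get("relationshipType") == "DEPENDS_ON"
    )


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("namespace ok:", namespace_is_valid(sbom))
    for spdx_id, fields in audit_packages(sbom).items():
        print(f"{spdx_id}: missing {', '.join(fields)}")
    print("myapp depends on:", runtime_dependencies(sbom, "SPDXRef-Package-myapp"))
```

To run it against a real document, replace SAMPLE_SBOM with the contents of the file buildstream-sbom produced; a non-empty audit result usually means the corresponding source in the BuildStream project lacks the attribute in source-provenance-attributes, or its plugin does not implement the Source Provenance API.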
## Usage
To install, clone this repository and install it using pip (or, preferably, a tool such as uv tool or pipx, which installs it in a virtual environment).
To use, run buildstream-sbom in a BuildStream project, passing the names of elements as you would pass them to bst. There are two additional required arguments, --spdx-name and --spdx-namespace, which set the SPDX document name and document namespace respectively. See the SPDX specification for details.
buildstream-sbom also accepts some BuildStream options, notably -o/--option to set BuildStream project options, -C/--directory to set the directory containing the BuildStream project, and --deps to choose whether to include only runtime dependencies or all dependencies.
On the topic of runtime dependencies, two BuildStream core plugins are treated specially: filter and compose. All build dependencies of elements using these plugins are considered runtime dependencies. For other elements, you can set the depends-on key in the sbom public data domain to a list of build dependencies, and buildstream-sbom will treat those build dependencies as runtime dependencies. This is useful for a script or manual element that copies artifacts from a build dependency into its own artifact, since the copied content ships in the result even though it is only a build dependency.
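As an added example (not taken from the tool's repository), here is a manual element that copies files out of a build dependency and records that dependency under the sbom public data domain so that buildstream-sbom lists it as a runtime dependency. The element names, the copied path and the exact public-data layout are assumptions for illustration; only the sbom/depends-on key comes from the description above.

```yaml
# copy-docs.bst (constructed example, not from the buildstream-sbom repository)
kind: manual

depends:
- filename: docs-builder.bst
  type: build

config:
  install-commands:
  # The copied files end up in this element's artifact, so the build
  # dependency effectively becomes part of what ships.
  - mkdir -p %{install-root}/usr/share/doc
  - cp -r /usr/share/doc/docs-builder %{install-root}/usr/share/doc/

public:
  sbom:
    # Tell buildstream-sbom to treat this build dependency as a runtime
    # dependency when emitting relationships for copy-docs.bst.
    depends-on:
    - docs-builder.bst
```

Without the depends-on entry, a run with --deps restricted to runtime dependencies would omit docs-builder.bst from the SBOM even though its files are present in the shipped artifact.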
You can also include licenses that have been extracted from the element's artifacts using --include-licenses. This uses license information installed with tooling such as Freedesktop-SDK's install-extra script. This option can also be used in conjunction with --artifact-checkout-directory (-A) to control where element artifacts are checked out during processing; this is useful if you are checking out larger artifacts and want to use a part of the filesystem with more available space (note that artifacts are removed once processed anyway, to minimise the required storage space).
## File details
Details for the file buildstream_sbom-1.1.tar.gz.
File metadata
- Download URL: buildstream_sbom-1.1.tar.gz
- Upload date:
- Size: 16.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | f43a4b15e725cf59b9eec78319fdab99fc684ffe3957b2554d791ed7d103fffc |
| MD5 | 9434494e0ceb618fea601de3ca61811c |
| BLAKE2b-256 | 65dc76d13c8b20da85f93df2aab46c77337ac480df61d1540f55a91052f2e3c4 |
## File details
Details for the file buildstream_sbom-1.1-py3-none-any.whl.
File metadata
- Download URL: buildstream_sbom-1.1-py3-none-any.whl
- Upload date:
- Size: 11.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9e90fdfdb10c56906e2c29a343f9b1ba9896d5837124e9f839fe44bb56140004 |
| MD5 | cff85c18d2b6a8d8d43f96c3421d2a09 |
| BLAKE2b-256 | ba866ed641917810d8d36a7754a32eb79962771757c91bc08160f2f772b5c895 |