SBOM in Debian and sbom-toolkit

Speaker: Walter Lozano

Track: Standards and Procedures

Type: Short talk (20 minutes)

Room: Aula Magna - FADU

Time: Jul 24 (Fri): 11:30

Duration: 0:20

Software Bills of Materials (SBOMs) have become an increasingly important topic, especially in the embedded systems domain, where products must comply with different regulatory and market requirements depending on their target regions.

This trend has intensified in recent years, particularly with the introduction of the Cyber Resilience Act, which places greater responsibilities on product manufacturers regarding the security and transparency of the software included in their products.

In this context, providing accurate and complete information about the software running on a system is essential for several reasons:

Licensing and copyright: Software is subject to licensing obligations and copyright regulations. Manufacturers must be able to identify the licenses that apply to the software components they distribute, as well as the corresponding copyright holders.

Security: New vulnerabilities are discovered every day. Accurately identifying the exact versions of software components used in a product is critical to assessing exposure to known vulnerabilities and understanding potential security risks.

An SBOM provides the structured information required to address these concerns by listing the software components included in a system along with relevant metadata such as versions, licenses, and dependencies.

In this context, Debian already provides tooling to generate SBOMs, in particular sbom toolkit which provides a debhelper add-on and scripts to help developers to prepare such reports.

URLs