The Evolution of SBOMs in AlmaLinux – Matthias Kruk, Cybertrust Japan Co., Ltd.
AlmaLinux has been providing SBOMs for every released package for more than a year now. The generation of SBOMs is supported by two components: the build system, which stores metadata about each package in an immutable database, and an SBOM generation tool that retrieves metadata from the database and converts it into an SBOM. When Cybertrust Japan joined the AlmaLinux Foundation, the SBOM generator could only generate SBOMs in CycloneDX format, so one of our first contributions was to add SPDX support to the SBOM generator. In doing so, it became clear that the current SBOM generator does not meet the requirements of NTIA’s Minimum Elements, which are requirements set forth by the US National Telecommunications and Information Administration and which need to be met by entities wishing to supply software to the US government. In order to meet these requirements in AlmaLinux, we investigated how the necessary data can be collected, and what changes to the build system and database schema are necessary. While our investigation focuses on AlmaLinux, the lessons that we learned apply equally to all RPM-based Linux distributions.
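As an added illustration (not code from the AlmaLinux SBOM generator or from the talk), the following check reports which of the seven NTIA Minimum Elements are missing from an SPDX 2.x JSON document; the package entry, purl and tool name are constructed, and the "dependency relationship" test is a minimal reading (the package must appear in at least one relationship).

```python
import json

def missing_ntia_elements(doc: dict) -> list:
    """Return the NTIA minimum elements absent from an SPDX 2.x JSON document.
    Document level: creators (author) and created (timestamp). Package level:
    supplier, name, versionInfo, an externalRef such as a purl (unique id) and
    membership in some relationship (minimal reading of dependency relationship)."""
    missing = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        missing.append("Author of SBOM Data")
    if not info.get("created"):
        missing.append("Timestamp")
    related = set()
    for rel in doc.get("relationships", []):
        related.update((rel.get("spdxElementId"), rel.get("relatedSpdxElement")))
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "?")
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            missing.append(f"{pid}: Supplier Name")
        if not pkg.get("name"):
            missing.append(f"{pid}: Component Name")
        if not pkg.get("versionInfo"):
            missing.append(f"{pid}: Version of the Component")
        if not pkg.get("externalRefs"):
            missing.append(f"{pid}: Other Unique Identifiers")
        if pid not in related:
            missing.append(f"{pid}: Dependency Relationship")
    return missing

# Constructed sample (not real AlmaLinux output): one RPM entry whose
# metadata came from a build database but lacks supplier and relationships.
SAMPLE = json.loads("""{
  "SPDXID": "SPDXRef-DOCUMENT",
  "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": []},
  "packages": [{"SPDXID": "SPDXRef-bash", "name": "bash", "versionInfo": "5.1.8",
    "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl", "referenceLocator": "pkg:rpm/almalinux/bash@5.1.8"}]}],
  "relationships": []
}""")

def completed_sample() -> dict:
    """Fill in the flagged fields the way a compliant generator would."""
    doc = json.loads(json.dumps(SAMPLE))          # deep copy of the sample
    doc["creationInfo"]["creators"] = ["Tool: hypothetical-sbom-generator"]
    doc["packages"][0]["supplier"] = "Organization: AlmaLinux OS Foundation"
    doc["relationships"].append({"spdxElementId": "SPDXRef-DOCUMENT",
        "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-bash"})
    return doc
```

Running the check over SAMPLE flags the missing author, supplier and relationship; over completed_sample() it returns an empty list.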
by The Linux Foundation