Message-ID: <8b756b72-36f1-43d2-96a6-159165faedd6@tngtech.com>
Date: Thu, 22 Jan 2026 21:32:25 +0100
From: Luis Augenstein <luis.augenstein@...tech.com>
To: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
Cc: nathan@...nel.org, nsc@...nel.org, linux-kbuild@...r.kernel.org,
 linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
 gregkh@...uxfoundation.org, maximilian.huber@...tech.com
Subject: Re: [PATCH v2 00/14] Add SPDX SBOM generation tool

> it seems to require a fair amount of hardcoding, e.g.
> it seems we may need to list every generator tool in
> `SINGLE_COMMAND_PARSERS`?

Yes. Optimally, the cmd files would contain the full list of input
files, such that parsing the commands would no longer be necessary.
However, that was considered out of scope for this project.

> But if it is meant to accurately match everything, then it will
> require keeping those lists in sync with Kbuild, right?

Yes. The goal should be to keep the parser functions complete, that is,
to add new ones as soon as unsupported commands are discovered. It is
quite likely that the current list of parser functions is not complete.
When unsupported commands are encountered, KernelSbom is still able to
generate the SBOM as much as possible, as explained in the last section
of the README.

> Unknown Build Commands
> ----------------------
>
> Because the kernel supports a wide range of configurations and versions,
> KernelSbom may encounter build commands in `.cmd` files that it does
> not yet support. By default, KernelSbom will fail if an unknown build
> command is encountered.
>
> If you still wish to generate SPDX documents despite unsupported
> commands, you can use the `--do-not-fail-on-unknown-build-command`
> option. KernelSbom will continue and produce the documents, although
> the resulting SBOM will be incomplete.
>
> This option should only be used when the missing portion of the
> dependency graph is small and an incomplete SBOM is acceptable for
> your use case.
> In addition, why does this need to be a `CONFIG_` option? Should this
> be a separate tool or at most a target that supports whatever config
> happens to be, rather than part of the config itself?

The main reason to run the SBOM tool within the main make process is to
gain direct access to the make/environment variables used during the
build. The `KERNEL_BUILD_VARIABLES_ALLOWLIST` defines which environment
variables should be included in the SBOM if they are available. When the
tool is run outside of the main build, this information is no longer
accessible.
We are looking for a better place for the CONFIG_SBOM option though, as
`lib/Kconfig.debug` may not be the most appropriate place?

Best,
Luis

-- 
Luis Augenstein * luis.augenstein@...tech.com * +49-152-25275761
TNG Technology Consulting GmbH, Beta-Str. 13, 85774 Unterföhring
Geschäftsführer: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Aufsichtsratsvorsitzender: Christoph Stock
Sitz: Unterföhring * Amtsgericht München * HRB 135082
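As an added illustration (not KernelSbom's own code and not from the patch series), a small Python sketch of the parser-registry and unknown-command policy discussed in this thread: constructed `.cmd` lines are dispatched per tool, and a tool with no registered parser either aborts the run (the default) or is recorded as a gap in the dependency graph, mirroring `--do-not-fail-on-unknown-build-command`. The parser functions, `NO_INPUT_TOOLS`, the sample commands and the two-element registry are assumptions; only the `SINGLE_COMMAND_PARSERS` name and the flag come from the thread.

```python
import re
import shlex

# Constructed sample .cmd files (not from a real kernel build); the kbuild line
# shape `savedcmd_<target> := <command>` (older trees write `cmd_`) is real.
SAMPLE_CMD_FILES = {
    "init/.main.o.cmd": "savedcmd_init/main.o := gcc -Wp,-MMD,init/.main.o.d -D__KERNEL__ -c -o init/main.o init/main.c",
    "drivers/.built-in.a.cmd": "savedcmd_drivers/built-in.a := rm -f drivers/built-in.a; ar cDPrST drivers/built-in.a drivers/a.o drivers/b.o",
    "arch/x86/boot/.vmlinux.bin.cmd": "savedcmd_arch/x86/boot/vmlinux.bin := objcopy -O binary -R .note vmlinux arch/x86/boot/vmlinux.bin",
}
CMD_LINE = re.compile(r"^(?:saved)?cmd_(?P<target>\S+) := (?P<command>.*)$")

def parse_gcc(argv):
    """Compile step: inputs are the positional arguments, minus the -o output."""
    inputs = [a for prev, a in zip(argv, argv[1:]) if prev != "-o" and not a.startswith("-")]
    return inputs

def parse_ar(argv):
    """Archive step `ar <flags> <archive> <members...>`: the members are the inputs."""
    return argv[3:]

# Hypothetical per-tool registry; any tool not listed is an "unknown build command".
SINGLE_COMMAND_PARSERS = {"gcc": parse_gcc, "ar": parse_ar}
NO_INPUT_TOOLS = {"rm"}  # housekeeping steps that contribute no inputs

class UnknownBuildCommand(Exception):
    pass

def build_graph(cmd_files, fail_on_unknown=True):
    """Map each target to its inputs; unknown commands abort (default) or are recorded as gaps."""
    graph, gaps = {}, {}
    for text in cmd_files.values():
        for match in filter(None, map(CMD_LINE.match, text.splitlines())):
            target, inputs = match["target"], []
            # A .cmd command may chain several simple commands with ';' or '&&'.
            for simple in re.split(r"\s*(?:;|&&)\s*", match["command"].strip()):
                argv = shlex.split(simple)
                tool = argv[0].rsplit("/", 1)[-1] if argv else ""
                if not argv or tool in NO_INPUT_TOOLS:
                    continue
                parser = SINGLE_COMMAND_PARSERS.get(tool)
                if parser is not None:
                    inputs.extend(parser(argv))
                elif fail_on_unknown:
                    raise UnknownBuildCommand(f"{target}: {simple}")
                else:
                    gaps.setdefault(target, []).append(simple)
            graph[target] = inputs
    return graph, gaps
```

The `gaps` mapping is what makes the lenient mode auditable: an SBOM consumer can see exactly which targets have an incomplete input list rather than silently trusting the document.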