From ac0a735d99ddc9f595bc46d763677f6627a5c510 Mon Sep 17 00:00:00 2001 From: Thomas Perale Date: Wed, 19 Nov 2025 22:34:20 +0100 Subject: [PATCH] docs/manual: add information on CycloneDX This patch adds information on how to generate a CycloneDX SBOM in Buildroot. It also mentions how to track CVEs with that given SBOM. Signed-off-by: Thomas Perale [Peter: reword slightly] Signed-off-by: Peter Korsgaard (cherry picked from commit e09bf9e9511c28f5d35e3a5ae7a09f1aec57874d) Signed-off-by: Thomas Perale --- docs/manual/common-usage.adoc | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/manual/common-usage.adoc b/docs/manual/common-usage.adoc index 43caa3a9bc..7437a7c3c0 100644 --- a/docs/manual/common-usage.adoc +++ b/docs/manual/common-usage.adoc @@ -180,6 +180,34 @@ a newer upstream version for those packages. make pkg-stats ---- +=== Generating CycloneDX SBOM + +Based on the output of +show-info+ Buildroot can generate a SBOM in +the CycloneDX format. While it doesn't offer any additional +information, CycloneDX is a format specification that can be consumed +by other projects. + +---- +make show-info | utils/generate-cyclonedx +---- + +For more information check the help of the +generate-cyclonedx+ script, the +script call can be tailored to your project. + +---- +utils/generate-cyclonedx --help +---- + +Similarly to +pkg-stats+, CycloneDX SBOM's can be enriched with vulnerability +analysis from the NVD database. + +---- +make show | utils/generate-cyclonedx > sbom.cdx.json +cat sbom.cdx.json | support/scripts/cve-check --nvd-path dl/buildroot-nvd/ +---- + +For more information about CycloneDX see https://cyclonedx.org/[]. + === Graphing the dependencies between packages [[graph-depends]]
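Review bot: the third example in the hunk pipes `make show` into the script, but the first example and the introductory sentence both use `show-info` (`make show-info | utils/generate-cyclonedx`); the vulnerability-analysis example should read `make show-info | utils/generate-cyclonedx > sbom.cdx.json` so the two examples are consistent and readers are not left guessing which target feeds the script. Minor wording in the same hunk: "generate a SBOM" should be "generate an SBOM", "CycloneDX SBOM's" should be "CycloneDX SBOMs", and "For more information check the help of the +generate-cyclonedx+ script, the script call can be tailored to your project." is a comma splice that reads better as two sentences (for example "For more information, check the help of the +generate-cyclonedx+ script. The script invocation can be tailored to your project.").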