1. Introduction to SBOM
A Software Bill of Materials (SBOM) serves as a formal, machine-readable inventory that uniquely identifies software components and their contents. Beyond basic identification, it tracks copyright and licensing details. Organizations use SBOM to enhance supply chain transparency, and it is rapidly becoming a mandatory deliverable in software distribution.
2. SBOM Core Requirements
The National Telecommunications and Information Administration (NTIA) has established baseline requirements for SBOM implementation. These essential data elements enable component tracking throughout the software supply chain and serve as the foundation for extended features such as license tracking and vulnerability monitoring.
Core Field | Definition |
---|---|
Supplier | Entity responsible for component creation and identification |
Component | Official designation of the software unit |
Version | Tracking identifier for component iterations |
Other identifiers | Supplementary reference keys |
Dependencies | Mapping of component relationships and inclusions |
SBOM author | Entity generating the SBOM documentation |
Timestamp | SBOM generation date and time |
Recommended Optional Fields | |
Component hash | Digital fingerprint for security verification |
Lifecycle phase | Development stage at SBOM creation |
3. openEuler SBOM Implementation
openEuler's SBOM framework incorporates extensive metadata tracking through SPDX, including:
Base Field | SPDX Path |
---|---|
Supplier | document->packages->supplier |
Name | document->packages->name |
Version | document->packages->versionInfo (epoch:version-release in openEuler) |
Other identifiers | document->packages->externalRefs->purl |
Dependencies | document->packages->externalRefs->purl |
SBOM author | document->creationInfo->creators |
Timestamp | document->creationInfo->created |
Component hash | document->packages->checksums |
Lifecycle phase | Not supported |
Other relationships | Internal subcomponents: document->packages->externalRefs(category:PROVIDE_MANAGER)->purl; Runtime dependencies: document->relationships(relationshipType:DEPENDS_ON) |
License info | document->packages->licenseDeclared; document->packages->licenseConcluded |
Copyright info | document->packages->copyrightText |
Upstream community | document->packages->externalRefs(category:SOURCE_MANAGER)->url |
Patch information | Patch files: document->files(fileTypes:SOURCE); Patch relationships: document->relationships(relationshipType:PATCH_APPLIED) |
Component source | document->packages->downloadLocation |
Component details | document->packages->description; document->packages->summary |
Website/Blog | document->packages->homepage |
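As an added example (not openEuler's own tooling), the following Python reads the NTIA core fields of section 2 out of an SPDX JSON document laid out as in the mapping table above, follows DEPENDS_ON and PATCH_APPLIED relationships, and reports which core fields a package is missing. The SPDX document is constructed for illustration; the PROVIDE_MANAGER category and the epoch:version-release format are taken from the table, everything else (names, purls, IDs) is made up.

```python
# Constructed SPDX 2.3 document in the openEuler layout described above; every value is made up.
SAMPLE_SPDX = {
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example-tool"]},
    "packages": [
        {"SPDXID": "SPDXRef-libexample", "name": "libexample", "versionInfo": "1:2.3.4-5",
         "supplier": "Organization: openEuler", "licenseDeclared": "MIT",
         "externalRefs": [
             {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:rpm/openeuler/libexample@1:2.3.4-5"},
             # PROVIDE_MANAGER is openEuler's category for bundled subcomponents (table above)
             {"referenceCategory": "PROVIDE_MANAGER", "referenceType": "purl",
              "referenceLocator": "pkg:generic/inner-lib@0.9"}]},
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.13-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:rpm/openeuler/zlib@1.2.13-1"}]},
    ],
    "files": [{"SPDXID": "SPDXRef-patch1", "fileName": "0001-fix.patch", "fileTypes": ["SOURCE"]}],
    "relationships": [
        {"spdxElementId": "SPDXRef-libexample", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-zlib"},
        # SPDX defines PATCH_APPLIED as "A is a patch file that has been applied to B"
        {"spdxElementId": "SPDXRef-patch1", "relationshipType": "PATCH_APPLIED",
         "relatedSpdxElement": "SPDXRef-libexample"},
    ],
}

def purls(pkg, category="PACKAGE-MANAGER"):
    """purl locators of one externalRefs category (document->packages->externalRefs->purl)."""
    return [r["referenceLocator"] for r in pkg.get("externalRefs", [])
            if r.get("referenceType") == "purl" and r.get("referenceCategory") == category]

def related(doc, spdx_id, rel_type, reverse=False):
    """Elements linked to spdx_id by rel_type; reverse=True reads an A->B relationship from B."""
    here, there = ("relatedSpdxElement", "spdxElementId") if reverse else ("spdxElementId", "relatedSpdxElement")
    index = {e["SPDXID"]: e for e in doc.get("packages", []) + doc.get("files", [])}
    return [index[r[there]] for r in doc.get("relationships", [])
            if r.get("relationshipType") == rel_type and r.get(here) == spdx_id and r[there] in index]

def ntia_core_fields(doc, pkg):
    """NTIA core fields read from the SPDX paths in the openEuler mapping table; None marks a gap."""
    ci = doc.get("creationInfo", {})
    deps = [p for d in related(doc, pkg["SPDXID"], "DEPENDS_ON") for p in purls(d)]
    return {"Supplier": pkg.get("supplier"), "Component": pkg.get("name"),
            "Version": pkg.get("versionInfo"), "Other identifiers": purls(pkg) or None,
            "Dependencies": deps or None, "SBOM author": ci.get("creators") or None,
            "Timestamp": ci.get("created")}

def missing_core_fields(doc, pkg):
    """Core fields with no value: the gaps to flag before accepting the SBOM."""
    return [k for k, v in ntia_core_fields(doc, pkg).items() if not v]
```

Running `missing_core_fields` over every package in a real document gives a quick NTIA-minimum check; the second sample package deliberately lacks a supplier so the gap report is non-empty.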
4. SBOM Structure
The system uses RPM packages as the fundamental unit for SBOM generation and analysis.