Pull SPDX updates from Greg KH:
"Here is a "big" set of SPDX-like patches for 7.2-rc1. It is the
addition of the ability for the kernel build process to generate a
Software Bill of Materials (SBOM) in the SPDX format, that matches up
exactly with just the files that are actually built for the specific
kernel image generated.
To generate a sbom, after the kernel has been built, just do:
make sbom
and marvel at the JSON file that is generated...
This is needed by users for environments in which a SBOM is required
(medical, automotive, anything shipped in the EU, etc.) and cuts down
by a massive size the "naive" SBOM solution that many vendors have
done by just including _all_ of the kernel files in the resulting
document.
This result is still a giant JSON file, that I am told parses
properly, so we just have to trust that it is properly inclusive as
attempting to parse that thing by hand is impossible.
The scripts here are self-contained python scripts, no additional
libraries or tools to create the SBOM are needed, which is important
for many build systems. Overall it's just a bit over 4000 lines of
"simple" python code, the most complex part is the regex matching
lines, but those are nothing compared to what we maintain in
scripts/checkpatch.pl today...
The various parts where the tool touches the kbuild subsystem have
been acked by the kbuild maintainer, so all should be good here.
All of these patches have been in linux-next for weeks with no
reported problems"
* tag 'spdx-7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx:
scripts/sbom: add unit tests for SPDX-License-Identifier parsing
scripts/sbom: add unit tests for command parsers
scripts/sbom: add SPDX build graph
scripts/sbom: add SPDX source graph
scripts/sbom: add SPDX output graph
scripts/sbom: collect file metadata
scripts/sbom: add shared SPDX elements
scripts/sbom: add JSON-LD serialization
scripts/sbom: add SPDX classes
scripts/sbom: add additional dependency sources for cmd graph
scripts/sbom: add cmd graph generation
scripts/sbom: add command parsers
scripts/sbom: setup sbom logging
scripts/sbom: integrate script in make process
scripts/sbom: add documentation
CLEAN_FILES += vmlinux.symvers modules-only.symvers \
modules.builtin modules.builtin.modinfo modules.nsdeps \
modules.builtin.ranges vmlinux.o.map vmlinux.unstripped \
+ vmlinux.thinlto-index builtin.order \
compile_commands.json rust/test \
rust-project.json .vmlinux.objs .vmlinux.export.c \
- .builtin-dtbs-list .builtin-dtbs.S
+ .builtin-dtbs-list .builtin-dtbs.S sbom-*.spdx.json
# Directories & files removed with 'make mrproper'
MRPROPER_FILES += include/config include/generated \
projects / thirdparty / kernel / linux.git / commitdiff
