Paths

Table of Contentst

Generate SBOM files as part of the build
Needs ReviewPublic
Actions

Authored by khorben on Apr 17 2026, 5:31 PM.

Details

Reviewers

bapt
emaste
ivy
gnn

Summary

This introduces the following option:

MK_SBOM: enables the generation of SBOM files during the build.

This option uses bomtool(1) from the pkgconf project, as provided by the MK_PKGCONF option. Consequently, MK_SBOM is automatically disabled when MK_PKGCONF is disabled.

The following parameters are available as well:

BOMTOOL: Path to bomtool(1) (for SPDX version 2 files)
SBOMDIR: Source directory for pkg-config files (release/sbom/pkgconfig)
SPDXDIR: Destination for SPDX version 2 files (/usr/share/sbom/spdx)

Another tool from the pkgconf project, spdxtool(1), is planned for import and will use the following options:

JSONLDDIR: Destination for SPDX version 3 files (/usr/share/sbom/jsonld)
SPDXTOOL: Path to spdxtool(1) (for SPDX version 3 files)

Sponsored by: Alpha-Omega, Sovereign Tech Agency, The FreeBSD Foundation

Test Plan

Now that the corresponding .pc files in release/sbom/pkgconfig were imported from https://github.com/illuusio/freebsd-src/tree/sbom-pkgconfig:

$ make buildworld
[...]
$ ls obj/amd64.amd64/tmp/usr/share/sbom/spdx/*.spdx
lib80211.spdx           libelftc.spdx           libpfctl.spdx
lib9p.spdx              libevent1.spdx          libpjdlog.spdx
libalias.spdx           libexecinfo.spdx        libpmc.spdx
[...]

The SPDX files are also present in their respective packages:

$ make packages
[...]
$ pkg info -l -F /usr/obj/usr/src/repo/FreeBSD\:16\:amd64/latest/FreeBSD-zstd-lib-16.snap20260512151251.pkg
FreeBSD-zstd-lib-16.snap20260512151251:
      /usr/lib/libprivatezstd.so.5
      /usr/share/sbom/spdx/libzstd.spdx
$ pkg info -l -F /usr/obj/usr/src/repo/FreeBSD\:16\:amd64/latest/FreeBSD-zstd-16.snap20260512151251.pkg
FreeBSD-zstd-16.snap20260512151251:
      /usr/bin/unzstd
      /usr/bin/zstd
      /usr/bin/zstdcat
      /usr/bin/zstdmt
      /usr/share/man/man1/unzstd.1.gz
      /usr/share/man/man1/zstd.1.gz
      /usr/share/man/man1/zstdcat.1.gz
      /usr/share/man/man1/zstdmt.1.gz
      /usr/share/sbom/spdx/zstd.spdx

Also confirmed to work with CROSS_TOOLCHAIN=amd64-gcc14.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

khorben created this revision.Apr 17 2026, 5:31 PM

Herald added subscribers: ivy, imp, bdrewery. · View Herald TranscriptApr 17 2026, 5:31 PM

khorben requested review of this revision.Apr 17 2026, 5:31 PM

khorben added parent revisions: D56404: pkgconf: import into the base system, D56373: pkgconf: import 2.4.3 and 2.5.1.

khorben mentioned this in rGb8352da33f34: pkgconf: import into the base system.Apr 22 2026, 1:45 PM

The SPDX files are now placed in their respective base packages.
The source .pc files from illuusio were imported into release/sbom.

Herald added a reviewer: gnn. · View Herald TranscriptTue, May 12, 10:27 PM

Herald added subscribers: ziaee, jrtc27, dab, jonathan. · View Herald Transcript

khorben added inline comments.Tue, May 12, 10:30 PM

release/sbom/pkgconfig/FreeBSD.pc
9 ↗	(On Diff #177720)	This should probably be changed and set to 16.0 everywhere a library or binary is issued by FreeBSD. Note that illuusio is currently working on a patch for pkgconf that will allow us to set the version dynamically.

khorben edited the summary of this revision. (Show Details)Wed, May 13, 11:21 AM

guest-patmaddox added a subscriber: guest-patmaddox.Wed, May 13, 5:50 PM

a couple of comments:

i'm not sure this should be in release/, since it doesn't seem specific to building releases. iiuc, any src build will include the SBOM data if enabled.
this adds nearly 1,000 files which contain (among other things) manually listed shared library dependencies. who/what will be responsible for keeping these up to date?
we already have PCFILES set in bsd.lib.mk; adding another variable called PCFILE seems potentially confusing.

One thing we may want to investigate is building the SBOM files into the ELF headers instead. Sony has compiler extensions to do that -- https://github.com/sony/esstra/tree/poc/rust-llvm

ziaee added inline comments.Wed, May 20, 1:46 PM

release/sbom/pkgconfig/CC.pc
1 ↗	(On Diff #177720)	I don't understand how this works. This file makes it seem like we're claiming that Clang is copyright by the FreeBSD Foundation?

ivy added inline comments.Wed, May 20, 2:03 PM

release/sbom/pkgconfig/CC.pc
1 ↗	(On Diff #177720)	the copyright header applies to the file it's in. `CC.pc`, which is not part of clang, was written by the Foundation, who therefore own the copyright on it.

In D56474#1309051, @ziaee wrote:

One thing we may want to investigate is building the SBOM files into the ELF headers instead. Sony has compiler extensions to do that -- https://github.com/sony/esstra/tree/poc/rust-llvm

I wasn't aware of this project and approach; it's a possible avenue indeed. It doesn't seem to support the SPDX format nor LLVM yet though.

In D56474#1308969, @ivy wrote:

a couple of comments:

i'm not sure this should be in release/, since it doesn't seem specific to building releases. iiuc, any src build will include the SBOM data if enabled.

That's correct, and thank you for clarifying the distinction. Should we move it to e.g., share/sbom?

this adds nearly 1,000 files which contain (among other things) manually listed shared library dependencies. who/what will be responsible for keeping these up to date?

That is also a good point; at the moment there is no magic solution, and this information has to be maintained manually.
However, we could progressively switch to .pc files for storing compilation rules (outside of each Makefile) and merge that upstream when it is not us.
The same issue goes with version numbers, which we are working on automating already.

we already have PCFILES set in bsd.lib.mk; adding another variable called PCFILE seems potentially confusing.

That's also a valid concern; suggestions welcome. SBOMFILE comes to mind but AFAICT pkgconf expects the .pc extension, which could also be confusing.

stephane.rochoy_stormshield.eu added a subscriber: stephane.rochoy_stormshield.eu.Thu, May 28, 3:20 PM

stephane.rochoy_stormshield.eu added inline comments.

release/sbom/pkgconfig/libmd.pc

10 ↗

(On Diff #177720)

This is invalid according to the SPDX Python Tools[1]:

ERROR:root:The document is invalid. The following issues have been found:
Unrecognized license reference: Beeware. license_expression must only use IDs from the license list or extracted licensing info, but is: BSD-4-Clause AND BSD-2-Clause AND Beeware AND RSA-MD

[1] https://github.com/spdx/tools-python

stephane.rochoy_stormshield.eu added inline comments.Fri, May 29, 6:46 AM

release/sbom/pkgconfig/libmd.pc
10 ↗	(On Diff #177720)	s/Beeware/Beerware should be enough as PHK registered this license on SPDX.org ;)

For info, I reported a few minor problems to the pkgconf project: #516.

Avoid file conflicts in the -lib32 base packages (no duplicate installation of SPDX files)
Rename the PCFILE variable to SBOMFILE to avoid confusion with PCFILES
Fix typo in libmd.pc (thanks stephane.rochoy_stormshield.eu for the heads up!)

Large Diff

This large diff affects 908 files. Files without inline comments have been collapsed. Expand All Files

Revision Contents
Changeset List

Path

Size

Makefile.inc1

9 lines

etc/

mtree/

BSD.usr.dist

4 lines

share/

mk/

1 line

1 line

1 line

49 lines

1 line

sbom/

pkgconfig/

13 lines

12 lines

14 lines

12 lines

13 lines

14 lines

14 lines

14 lines

10 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

11 lines

13 lines

13 lines

14 lines

14 lines

14 lines

11 lines

14 lines

11 lines

11 lines

11 lines

14 lines

14 lines

11 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

11 lines

11 lines

14 lines

14 lines

14 lines

11 lines

11 lines

11 lines

13 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

13 lines

14 lines

14 lines

12 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

13 lines

13 lines

13 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

11 lines

13 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

14 lines

10 lines

14 lines

11 lines

11 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

10 lines

15 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

10 lines

12 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

13 lines

14 lines

12 lines

14 lines

11 lines

13 lines

14 lines

12 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

13 lines

14 lines

14 lines

11 lines

11 lines

14 lines

14 lines

14 lines

14 lines

11 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

12 lines

14 lines

14 lines

12 lines

14 lines

14 lines

14 lines

12 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

10 lines

14 lines

12 lines

12 lines

12 lines

12 lines

12 lines

12 lines

12 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

12 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

11 lines

11 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

11 lines

11 lines

11 lines

11 lines

11 lines

14 lines

14 lines

11 lines

11 lines

11 lines

14 lines

14 lines

14 lines

13 lines

13 lines

14 lines

14 lines

14 lines

14 lines

12 lines

12 lines

12 lines

12 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

10 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

13 lines

11 lines

11 lines

11 lines

10 lines

11 lines

libcasper.services.cap_dns.pc

11 lines

libcasper.services.cap_fileargs.pc

11 lines

libcasper.services.cap_grp.pc

11 lines

libcasper.services.cap_net.pc

11 lines

libcasper.services.cap_netdb.pc

11 lines

libcasper.services.cap_pwd.pc

11 lines

libcasper.services.cap_sysctl.pc

11 lines

libcasper.services.cap_syslog.pc

11 lines

13 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

13 lines

11 lines

10 lines

11 lines

13 lines

12 lines

11 lines

11 lines

11 lines

11 lines

12 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

13 lines

13 lines

11 lines

11 lines

11 lines

11 lines

11 lines

12 lines

12 lines

11 lines

11 lines

11 lines

11 lines

12 lines

10 lines

11 lines

11 lines

11 lines

10 lines

10 lines

12 lines

11 lines

11 lines

11 lines

10 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

12 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

14 lines

14 lines

12 lines

12 lines

13 lines

13 lines

12 lines

13 lines

13 lines

12 lines

13 lines

13 lines

13 lines

12 lines

12 lines

12 lines

11 lines

11 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

12 lines

11 lines

14 lines

14 lines

14 lines

14 lines

13 lines

11 lines

11 lines

11 lines

14 lines

14 lines

14 lines

11 lines

11 lines

11 lines

14 lines

14 lines

12 lines

14 lines

11 lines

10 lines

10 lines

10 lines

10 lines

12 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

13 lines

13 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

13 lines

11 lines

11 lines

14 lines

14 lines

12 lines

14 lines

14 lines

14 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

13 lines

11 lines

14 lines

12 lines

12 lines

14 lines

12 lines

13 lines

14 lines

11 lines

11 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

13 lines

14 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

14 lines

14 lines

13 lines

14 lines

10 lines

14 lines

12 lines

14 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

14 lines

14 lines

12 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

11 lines

14 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

11 lines

14 lines

13 lines

11 lines

14 lines

14 lines

14 lines

13 lines

11 lines

14 lines

14 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

11 lines

14 lines

14 lines

14 lines

11 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

10 lines

10 lines

14 lines

12 lines

14 lines

14 lines

14 lines

11 lines

12 lines

14 lines

12 lines

14 lines

14 lines

14 lines

12 lines

13 lines

14 lines

12 lines

14 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

11 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

12 lines

12 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

11 lines

14 lines

13 lines

14 lines

11 lines

14 lines

12 lines

14 lines

11 lines

14 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

12 lines

14 lines

12 lines

14 lines

14 lines

12 lines

11 lines

14 lines

virtual_bt_speaker.pc

13 lines

13 lines

13 lines

12 lines

14 lines

14 lines

14 lines

14 lines

13 lines

14 lines

14 lines

14 lines

14 lines

14 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

13 lines

12 lines

12 lines

12 lines

12 lines

14 lines

14 lines

11 lines

14 lines

11 lines

11 lines

11 lines

11 lines

14 lines

14 lines

14 lines

12 lines

11 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

14 lines

10 lines

14 lines

10 lines

14 lines

14 lines

14 lines

13 lines

14 lines

10 lines

14 lines

10 lines

10 lines

10 lines

12 lines

11 lines

14 lines

14 lines

14 lines

13 lines

11 lines

14 lines

14 lines

14 lines

14 lines

12 lines

11 lines

10 lines

10 lines

10 lines

11 lines

usr.bin/

bomtool/

Makefile

4 lines

Generate SBOM files as part of the buildNeeds ReviewPublicActions

Details

Diff Detail

Event Timeline

Large Diff

Revision ContentsChangeset List

Diff 178892

Makefile.inc1

etc/mtree/BSD.usr.dist

share/mk/bsd.README

share/mk/bsd.lib.mk

share/mk/bsd.prog.mk

share/mk/bsd.sbom.mk

share/mk/src.opts.mk

share/sbom/pkgconfig/CC.pc

share/sbom/pkgconfig/FreeBSD.pc

share/sbom/pkgconfig/Mail.pc

share/sbom/pkgconfig/[.pc

share/sbom/pkgconfig/addr2line.pc

share/sbom/pkgconfig/adjkerntz.pc

share/sbom/pkgconfig/alias.pc

share/sbom/pkgconfig/apply.pc

share/sbom/pkgconfig/apropos.pc

share/sbom/pkgconfig/ar.pc

share/sbom/pkgconfig/asa.pc

share/sbom/pkgconfig/at.pc

share/sbom/pkgconfig/atq.pc

share/sbom/pkgconfig/atrm.pc

share/sbom/pkgconfig/awk.pc

share/sbom/pkgconfig/b64decode.pc

share/sbom/pkgconfig/b64encode.pc

share/sbom/pkgconfig/backlight.pc

share/sbom/pkgconfig/banner.pc

share/sbom/pkgconfig/base64.pc

share/sbom/pkgconfig/basename.pc

share/sbom/pkgconfig/batch.pc

share/sbom/pkgconfig/bc.pc

share/sbom/pkgconfig/bectl.pc

share/sbom/pkgconfig/beep.pc

share/sbom/pkgconfig/bg.pc

share/sbom/pkgconfig/biff.pc

share/sbom/pkgconfig/bintrans.pc

share/sbom/pkgconfig/bmake.pc

share/sbom/pkgconfig/brandelf.pc

share/sbom/pkgconfig/bsdcat.pc

share/sbom/pkgconfig/bsdcpio.pc

share/sbom/pkgconfig/bsddialog.pc

share/sbom/pkgconfig/bsdiff.pc

share/sbom/pkgconfig/bsdlabel.pc

share/sbom/pkgconfig/bsdtar.pc

share/sbom/pkgconfig/bsdunzip.pc

share/sbom/pkgconfig/bsnmpget.pc

share/sbom/pkgconfig/bsnmpset.pc

share/sbom/pkgconfig/bsnmpwalk.pc

share/sbom/pkgconfig/bspatch.pc

share/sbom/pkgconfig/bthost.pc

share/sbom/pkgconfig/btsockstat.pc

share/sbom/pkgconfig/bunzip2.pc

share/sbom/pkgconfig/byacc.pc

share/sbom/pkgconfig/bzcat.pc

share/sbom/pkgconfig/bzegrep.pc

share/sbom/pkgconfig/bzfgrep.pc

share/sbom/pkgconfig/bzgrep.pc

share/sbom/pkgconfig/bzip2.pc

share/sbom/pkgconfig/bzip2recover.pc

share/sbom/pkgconfig/bzless.pc

share/sbom/pkgconfig/c++.pc

share/sbom/pkgconfig/c++filt.pc

share/sbom/pkgconfig/c89.pc

share/sbom/pkgconfig/c99.pc

share/sbom/pkgconfig/caesar.pc

share/sbom/pkgconfig/cal.pc

share/sbom/pkgconfig/calendar.pc

share/sbom/pkgconfig/camcontrol.pc

share/sbom/pkgconfig/cap_mkdb.pc

share/sbom/pkgconfig/captoinfo.pc

share/sbom/pkgconfig/cat.pc

share/sbom/pkgconfig/cc.pc

share/sbom/pkgconfig/ccdconfig.pc

share/sbom/pkgconfig/cd.pc

Generate SBOM files as part of the build
Needs ReviewPublic
Actions

Revision Contents
Changeset List