Hey Folks,
We (Canonical + Ubuntu) are working on generating SBOMs for Debian binary packages, but there are a few problems that we'd like to discuss with y'all.
Currently, there is no out-of-the-box tooling support in Debian to generate SBOMs. Hence, we were experimenting with two approaches:
1. SBOM Generation at Build Time
This approach is basically recording the list of DEBs downloaded during the phase of a source package being used to produce binary packages. However, since Debian builds can be one-to-many, i.e. one source package produces multiple binary packages, producing SBOMs per '.deb' file is not possible using this approach.
2. SBOM Generation using buildinfo, '.deb' package and the source Debian package.
This approach uses the 'Installed-Build-Depends:' field in the buildinfo file to determine the ingredients, but similar to the previous approach, this list is per Debian source package build and not per Debian binary package.
Problems identifying the license of a Debian binary package:
Our current approach is to use the copyright file inside the Debian source package to tag the Debian binary package with a license. The problem with this approach is that certain files with a non-permissive license may not end up in all the Debian binary packages. Copyright information is per file, and there is no way to track which files went into which .deb package to have accurate license information.
For other metadata, we parse the control file. However, two major problems we have are:
1. Per '.deb' Installed-Build-Depends (or other *-depends).
2. Per '.deb' license/copyright information.
Do you folks have any suggestions on this?
For the first point, I was wondering whether it would be possible to add that to the Debian toolchain (we're happy to contribute), as that is similar to buildinfo in nature.
For the second point, we're open to suggestions and investigating them.
Thanks,
Vyom Yadav
Software Engineer - Security Team
Canonical
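The second approach in the message above (buildinfo plus the binary's control file), written out as an added example that is not Canonical's or Debian's tooling. It parses two constructed deb822 paragraphs (a fictional `hello` source build and the control file of one of its binaries), pins every `Installed-Build-Depends` entry to the exact version the buildinfo records, keeps runtime `Depends` as version constraints, and emits a CycloneDX-style dictionary. The package names, versions, and the `debian:*` property names are assumptions made for the example.

```python
"""Assemble a minimal CycloneDX-style SBOM for one .deb from a source build's
.buildinfo (Installed-Build-Depends) and the binary's control file.
Added example; sample inputs below are constructed, not real packages."""
import re

# Constructed .buildinfo for a fictional source build producing two binaries.
BUILDINFO = """\
Format: 1.0
Source: hello
Binary: hello hello-doc
Architecture: amd64 all source
Version: 2.10-3
Installed-Build-Depends:
 autoconf (= 2.71-3),
 base-files (= 12.4),
 gcc-12 (= 12.2.0-14)
"""

# Constructed DEBIAN/control of one of those binaries.
CONTROL = """\
Package: hello
Version: 2.10-3
Architecture: amd64
Depends: libc6 (>= 2.34), hello-doc
Section: devel
"""


def parse_deb822(text):
    """Parse one deb822 paragraph into {field: value}. A line starting with a
    space or tab continues the previous field, as Installed-Build-Depends does."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if last is None:
                raise ValueError("continuation line before any field")
            fields[last] = (fields[last] + "\n" + line.strip()).strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed field line: {line!r}")
            last = name.strip()
            fields[last] = value.strip()
    return fields


# One relationship: name, optional :arch qualifier, optional "(op version)".
DEP_RE = re.compile(
    r"^([a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?"
    r"(?:\s*\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?$"
)


def parse_relations(value):
    """Turn 'a (= 1), b (>= 2), c' into [(name, op, version), ...].
    Alternatives ('a | b') are not handled; Installed-Build-Depends never
    contains them because it lists the exact packages that were installed."""
    rels = []
    for item in value.replace("\n", " ").split(","):
        item = item.strip()
        if not item:
            continue
        m = DEP_RE.match(item)
        if not m:
            raise ValueError(f"unparseable relation: {item!r}")
        rels.append((m.group(1), m.group(2), m.group(3)))
    return rels


def purl(name, version=None, arch=None):
    """Package URL for a Debian package; version/arch are added when known."""
    p = f"pkg:deb/debian/{name}"
    if version:
        p += f"@{version}"
    if arch:
        p += f"?arch={arch}"
    return p


def build_sbom(buildinfo_text, control_text):
    bi = parse_deb822(buildinfo_text)
    ctl = parse_deb822(control_text)
    # Refuse to pair a binary with a buildinfo that did not produce it.
    if ctl["Package"] not in bi["Binary"].split():
        raise ValueError(f"{ctl['Package']} was not built from this buildinfo")
    deb = {"type": "application", "name": ctl["Package"], "version": ctl["Version"],
           "purl": purl(ctl["Package"], ctl["Version"], ctl["Architecture"]),
           "properties": [{"name": "debian:source",
                           "value": f"{bi['Source']} {bi['Version']}"}]}
    components = []
    # Build ingredients are exact: every buildinfo entry carries "(= version)".
    for name, op, ver in parse_relations(bi["Installed-Build-Depends"]):
        if op != "=":
            raise ValueError(f"no exact version for build dependency {name}")
        components.append({"type": "library", "name": name, "version": ver,
                           "purl": purl(name, ver),
                           "properties": [{"name": "debian:relationship",
                                           "value": "build-depends"}]})
    # Runtime Depends carry constraints, not resolved versions; keep them as such.
    for name, op, ver in parse_relations(ctl.get("Depends", "")):
        props = [{"name": "debian:relationship", "value": "depends"}]
        if op:
            props.append({"name": "debian:constraint", "value": f"{op} {ver}"})
        components.append({"type": "library", "name": name,
                           "purl": purl(name), "properties": props})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": deb}, "components": components,
            "dependencies": [{"ref": deb["purl"],
                              "dependsOn": [c["purl"] for c in components]}]}
```

Running `build_sbom` with the control file of `hello-doc` against the same buildinfo yields an identical build-depends list, which is the limitation the message points out: the buildinfo describes the source build, so this method cannot say which of those ingredients actually went into each .deb.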