Practical SBOM Management with Zephyr and SPDX
Benjamin Cabé - EOC 2024 - Duration: 34:35
Writing secure embedded software is a challenging task, and what is considered secure today may not be secure tomorrow. A Zephyr application is composed of many components, from the Zephyr kernel to device drivers, vendor HALs and application code, and it can be difficult to identify exactly which components you depend on in order to assess whether you are vulnerable to a particular CVE.
This talk shows, in very practical terms, how to use state-of-the-art standards and tools to precisely identify the "manifest" (Software Bill of Materials, SBOM) of your Zephyr application, and how to use that information to assess your security posture and respond to security incidents.
We demo a variety of tools that you may want to add to your development workflow to generate Zephyr SBOMs, visualize the information they contain, check them against known vulnerabilities, and more.
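The check described above in miniature, as an added example that is not from the talk or the Zephyr project: a small parser for the SPDX tag-value format that `west spdx` writes for a Zephyr build, run over a constructed SBOM and matched against a constructed advisory table. The package names, versions and advisory id are illustrative placeholders, not real data.

```python
import re

# Constructed sample in SPDX 2.2 tag-value shape (the format `west spdx`
# emits); package names and versions are illustrative, not a real build.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
PackageName: zephyr
SPDXID: SPDXRef-zephyr
PackageVersion: 3.5.0
PackageName: mbedtls
SPDXID: SPDXRef-mbedtls
PackageVersion: 3.4.0
PackageName: app
SPDXID: SPDXRef-app
PackageVersion: NOASSERTION
"""

def parse_spdx_tag_value(text: str) -> dict:
    """Return {package name: version}; each 'PackageName:' tag opens a new
    package, and a NOASSERTION version is stored as None, not as a string."""
    packages, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue                          # blank line or comment
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = value
            packages[current] = None
        elif current is not None and tag == "PackageVersion":
            packages[current] = None if value == "NOASSERTION" else value
    return packages

def vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

# Constructed advisory table: name -> [(advisory id, first affected, first fixed)]
ADVISORIES = {"mbedtls": [("EXAMPLE-ADV-1", "3.0.0", "3.5.0")]}

def find_affected(packages, advisories=ADVISORIES):
    """Report packages whose version lies in [first_affected, first_fixed); a
    package with no asserted version is reported as unknown, not as clean."""
    hits = []
    for name, version in packages.items():
        for adv_id, lo, hi in advisories.get(name, []):
            if version is None:
                hits.append((name, adv_id, "unknown"))
            elif vtuple(lo) <= vtuple(version) < vtuple(hi):
                hits.append((name, adv_id, version))
    return hits
```

Real SBOMs carry richer identifiers (PURLs, CPEs) and real advisory feeds give version ranges in their own formats, so the matching step is where a production tool earns its keep.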
Hi!
Twister is used to run unit tests, so could you elaborate on what you exactly mean as I am not sure I understand the question :) Cheers!
You can also build projects with Twister. In the *.yaml file, you can indicate that twister should create several binary files based on the configuration indicated there (additional kconfigs, additional shields, various programming libraries, etc.). Therefore, it would be easier if twister could have the option to generate SBOM files. It is easier to integrate it on CI where we require that an SBOM be generated for each binary in my company. I may have mixed something up.
Do you plan to add the ability to generate SBOM to the west twister command?