We are seeing requirements for having an SBOM as recently mandated by the US government. Does anybody know where I can get an SBOM for FreeRTOS or the libraries?
SBOMs are added to the releases, so appear in the release tags. For example, here is the kernel’s SBOM for the V10.6.0 release: https://github.com/FreeRTOS/FreeRTOS-Kernel/blob/V10.6.0/sbom.spdx
It appears SBOMs were only added as of 10.5.0 (well, that is the tag at which this file first appears, but the PackageVersion is 10.4.6!?).
Unfortunately, our product is still using 10.3.1 (I know…).
Is there a simple way to generate an SBOM for an older release?
The SBOM is generated on releases by GitHub actions. The script which generates the SBOM can be found here:
sbom-generator/scan_dir.py on FreeRTOS/CI-CD-Github-Actions
There are other files in this folder to look at, but this looks like a directory crawler which is used in all FreeRTOS repos which generate an SBOM.
Not sure, however, if V10.3.1 meets all of the structural requirements for this script.
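As an added illustration of the kind of directory crawl such a generator does (this is not the FreeRTOS CI-CD script, and its package name, version string and sample files are constructed here), the following walks a checkout, hashes every source file and emits an SPDX 2.2 tag-value document with the release tag passed in explicitly:

```python
import hashlib
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", ".github"}  # VCS and CI metadata are not part of the shipped sources


def file_sha1(path):
    """SHA1 of a file's bytes, streamed so large vendored files are not read whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def package_verification_code(sha1_hexes):
    """SPDX package verification code: SHA1 over the sorted, concatenated file SHA1s."""
    return hashlib.sha1("".join(sorted(sha1_hexes)).encode("ascii")).hexdigest()


def generate_spdx(root, package_name, package_version):
    """Crawl `root` and return an SPDX 2.2 tag-value SBOM as a string."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*")
                   if p.is_file() and not (set(p.relative_to(root).parts) & SKIP_DIRS))
    sha1s = [file_sha1(p) for p in files]
    lines = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
             f"DocumentName: {package_name}", "",
             f"PackageName: {package_name}", "SPDXID: SPDXRef-Package",
             f"PackageVersion: {package_version}",  # taken from the tag, not a version file
             "FilesAnalyzed: true",
             f"PackageVerificationCode: {package_verification_code(sha1s)}"]
    for i, (p, digest) in enumerate(zip(files, sha1s)):
        lines += ["", f"FileName: ./{p.relative_to(root).as_posix()}",
                  f"SPDXID: SPDXRef-File-{i}", f"FileChecksum: SHA1: {digest}"]
    return "\n".join(lines) + "\n"


def demo():
    """Constructed stand-in for an old checkout (not real FreeRTOS sources)."""
    root = Path(tempfile.mkdtemp())
    (root / "tasks.c").write_bytes(b"abc")            # SHA1 a9993e36...
    (root / "include").mkdir()
    (root / "include" / "task.h").write_bytes(b"")    # SHA1 da39a3ee...
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_bytes(b"ref: refs/heads/main")  # must be skipped
    return generate_spdx(root, "FreeRTOS-Kernel", "V10.3.1")


if __name__ == "__main__":
    print(demo())
```

Run it against a real `git checkout V10.3.1` by calling `generate_spdx(".", "FreeRTOS-Kernel", "V10.3.1")`; the verification code lets anyone with the same tree confirm the SBOM matches what they built.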