Software Bill of Materials (SBOM) By Example

This project creates a Software Bill of Materials (SBOM) for a Nerves project running on a Raspberry Pi.

It starts with some SBOM background (mainly referring to elsewhere); gives some simple C, Python, and Elixir SBOM examples; and then builds, through several phases, a fairly sophisticated IoT device SBOM. The phases both increase the complexity of the device software and show various issues with building SBOMs.
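As an added illustration of what the per-phase "sbom at ..." artifacts can contain (this is example code written for this page, not code from the project or any of its repos), the following Python builds a minimal SBOM for one built artifact plus its direct dependencies and then re-verifies the artifact against it. It assumes the CycloneDX 1.4 JSON layout, which the outline does not name, and uses a constructed byte string in place of a real `make release` output; the dependency names and purls in the usage are likewise constructed.

```python
import hashlib
import json

# Constructed stand-in for a built artifact (e.g. the C hello-world binary).
# A real run would read the file produced by `make release`; this is not an ELF file.
HELLO_BINARY = b"\x7fELF constructed placeholder, not a real executable\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the hash recorded in the SBOM."""
    return hashlib.sha256(data).hexdigest()


def make_sbom(name: str, version: str, artifact: bytes, deps: list) -> dict:
    """Build a minimal CycloneDX 1.4 JSON document (assumed format).

    `deps` is a list of (name, version, purl) tuples for direct dependencies.
    The C hello world has none; a Mix (Hex) or pip project would list some.
    """
    root_ref = f"pkg:generic/{name}@{version}"
    components = [
        {
            "type": "application",
            "bom-ref": root_ref,
            "name": name,
            "version": version,
            "purl": root_ref,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(artifact)}],
        }
    ]
    for dep_name, dep_version, purl in deps:
        components.append(
            {"type": "library", "bom-ref": purl, "name": dep_name,
             "version": dep_version, "purl": purl}
        )
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": components,
        # Dependency graph: root depends on each direct dep; deps are leaves here.
        "dependencies": [
            {"ref": root_ref, "dependsOn": [purl for _, _, purl in deps]},
            *({"ref": purl, "dependsOn": []} for _, _, purl in deps),
        ],
    }


def verify_artifact(sbom: dict, bom_ref: str, artifact: bytes) -> bool:
    """Recompute the artifact hash and compare it with the SBOM's recorded hash.

    Returns False when the component is absent or no SHA-256 entry matches,
    so a tampered or substituted build fails the check rather than passing by default.
    """
    for comp in sbom["components"]:
        if comp.get("bom-ref") == bom_ref:
            expected = {h["content"] for h in comp.get("hashes", [])
                        if h["alg"] == "SHA-256"}
            return sha256_hex(artifact) in expected
    return False


def count_by_type(sbom: dict) -> dict:
    """Count components per CycloneDX type; useful for watching an SBOM grow across phases."""
    counts = {}
    for comp in sbom["components"]:
        counts[comp["type"]] = counts.get(comp["type"], 0) + 1
    return counts


if __name__ == "__main__":
    # C hello world: one application component, no dependencies.
    sbom = make_sbom("hello", "1.0.0", HELLO_BINARY, [])
    print(json.dumps(sbom, indent=2))
    print("verified:", verify_artifact(sbom, "pkg:generic/hello@1.0.0", HELLO_BINARY))
    print("tampered:", verify_artifact(sbom, "pkg:generic/hello@1.0.0", HELLO_BINARY + b"x"))
    # Constructed Elixir-style project with one Hex dependency (name and purl are made up).
    sbom_ex = make_sbom("hello_ex", "0.1.0", b"constructed .beam bytes",
                        [("example_dep", "0.1.0", "pkg:hex/example_dep@0.1.0")])
    print(count_by_type(sbom_ex))
```

The `verify_artifact` step is the part worth keeping around: an SBOM that records hashes lets a later phase confirm the release it describes is the one actually deployed, and `count_by_type` gives a cheap way to watch the component count jump between the phases outlined below.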

Add annotated Table of Contents here

1. What is an SBOM? Why would I have one?

blah blah, link to SBOM background material

2. “Hello World”

blah blah

2.1 C “Hello World”

There is a repo, add link to sbe_c1

add some hello world history

add pic of signed first edition book and screen shot of hello world page

build blah blah

make release blah blah

sbom at blah blah

2.2 Python “Hello World”

blah blah about Python, interpreter, .pyc

There is a repo, add link to sbe_p1

run interactively blah blah

compile .pyc blah blah

make (GitHub, not executable) release blah blah

sbom at blah blah

2.3 Elixir “Hello World”

blah blah about Elixir, interpreter, BEAM VM with .beam "binaries" which are not executables (as executable in section blah). Package managers (e.g. Hex - add link) and build systems (e.g. Mix - add link) use machine-independent .beam files. Link to issues with interpreter, VM code, and executables in later sections.

There is a repo, add link to https://github.com/sparrell/SBE-HelloWorld-elixir

build blah blah

make release blah blah

sbom at blah blah

3. Elixir Blinky

blah blah

3.1 Base Elixir Blinky 0-hop

blah blah

3.2 Base Elixir Blinky 1-hop

blah blah

3.3 Add LED Matrix

blah blah

3.4 Add MQTT OpenC2

add in Tortoise API server and OpenC2 MQTT API

3.5 Replace MQTT with HTTP API (no HTML)

3.6 Add HTML webserver with JavaScript

note explosion of SBOM

4. Add in more SBOM hops

4.1 On Raspberry Pi - Nerves OS

4.2 On cloud - Docker image, Debian Linux OS

Cruft to clean up later

Table of Contents