Add a SBOM file in CycloneDX format
Improve supply chain security by including a SBOM file with substituted values.
This will be used to construct a composite platform SBOM.
Signed-off-by: Richard Hughes <richard@hughsie.com>
diff --git a/scripts/sbom.cdx.json b/scripts/sbom.cdx.json
new file mode 100644
index 0000000..59798d9
--- /dev/null
+++ b/scripts/sbom.cdx.json
@@ -0,0 +1,48 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "version": 1,
+ "metadata": {
+ "authors": [
+ {
+ "name": "@VCS_SBOM_AUTHORS@"
+ }
+ ]
+ },
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "pkg:github/Mbed-TLS/mbedtls@@VCS_TAG@",
+ "cpe": "cpe:2.3:a:trustedfirmware:mbed_tls:@VCS_TAG@:*:*:*:*:*:*:*",
+ "name": "mbedtls",
+ "version": "@VCS_VERSION@",
+ "description": "Implements cryptographic primitives, X.509 certificate manipulation and SSL/TLS and DTLS protocols",
+ "authors": [
+ {
+ "name": "@VCS_AUTHORS@"
+ }
+ ],
+ "supplier": {
+ "name": "Trusted Firmware"
+ },
+ "licenses": [
+ {
+ "license": {
+ "id": "Apache-2.0"
+ }
+ },
+ {
+ "license": {
+ "id": "GPL-2.0-or-later"
+ }
+ }
+ ],
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "https://github.com/Mbed-TLS/mbedtls"
+ }
+ ]
+ }
+ ]
+}