Brussels / 1 & 2 February 2025

Lessons learned from integrating SBOM in a supply chain

In the context of a Linux software factory dedicated to building embedded software, we will discuss the choices and challenges we encountered in integrating SBOM file generation into a software supply chain involving many packages.

The talk will begin with a brief overview of the various formats (SPDX, CycloneDX, ...), tools and ecosystems surrounding SBOM, highlighting the essential knowledge required to integrate these features into a supply chain. Then, this presentation will address the challenges we faced in retrieving accurate and reliable information to generate various BOMs: How do we ensure the data is correct and up-to-date? What are the common pitfalls in data collection? Which format best suits your needs, and what are the trade-offs between different solutions? Finally, we will explore the importance of having SBOMs and the necessity of tracing and signing each element in the supply chain to ensure integrity (focusing here on SLSA).
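As an added illustration of the data-quality questions the abstract raises (this is not code from the talk or from the redpesk project), the script below walks a CycloneDX SBOM, flags components whose version, purl or SHA-256 hash is missing, and verifies each declared digest against the artifact bytes; the SBOM and the artifact store are constructed inline.

```python
"""Sanity-check a CycloneDX SBOM for common data-collection pitfalls."""
import hashlib

# Constructed sample SBOM (not a real redpesk BOM): one complete component,
# one with missing metadata, one whose declared hash does not match its bytes.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:rpm/zlib@1.3.1",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"zlib-bytes").hexdigest()}]},
        {"type": "library", "name": "libfoo"},
        {"type": "library", "name": "libbar", "version": "2.0",
         "purl": "pkg:rpm/libbar@2.0",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    ],
}
# Constructed stand-in for the built artifacts: component name -> file bytes.
ARTIFACTS = {"zlib": b"zlib-bytes", "libfoo": b"foo", "libbar": b"bar-bytes"}


def check_sbom(sbom, artifacts):
    """Return a list of (component name, problem) findings, in BOM order."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append((name, "missing version"))
        if not comp.get("purl"):
            findings.append((name, "missing purl"))
        hashes = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        declared = hashes.get("SHA-256")
        if declared is None:
            findings.append((name, "missing SHA-256"))
        elif name in artifacts:
            # Recompute the digest from the bytes we actually shipped.
            actual = hashlib.sha256(artifacts[name]).hexdigest()
            if actual != declared.lower():
                findings.append((name, "hash mismatch"))
        else:
            findings.append((name, "artifact not available to verify"))
    return findings


if __name__ == "__main__":
    for component, problem in check_sbom(SAMPLE_SBOM, ARTIFACTS):
        print(f"{component}: {problem}")
```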

More information about redpesk factory and redpesk OS:
- redpesk documentation - Technical documentation of redpesk factory and redpesk OS
- redpesk community edition - A free-to-use version of the redpesk SaaS factory
- redpesk OS - Security Framework and component sources on GitHub

Speakers

Sébastien DOUHERET