Bug#1122577: ITP: debsbom -- Software Bill of Materials generator for distributions based on Debian
MOESSBAUER, Felix
felix.moessbauer at siemens.com
Fri Dec 12 10:14:07 GMT 2025
On Thu, 2025-12-11 at 15:32 +0000, Holger Levsen wrote:
> On Thu, Dec 11, 2025 at 03:32:26PM +0100, Felix Moessbauer wrote:
> > * Package name : debsbom
> > * License : MIT
> > debsbom generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats SPDX and CycloneDX.
> > The generated SBOM includes all installed binary packages and also contains Debian Source packages.
>
> awesome! kudos & thank you! <3
I'm happy to hear that!
>
> Disclaimer: I haven't looked at it yet and *I* don't need it but we have discussed
> this for many years already so I'm glad someone/you finally wrote this!
Please have a look at our documentation, where we describe how we map
the package metadata onto the field of the SBOM [1].
[1] https://siemens.github.io/debsbom/design-decisions.html
>
> Does it download/include .buildinfo files into the SBOMs?
debsbom has a multi-stage approach, where the first stage is generating
the SBOM with all the data we have (dpkg-status, apt cache for
checksums). The output is the SBOM (either CycloneDX or SPDX).
The "debsbom download" reads such an SBOM and then takes care of looking
up the binary and source packages on snapshot.d.o (or others), based on
<name> <version> <arch> and the checksum. Currently we don't download
the .buildinfo files, but this can easily be extended.
For details, please have a look at our examples in [2].
[2] https://siemens.github.io/debsbom/examples.html
Christoph and I just gave a presentation about the tool which also
provides a brief overview of where we are coming from and what the tool
is capable of [3].
[3] https://opensource.siemens.com/meetups/2025isar/slides/08_Generating-SBOMs-With-isar_Steiger_Moessbauer.pdf
Best regards,
Felix
--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
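An added illustration of the two-stage approach Felix describes (stage 1 builds components from dpkg status plus cached checksums, stage 2 verifies a fetched .deb against the SBOM); this is example code written for this page, not debsbom's own implementation. The field-to-component mapping, the purl layout, and the dpkg status / apt cache data are assumptions and constructed.

```python
import hashlib

# Constructed dpkg status excerpt (not taken from any real system).
DPKG_STATUS = """\
Package: libexample1
Status: install ok installed
Architecture: amd64
Source: example (1.2.3)
Version: 1.2.3-4

Package: example-doc
Status: deinstall ok config-files
Architecture: all
Version: 1.2.3-4

Package: hello
Status: install ok installed
Architecture: amd64
Version: 2.10-3
"""
# Constructed stand-in for the apt cache: (name, version, arch) -> sha256 of the .deb.
DEB_BYTES = {("hello", "2.10-3", "amd64"): b"constructed hello .deb contents"}
APT_SHA256 = {k: hashlib.sha256(v).hexdigest() for k, v in DEB_BYTES.items()}

def parse_dpkg_status(text):
    """Yield one field dict per blank-line separated stanza (single-line fields only)."""
    for stanza in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in stanza.splitlines() if not line[:1].isspace())
        yield {k: v.strip() for k, _, v in pairs}

def generate_components(text, distro="debian"):
    """Stage 1: installed binary packages -> CycloneDX-style components (assumed mapping)."""
    components = []
    for f in parse_dpkg_status(text):
        if f.get("Status") != "install ok installed":
            continue                    # config-files-only leftovers are not installed
        src = f.get("Source", f["Package"]).split()[0]   # handles "Source: name (version)"
        key = (f["Package"], f["Version"], f["Architecture"])
        comp = {"type": "library", "name": key[0], "version": key[1],
                "purl": f"pkg:deb/{distro}/{key[0]}@{key[1]}?arch={key[2]}",
                "properties": [{"name": "debian:source", "value": src}]}
        if key in APT_SHA256:           # record a checksum only when the cache has the .deb
            comp["hashes"] = [{"alg": "SHA-256", "content": APT_SHA256[key]}]
        components.append(comp)
    return components

def verify_fetched_deb(component, blob):
    """Stage 2: accept a fetched .deb only if its sha256 matches the SBOM entry."""
    expected = {h["content"] for h in component.get("hashes", []) if h["alg"] == "SHA-256"}
    return bool(expected) and hashlib.sha256(blob).hexdigest() in expected
```

A component without a recorded checksum is rejected in stage 2 rather than trusted, which is the conservative choice when the generating system's apt cache did not hold the .deb.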