Check how to use SBOM

[ebail]

• SBoM information is essential for vulnerability and license
  compliance assessment

• The US government is pushing for having such information
  in all software it procures and will probably make it mandatory soon.

Debian FAI does not support SBOM.

[ebail]

A good reference to explain how it is done with Yocto: https://summit.yoctoproject.org/yocto-project-summit-2022-11/talk/NAENTD/

[watare]

I'm not sure I understand "Debian FAI does not support SBOM"
because a simple script seems to do the job
https://github.com/daald/dpkg-licenses
Am I missing something ?

[ebail]

I think that this could be more complicated.

The first question is to list what should be required.
According to the presentation:

● Sources
● Licenses
● Dependencies
● Applied changes
● Fixes for known vulnerabilities

Again we would need to discuss that.

[ebail]

Some LFEnergy discussions in 2021 regarding this topic: https://docs.google.com/presentation/d/1iSLCinJoZ_TsUjogeyTr-ypmyASho5R6YOCNzZSmEIk/edit#slide=id.gb62873e1e9_1_53