Re: [PATCH v2 00/14] Add SPDX SBOM generation tool
From: Greg KH
Date: Tue Jan 20 2026 - 10:40:29 EST
On Tue, Jan 20, 2026 at 12:53:38PM +0100, Luis Augenstein wrote:
> This patch series introduces a Python-based tool for generating SBOM
> documents in the SPDX 3.0.1 format for kernel builds.
>
> A Software Bill of Materials (SBOM) describes the individual components
> of a software product. For the kernel, the goal is to describe the
> distributable build outputs (typically the kernel image and modules),
> the source files involved in producing these outputs, and the build
> process that connects the source and output files.
>
> To achieve this, the SBOM tool generates three SPDX documents:
>
> - sbom-output.spdx.json
> Describes the final build outputs together with high-level
> build metadata.
>
> - sbom-source.spdx.json
> Describes all source files involved in the build, including
> licensing information and additional file metadata.
>
> - sbom-build.spdx.json
> Describes the entire build process, linking source files
> from the source SBOM to output files in the output SBOM.
>
> The sbom tool is optional and runs only when CONFIG_SBOM is enabled. It
> is invoked after the build, once all output artifacts have been
> generated. Starting from the kernel image and modules as root nodes,
> the tool reconstructs the dependency graph up to the original source
> files. Build dependencies are primarily derived from the .cmd files
> generated by Kbuild, which record the full command used to build
> each output file.
>
> Currently, the tool only supports x86 and arm64 architectures.
>
> Co-developed-by: Maximilian Huber <maximilian.huber@xxxxxxxxxxx>
> Signed-off-by: Maximilian Huber <maximilian.huber@xxxxxxxxxxx>
> Signed-off-by: Luis Augenstein <luis.augenstein@xxxxxxxxxxx>
> ---
> Changes in v2:
> - regenerate sbom documents when build configuration changes
I'm still getting:
make[3]: Nothing to be done for 'sbom'.
When rebuilding the kernel and nothing needs to be done for the sbom.
That message should not be there, right?
thanks,
greg k-h