In February 2022, the National Institute of Standards and Technology (NIST) published version 1.1 of the Secure Software Development Framework (SSDF), a set of comprehensive guidelines on secure software development practices in response to the 2021 Cybersecurity Executive Order (EO) 14028.
As part of these requirements, the US government might request a software bill of materials (SBOM), which lists components of a software release.
SBOMs are automatically generated for Android Continuous Integration (Android CI) builds. If you use one of the CI builds, use the following steps to obtain an SBOM for a build. Otherwise, follow the steps to generate a custom SBOM.
Obtain a pregenerated SBOM
To obtain a pregenerated SBOM:
- In your browser, navigate to ci.android.com.
- In the Enter a branch name field, type aosp-android-latest-release.
- For any of the builds with green status, click the View artifacts down arrow. The Build artifacts screen appears.
- In the Build artifacts screen, use a find command (CTRL+F or CMD+F) to locate the SBOM JSON folder.
Generate a custom SBOM
For any additions to the platform, including any binary or build and release tool chains, you must provide an SBOM representation of your product that meets the Minimal Elements for a Software Bill of Materials (SBOM). To generate a custom SBOM:
- Run the following commands to set up your environment and build the SBOM:

      $ source build/envsetup.sh
      $ lunch TARGET
      $ m sbom  # Generates an SBOM

  The TARGET refers to the same build target that you are using to build Android, such as aosp_arm64-userdebug.
- To ensure the SBOM built correctly, execute:

      $ ls out/dist/sbom*
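As an added check that is not part of the original page or the Android build tooling: a small Python script that scans an SBOM JSON file for the minimum elements the page cites (SBOM author and timestamp, plus supplier, component name, version, unique identifier and a dependency relationship per component). It assumes the file uses the SPDX 2.x JSON layout; the document embedded below is constructed for the demo, with one deliberately incomplete package so the checker has something to report.

```python
import json
import sys

# Constructed sample in SPDX 2.x JSON layout (assumed to match what `m sbom` writes); all values are made up.
SAMPLE_SBOM = {
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Organization: Example Org"]},
    "documentDescribes": ["SPDXRef-PRODUCT"],
    "packages": [
        {"SPDXID": "SPDXRef-PRODUCT", "name": "example_product",
         "versionInfo": "1.0", "supplier": "Organization: Example Org"},
        {"SPDXID": "SPDXRef-LIB", "name": "libexample",
         "versionInfo": "2.3.4", "supplier": "Organization: Example Org"},
        # Deliberately incomplete entry so the checker has something to flag.
        {"SPDXID": "SPDXRef-ORPHAN", "name": "orphan", "supplier": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-PRODUCT", "relatedSpdxElement": "SPDXRef-LIB",
         "relationshipType": "CONTAINS"},
    ],
}

def check_minimum_elements(doc):
    """Return findings for missing minimum elements; an empty list means all checked elements are present."""
    findings = []
    info = doc.get("creationInfo", {})
    if not info.get("created"):
        findings.append("document: missing creationInfo.created (timestamp)")
    if not info.get("creators"):
        findings.append("document: missing creationInfo.creators (SBOM author)")
    # A package is tied into the dependency tree if it is a described root or the target of a relationship.
    linked = {r.get("relatedSpdxElement") for r in doc.get("relationships", [])}
    roots = set(doc.get("documentDescribes", []))
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID")
        if not pid:
            findings.append("package without SPDXID (unique identifier)")
            continue
        for field, label in (("name", "component name"), ("versionInfo", "version")):
            if not pkg.get(field):
                findings.append(f"{pid}: missing {field} ({label})")
        if pkg.get("supplier") in (None, "", "NOASSERTION"):
            findings.append(f"{pid}: supplier missing or NOASSERTION")
        if pid not in roots and pid not in linked:
            findings.append(f"{pid}: no relationship links it to the described product")
    return findings

if __name__ == "__main__":  # python check_sbom.py out/dist/sbom/<name>.json
    doc = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_SBOM
    print("\n".join(check_minimum_elements(doc)) or "OK: all checked elements present")
```

Run it with no argument to see the three findings for the built-in sample, or point it at one of the files listed by `ls out/dist/sbom*`.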