Generating a Buildroot SBOM

cvescan-buildroot lets you generate an .inventory.json SBOM file for your Buildroot project, starting from version 2022.02. Let's follow the instructions from the CVEScan-Buildroot readme.

Add the cvescan-buildroot-external folder as a Buildroot external, as described in the Buildroot manual:

make BR2_EXTERNAL=/path/to/cvescan-buildroot-external

If you already use some externals, using multiple externals is supported:

make BR2_EXTERNAL=/path/to/foo:/path/to/cvescan-buildroot-external

The inventory can be created using the cvescan-inventory target:

make BR2_EXTERNAL=/path/to/cvescan-buildroot-external cvescan-inventory

The inventory file will be created in your output folder (output/ by default), named buildroot.inventory.json.

It can be fed to the CVEScan run subcommand as:

cvescan run --inventory buildroot.inventory.json
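
The steps above combined into a CI wrapper, as an added example (not part of cvescan-buildroot or its readme): it appends the external to any BR2_EXTERNAL already set, and moves an inventory left by an earlier build aside so a stale SBOM is never scanned. CVESCAN_EXTERNAL and the function names are assumptions of this sketch, and it expects to run from the Buildroot top-level directory with the default output/ folder.

```shell
#!/bin/sh
# Added example: CI wrapper for the steps above. Not part of cvescan-buildroot.
# Assumptions: run from the Buildroot top-level directory with the default
# output/ folder; CVESCAN_EXTERNAL is a variable name chosen for this sketch.

# Append the cvescan external to an existing colon-separated BR2_EXTERNAL
# list, leaving the list unchanged if the external is already in it.
join_externals() {
    case ":$1:" in
        *":$2:"*) printf '%s\n' "$1" ;;
        "::")     printf '%s\n' "$2" ;;
        *)        printf '%s\n' "$1:$2" ;;
    esac
}

# Move an inventory left by an earlier build out of the way, so a failed or
# skipped generation cannot be mistaken for a fresh SBOM.
retire_old_inventory() {
    if [ -e "$1" ]; then
        mv -f "$1" "$1.previous"
    fi
}

# The inventory must exist and be non-empty before it is scanned.
inventory_ready() {
    [ -s "$1" ]
}

main() {
    inventory=output/buildroot.inventory.json
    externals=$(join_externals "${BR2_EXTERNAL:-}" "$CVESCAN_EXTERNAL")

    retire_old_inventory "$inventory"
    make BR2_EXTERNAL="$externals" cvescan-inventory || return 1
    if ! inventory_ready "$inventory"; then
        echo "error: $inventory was not produced by this run" >&2
        return 1
    fi
    cvescan run --inventory "$inventory"
}

# The build only runs when the external's path is supplied, e.g.
#   CVESCAN_EXTERNAL=/path/to/cvescan-buildroot-external sh cvescan-ci.sh
if [ -n "${CVESCAN_EXTERNAL:-}" ]; then
    main
fi
```

The wrapper's exit status is that of the last step that ran, so a failed make, a missing inventory, or a failing cvescan run all stop the CI job.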