chore(docs): add a SBOM template in CycloneDX format
Improve supply chain security by including a SBOM file with substituted
values.
This will be used to construct a composite platform SBOM.
Change-Id: Ia34338854a0eaa4f3a8799c23e46aae382792252
Signed-off-by: Richard Hughes <richard@hughsie.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
(cherry picked from commit 5e04d63612d9e77cba94da94f5f5f7fa1ea6d42c)
diff --git a/docs/sbom.cdx.json b/docs/sbom.cdx.json
new file mode 100644
index 0000000..795e5d5
--- /dev/null
+++ b/docs/sbom.cdx.json
@@ -0,0 +1,47 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.6",
+ "version": 1,
+ "metadata": {
+ "authors": [
+ {
+ "name": "@VCS_SBOM_AUTHORS@"
+ }
+ ]
+ },
+ "components": [
+ {
+ "type": "library",
+ "bom-ref": "pkg:github/TrustedFirmware-A/trusted-firmware-a@@VCS_TAG@",
+ "cpe": "cpe:2.3:a:trustedfirmware.org:trusted-firmware-a:@VCS_TAG@:*:*:*:*:*:*:*",
+ "name": "trusted-firmware-a",
+ "version": "@VCS_VERSION@",
+ "description": "Reference implementation of secure software for Arm A-Profile architectures",
+ "authors": [
+ {
+ "name": "@VCS_AUTHORS@"
+ }
+ ],
+ "supplier": {
+ "name": "trustedfirmware.org"
+ },
+ "licenses": [
+ {
+ "license": {
+ "id": "BSD-3-Clause"
+ }
+ }
+ ],
+ "externalReferences": [
+ {
+ "type": "vcs",
+ "url": "https://review.trustedfirmware.org/TF-A/trusted-firmware-a"
+ },
+ {
+ "type": "vcs",
+ "url": "https://github.com/TrustedFirmware-A/trusted-firmware-a"
+ }
+ ]
+ }
+ ]
+}
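Review bot: The component entry carries its package URL only in `bom-ref` (the `pkg:github/...` string), which CycloneDX treats as an opaque in-document identifier, so tools that match components by `purl` will not pick it up. Consider adding `"purl": "pkg:github/trustedfirmware-a/trusted-firmware-a@@VCS_TAG@",` next to `cpe`; the purl spec asks for the github namespace and name in lower case. The `cpe` string also takes its version field from `@VCS_TAG@` while `version` uses `@VCS_VERSION@`. If tags carry a prefix such as `v`, which is not visible here, the CPE will probably not match vulnerability-database entries, so `@VCS_VERSION@` may be the better substitution there. If the placeholders are replaced textually, the substituting step should also JSON-escape the values, because a quote or backslash in `@VCS_AUTHORS@` or `@VCS_SBOM_AUTHORS@` would produce an invalid document.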