I think most of the necessary SBOM information is held in the metadata in pkgsrc, so it's not that difficult to pull it out with the pkg_* tools.
On a completely different tangent, I've just added pkgsrc/pkgtools/depgraph which produces dependency graphs for a package, or a number of packages. This gives dependency information in graphical form (i.e. prerequisite), license information for each package, metadata for the machine the report is run on, and can output in standard format or in JSON (this is meant for the ingest engines and data analytics of larger places which just scoop that kind of data up), and could easily be used with the package metadata to produce SBOMs.
% depgraph clang
clang
|--libxml2
|----xmlcatmgr
|--llvm
|----libxml2
|------xmlcatmgr
|----python313
|------libffi
|------libuuid
|------mpdecimal
|------readline
|------sqlite3
|----zstd
|------lz4
|--perl
|--python313
|----libffi
|----libuuid
|----mpdecimal
|----readline
|----sqlite3
% depgraph -v -l clang
clang-19.1.7nb2 (apache-2.0)
|--libxml2-2.14.6nb2 (modified-bsd)
|----xmlcatmgr-2.2nb1 (modified-bsd)
|--llvm-19.1.7nb1 (apache-2.0)
|----libxml2-2.14.6nb2 (modified-bsd)
|------xmlcatmgr-2.2nb1 (modified-bsd)
|----python313-3.13.12 (python-software-foundation)
|------libffi-3.5.2 (mit)
|------libuuid-2.40.2 (modified-bsd)
|------mpdecimal-4.0.1 (2-clause-bsd)
|------readline-8.3nb1 (gnu-gpl-v3)
|------sqlite3-3.51.2 (public-domain)
|----zstd-1.5.7 (modified-bsd OR gnu-gpl-v2)
|------lz4-1.10.0 (2-clause-bsd)
|--perl-5.42.0nb1 (gnu-gpl-v2 OR artistic)
|--python313-3.13.12 (python-software-foundation)
|----libffi-3.5.2 (mit)
|----libuuid-2.40.2 (modified-bsd)
|----mpdecimal-4.0.1 (2-clause-bsd)
|----readline-8.3nb1 (gnu-gpl-v3)
|----sqlite3-3.51.2 (public-domain)
% depgraph -a -j clang
{"Report version":"20260309","metadata":"NetBSD agc-vm-20250222.localdomain 11.99.5 NetBSD 11.99.5 (GENERIC64) #0: Sun Mar 8 23:54:17 PDT 2026 agc@agc-vm-20250222.localdomain:/usr/build/obj/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm","date":"Wed Mar 11 22:36:11 UTC 2026","localbase":"/usr/pkg","uptime":" 3:36PM up 2 days, 2:53, 5 users, load averages: 0.03, 0.04, 1.02"}{"package":"clang-19.1.7nb2","license":"apache-2.0","prereq0":{"package":"libxml2-2.14.6nb2","license":"modified-bsd","prereq0":{"package":"xmlcatmgr-2.2nb1","license":"modified-bsd"}},"prereq1":{"package":"llvm-19.1.7nb1","license":"apache-2.0","prereq0":{"package":"libxml2-2.14.6nb2","license":"modified-bsd","prereq0":{"package":"xmlcatmgr-2.2nb1","license":"modified-bsd"}},"prereq1":{"package":"python313-3.13.12","license":"python-software-foundation","prereq0":{"package":"libffi-3.5.2","license":"mit"},"prereq1":{"package":"libuuid-2.40.2","license":"modified-bsd"},"prereq2":
{"package":"mpdecimal-4.0.1","license":"2-clause-bsd"},"prereq3":{"package":"readline-8.3nb1","license":"gnu-gpl-v3"},"prereq4":{"package":"sqlite3-3.51.2","license":"public-domain"}},"prereq2":{"package":"zstd-1.5.7","license":"modified-bsd OR gnu-gpl-v2","prereq0":{"package":"lz4-1.10.0","license":"2-clause-bsd"}}},"prereq2":{"package":"perl-5.42.0nb1","license":"gnu-gpl-v2 OR artistic"},"prereq3":{"package":"python313-3.13.12","license":"python-software-foundation","prereq0":{"package":"libffi-3.5.2","license":"mit"},"prereq1":{"package":"libuuid-2.40.2","license":"modified-bsd"},"prereq2":{"package":"mpdecimal-4.0.1","license":"2-clause-bsd"},"prereq3":{"package":"readline-8.3nb1","license":"gnu-gpl-v3"},"prereq4":{"package":"sqlite3-3.51.2","license":"public-domain"}}}%
If we want, we could overload the data produced by depgraph with the hashes of any patches used in package building
% pkg_info -b clang
Information for clang-19.1.7nb2:
Build version:
lang/clang/DESCR: a5d0b1e908c6dbc44729dccac868d32b02e1c974c86eff4fb46f1e132c582b60
lang/clang/Makefile.common: d48c41ad8eedf4b307d024c76da8727542e09e76c5b3c8bcfe01dd9055251292
lang/clang/Makefile: bed45ff954559339ffea51dedaec97d34824d3ceb26c0d48d7efb41fede63abb
lang/clang/PLIST.Darwin: b851447ad202ff2846bfead0a0e4d90d2e06442d46ba3aabdd1339f2e4b28b64
lang/clang/PLIST: 761a0bb80ee4d2ff179f9f6cb48f56a947b98fa7c958615be2e6e31fac395a89
lang/clang/buildlink3.mk: 2664ed8ea061bdccbdf4a9014da2c274be977ee1c85e4a8d4bd6a86b952d6f09
lang/clang/distinfo: 45f155504e86d1f9a4323e978ca19ed3246c0f0502072b6d7b54e46b7d34b772
lang/clang/patches/patch-lib_Basic_Targets_OSTargets.h: d02044b5704f280fa77a791d43e6ddac34cb2bc538d8811e2319be03f4cfb8f9
lang/clang/patches/patch-lib_Driver_ToolChain.cpp: 9159c5f397cdfc6e8b6b125abb34f8303ae0f8044882dd60e18fc7c9c0be2cce
lang/clang/patches/patch-lib_Driver_ToolChains_Gnu.cpp: f3452530bddca17d86361fbdf66973042674fd1f11ca89c1ca0cf528b2caf733
lang/clang/patches/patch-lib_Interpreter_IncrementalParser.cpp: 0affc5f8e8701a1bacbc98af91f30f5b9cacdda581788a57cad79ae8a3d04810
or the compiler used, the environment etc. (they're all available with pkg_info -B), but for me, that's overkill right now, and I'm not really willing to overburden a small script just to duplicate that kind of information - bloat and duplication of information isn't very appealing to me.
As for the base system, the hashes of all the base system files are kept on the machine at installation or update time, so the base system seems to be a fair bit along in this process too. I suppose we could make more effort to store license info with the set lists, but that information is held in other places too, and I'm really wary of duplicating things like that.
% l /etc/mtree
total 8178
drwxr-xr-x 2 root wheel 512 Mar 9 12:38 .
drwxr-xr-x 30 root wheel 2560 Mar 9 12:39 ..
-r--r--r-- 1 root wheel 69428 Feb 1 16:02 NetBSD.dist
-r--r--r-- 1 root wheel 825949 Mar 8 23:58 set.base
-r--r--r-- 1 root wheel 3108319 Mar 8 23:58 set.comp
-r--r--r-- 1 root wheel 81701 Jan 18 19:34 set.dtb
-r--r--r-- 1 root wheel 48310 Feb 1 17:19 set.etc
-r--r--r-- 1 root wheel 46832 Mar 8 23:58 set.games
-r--r--r-- 1 root wheel 109885 Mar 8 23:58 set.gpufw
-r--r--r-- 1 root wheel 443337 Mar 8 23:58 set.man
-r--r--r-- 1 root wheel 450401 Mar 8 23:58 set.manhtml
-r--r--r-- 1 root wheel 97081 Mar 8 23:58 set.misc
-r--r--r-- 1 root wheel 70066 Mar 8 23:58 set.modules
-r--r--r-- 1 root wheel 22866 Mar 8 23:58 set.rescue
-r--r--r-- 1 root wheel 933748 Mar 8 23:58 set.tests
-r--r--r-- 1 root wheel 93128 Mar 8 23:58 set.text
-r--r--r-- 1 root wheel 215189 Mar 8 23:58 set.xbase
-r--r--r-- 1 root wheel 672079 Mar 8 23:58 set.xcomp
-r--r--r-- 1 root wheel 14337 Mar 8 23:58 set.xetc
-r--r--r-- 1 root wheel 808136 Mar 8 23:58 set.xfont
-r--r--r-- 1 root wheel 16078 Mar 8 23:58 set.xserver
-r--r--r-- 1 root wheel 20275 Feb 21 2025 special
%
From what I could see, though, most of the detailed information required for the CRA is guesswork right now, so please let me know if I've overlooked something.
Thanks,
Alistair
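The post says the depgraph JSON "could easily be used with the package metadata to produce SBOMs". The following is an added example of that step, not code from the post, from pkgsrc or from depgraph: it reads the `depgraph -a -j` stream shown above and emits a CycloneDX 1.5 SBOM. Two details of the output shape matter and are handled here: the `-a` machine-metadata object is emitted immediately before the package object with no separator (`}{`), so `json.loads()` rejects it and `raw_decode()` is needed; and a package reached by several paths (`libxml2`, `python313`) must be deduplicated into one component while keeping every edge. The PKGNAME split (base at the last `-` that precedes a digit, version containing no `-`), the treatment of pkgsrc license names as CycloneDX `name` entries rather than SPDX ids, and the `pkgsrc:*` property names are this example's own assumptions. The sample input is trimmed from the clang output in the post.

```python
"""Convert `depgraph -a -j` output into a CycloneDX 1.5 JSON SBOM.

Added example, not part of pkgsrc or the depgraph tool. Assumes the output
shape shown in the post: an optional machine-metadata object followed
directly (no separator) by one object per package, with prereqN keys for
dependencies and a pkgsrc license string in "license".
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample, trimmed from the `depgraph -a -j clang` output in the post.
SAMPLE = (
    '{"Report version":"20260309","metadata":"NetBSD agc-vm-20250222.localdomain 11.99.5",'
    '"date":"Wed Mar 11 22:36:11 UTC 2026","localbase":"/usr/pkg"}'
    '{"package":"clang-19.1.7nb2","license":"apache-2.0",'
    '"prereq0":{"package":"libxml2-2.14.6nb2","license":"modified-bsd",'
    '"prereq0":{"package":"xmlcatmgr-2.2nb1","license":"modified-bsd"}},'
    '"prereq1":{"package":"llvm-19.1.7nb1","license":"apache-2.0",'
    '"prereq0":{"package":"libxml2-2.14.6nb2","license":"modified-bsd",'
    '"prereq0":{"package":"xmlcatmgr-2.2nb1","license":"modified-bsd"}},'
    '"prereq1":{"package":"zstd-1.5.7","license":"modified-bsd OR gnu-gpl-v2",'
    '"prereq0":{"package":"lz4-1.10.0","license":"2-clause-bsd"}}},'
    '"prereq2":{"package":"perl-5.42.0nb1","license":"gnu-gpl-v2 OR artistic"}}'
)

# Assumption: PKGNAME is <base>-<version>, the version starts with a digit
# and contains no '-', so split at the last '-' that is followed by a digit.
_PKGNAME = re.compile(r"^(?P<base>.+)-(?P<version>\d[^-]*)$")


def split_pkgname(pkgname: str) -> Tuple[str, str]:
    m = _PKGNAME.match(pkgname)
    if not m:
        raise ValueError(f"not a pkgsrc PKGNAME: {pkgname}")
    return m.group("base"), m.group("version")


def decode_stream(text: str) -> List[dict]:
    """Parse back-to-back JSON objects; json.loads() rejects the '}{' join."""
    dec = json.JSONDecoder()
    objs, pos, text = [], 0, text.strip()
    while pos < len(text):
        obj, pos = dec.raw_decode(text, pos)
        objs.append(obj)
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return objs


def license_entries(raw: str) -> List[dict]:
    """pkgsrc license strings are names, not SPDX ids, so emit 'name' entries.
    'A OR B' / 'A AND B' become separate entries; the operator is preserved
    in a component property (see below) rather than guessed as SPDX."""
    parts = re.split(r"\s+(?:OR|AND)\s+", raw.strip())
    return [{"license": {"name": p}} for p in parts if p]


def iso_timestamp(raw):
    """depgraph prints a date(1)-style timestamp; CycloneDX wants ISO 8601."""
    try:
        dt = datetime.strptime(raw, "%a %b %d %H:%M:%S %Z %Y")
    except (TypeError, ValueError):
        return None
    if " UTC " in raw:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.isoformat()


def _walk(node: dict, comps: Dict[str, dict], edges: Dict[str, Set[str]], seen: Set[str]) -> None:
    ref = node["package"]
    if ref in seen:  # same subtree reached by another path (e.g. libxml2 under clang and llvm)
        return
    seen.add(ref)
    base, version = split_pkgname(ref)
    comps[ref] = {
        "type": "library", "bom-ref": ref, "name": base, "version": version,
        "licenses": license_entries(node["license"]),
        "properties": [{"name": "pkgsrc:license", "value": node["license"]}],
    }
    children = sorted((k for k in node if k.startswith("prereq")), key=lambda k: int(k[6:]))
    edges[ref] = {node[k]["package"] for k in children}
    for k in children:
        _walk(node[k], comps, edges, seen)


def depgraph_to_cyclonedx(text: str) -> dict:
    objs = decode_stream(text)
    meta = next((o for o in objs if "Report version" in o), {})
    comps: Dict[str, dict] = {}
    edges: Dict[str, Set[str]] = {}
    for root in (o for o in objs if "package" in o):
        _walk(root, comps, edges, set())
    props = [{"name": f"pkgsrc:{k}", "value": str(meta[k])} for k in ("localbase", "metadata") if k in meta]
    metadata = {"properties": props}
    ts = iso_timestamp(meta.get("date"))
    if ts:
        metadata["timestamp"] = ts
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": metadata,
        "components": [comps[r] for r in sorted(comps)],
        "dependencies": [{"ref": r, "dependsOn": sorted(edges[r])} for r in sorted(edges)],
    }


if __name__ == "__main__":
    print(json.dumps(depgraph_to_cyclonedx(SAMPLE), indent=1))
```

When feeding real output, pipe `depgraph -a -j pkg | python3 this.py`; the trailing `%` visible at the end of the pasted JSON in the post is the shell prompt printed after output that lacks a final newline, not part of the data, and `decode_stream()` will reject it if it is pasted along. The `dependencies` section carries the full edge list even though each package appears once under `components`, which is what an ingest engine needs to answer "what does clang pull in, transitively" without re-walking the tree.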