Add CycloneDX SBOM and generation script

- Add sbom/sbom.cdx.json generated via Syft - Add scripts/gen-sbom.sh for regenerating SBOM - Add sbom/README.md with disclaimer - Update .gitignore to track gen-sbom.sh
2026-01-27 01:45:42 +00:00
parent f6f7f1b551
commit 55de32d925
4 changed files with 31 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -285,6 +285,7 @@ docs/apps/linkdin/debug*/
 docs/apps/linkdin/samples/insights/*

 scripts/
+!scripts/gen-sbom.sh


 # Databse files
--- a/sbom/README.md
+++ b/sbom/README.md
@@ -0,0 +1,13 @@
+# Software Bill of Materials (SBOM)
+
+This directory contains the CycloneDX SBOM for the project.
+
+## Disclaimer
+
+This SBOM is generated on a best-effort basis from project metadata and reflects dependencies at the time of generation. It is not a guarantee of completeness or accuracy.
+
+## Regenerating
+
+```bash
+./scripts/gen-sbom.sh
+```
--- a/sbom/sbom.cdx.json
+++ b/sbom/sbom.cdx.json
--- a/scripts/gen-sbom.sh
+++ b/scripts/gen-sbom.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Generate CycloneDX JSON SBOM using Syft
+# Output: sbom.cdx.json in project root
+
+cd "$(dirname "$0")/.."
+
+if ! command -v syft &> /dev/null; then
+    echo "Error: syft is not installed. Install from https://github.com/anchore/syft" >&2
+    exit 1
+fi
+
+syft . -o cyclonedx-json=sbom/sbom.cdx.json
+
+echo "SBOM generated: sbom/sbom.cdx.json"