FuseSoC now supports SPDX for creating SBOMs, making it the first FPGA/ASIC IP management system with native SBOM capabilities. This advancement is crucial for supply chain security in FPGA device products and is essential for CRA compliance.
Open source software is key to modern software creation. With its increasing importance, the need grows to track open source parts and their versions in a project. This is needed both to ensure that the components comply with their licenses and that they don't contain any known security issues.
There are standardized ways of doing this analysis by creating an SBOM, Software Bill of Materials, or in some interpretations System Bill of Materials to indicate its applicability outside of traditional software development. The SBOM is essentially a detailed inventory that lists all the components in a piece of software. It typically includes the names, versions, and license information for all open source and proprietary pieces that make up the software, aiding in license compliance and vulnerability management.
The two leading SBOM standards are SPDX and CycloneDX, both having tools for automating the process of creating, visualizing or validating SBOM documents. Many software frameworks such as Yocto or Zephyr already contain built-in SPDX support, but up until now, there has been no such thing for chip design.
FuseSoC, being the world's most widely used package manager for IP cores, is in the perfect position to remedy this. With thousands of FuseSoC-compatible packages, it provides a solid foundation for product development. Built-in SPDX support will now also make it easier to ensure license compliance and perform vulnerability scanning for FPGA-based products.
[Figure: Visualization of an SBOM generated by FuseSoC]
The SPDX generation support in FuseSoC is implemented as a filter and can be enabled, like other filters, on the command-line or by registering it in the relevant core file targets or FuseSoC configuration file. The example above was generated by running
```
fusesoc run --target=verilator_tb --filter=spdxgen servant
```
In addition to SPDX generation, FuseSoC now supports the PURL standard for a unified way to reference FuseSoC packages, or cores as we call them in this domain. The PURL standard provides a standardized mapping between package names and a URI. For FuseSoC this means that the VLNV identifiers get translated to pkg:fusesoc/vendor/library/name@version
For example, the currently latest version of the award-winning SERV, the world's smallest RISC-V CPU, has the VLNV identifier award-winning:serv:serv:1.4.0 which becomes pkg:fusesoc/award-winning/serv/serv@1.4.0. The PURL is used within the SPDX nodes to uniquely refer to an IP core.
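To make the two pieces above concrete, here is an added example (written for this page, not FuseSoC's own spdxgen filter code) that applies the VLNV-to-PURL mapping just described in both directions and then emits a minimal SPDX 2.3 JSON document in which each core is a package carrying its PURL as a package-manager external reference, which is what a vulnerability scanner matches on. The handling of an empty vendor or library field (omitting it from the PURL namespace), the SPDXID derivation, the document namespace and the dependency core names are assumptions or constructed values, not taken from FuseSoC.

```python
"""Added example (not FuseSoC code): VLNV <-> PURL mapping and a minimal SPDX 2.3 SBOM."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote, unquote

PURL_TYPE = "fusesoc"  # PURL type shown on the page: pkg:fusesoc/vendor/library/name@version


def vlnv_to_purl(vlnv: str) -> str:
    """Translate a FuseSoC VLNV (vendor:library:name:version) to a PURL.

    Each segment is percent-encoded as the PURL spec requires. Assumption (not
    stated on the page): an empty vendor or library is omitted from the namespace.
    """
    parts = vlnv.split(":")
    if len(parts) != 4:
        raise ValueError(f"VLNV must have four ':'-separated fields: {vlnv!r}")
    vendor, library, name, version = parts
    if not name or not version:
        raise ValueError(f"VLNV needs both a name and a version: {vlnv!r}")
    namespace = "/".join(quote(s, safe="") for s in (vendor, library) if s)
    head = f"pkg:{PURL_TYPE}/" + (f"{namespace}/" if namespace else "")
    return f"{head}{quote(name, safe='')}@{quote(version, safe='')}"


def purl_to_vlnv(purl: str) -> str:
    """Inverse of vlnv_to_purl: accepts the full namespace form or the namespace-less form."""
    prefix = f"pkg:{PURL_TYPE}/"
    if not purl.startswith(prefix) or "@" not in purl:
        raise ValueError(f"not a {PURL_TYPE} PURL: {purl!r}")
    path, version = purl[len(prefix):].rsplit("@", 1)
    segments = [unquote(s) for s in path.split("/")]
    if len(segments) == 3:          # vendor/library/name
        vendor, library, name = segments
    elif len(segments) == 1:        # name only: vendor and library were empty
        vendor, library, name = "", "", segments[0]
    else:                           # a single namespace segment is ambiguous, reject it
        raise ValueError(f"cannot map PURL path back to a VLNV: {path!r}")
    return f"{vendor}:{library}:{name}:{unquote(version)}"


def _package(vlnv: str) -> dict:
    """One SPDX Package element per core; the PURL rides in externalRefs."""
    vendor, library, name, version = vlnv.split(":")
    # SPDXIDs may only contain letters, digits, '.' and '-' (assumed derivation, not FuseSoC's)
    raw_id = "-".join(p for p in (vendor, library, name, version) if p)
    spdx_id = "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", raw_id)
    return {
        "SPDXID": spdx_id,
        "name": name,
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "licenseConcluded": "NOASSERTION",  # a real generator fills this from the core file
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": vlnv_to_purl(vlnv),
        }],
    }


def build_spdx_document(root_vlnv: str, dependency_vlnvs: list, doc_name: str = "fusesoc-sbom") -> dict:
    """Minimal SPDX 2.3 JSON: the document DESCRIBES the root core, which DEPENDS_ON each dependency."""
    packages = [_package(v) for v in [root_vlnv, *dependency_vlnvs]]
    root_id = packages[0]["SPDXID"]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": root_id}]
    relationships += [{"spdxElementId": root_id,
                       "relationshipType": "DEPENDS_ON",
                       "relatedSpdxElement": p["SPDXID"]} for p in packages[1:]]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": f"https://example.invalid/spdx/{doc_name}",  # placeholder namespace
        "creationInfo": {
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: vlnv-purl-example"],
        },
        "packages": packages,
        "relationships": relationships,
    }


def purls_in(doc: dict) -> list:
    """Collect every PURL locator in the document, the list a scanner would match against advisories."""
    return [ref["referenceLocator"] for pkg in doc["packages"]
            for ref in pkg.get("externalRefs", []) if ref["referenceType"] == "purl"]


if __name__ == "__main__":
    # Constructed dependency VLNV; the SERV one is the page's example
    doc = build_spdx_document("award-winning:serv:serv:1.4.0", ["example:peripherals:uart:0.1.0"])
    print(json.dumps(doc, indent=2))
```

The round trip matters for a defender: if a scanner reports a finding against a PURL, purl_to_vlnv gives back the exact core name to look up in the FuseSoC library, and the namespace-less form is rejected only when it would be ambiguous.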
So if you needed another reason to start using FuseSoC, you got one right here. Enjoy!
The work on adding SPDX support for FuseSoC was sponsored by NLNet Foundation and Qamcom.

