Software Bill of Materials in Embedded Development
Jaakkola, Jukka-Pekka (2026)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of this publication is
https://urn.fi/URN:NBN:fi:amk-202601312095
Abstract
The objective of this final year project was to help the software development team of ABB meet the new regulatory requirements set by the Cyber Resilience Act (CRA). One of these requirements, and the topic of this project, is the requirement to maintain a Software Bill of Materials (SBOM) for digital products. An SBOM is a document in a standard format that describes a software application and its third-party software components in detail.
Regulatory requirements, formats, and the structure of an SBOM were studied and analyzed first. Government bodies, for example in the USA and Germany, have published guidelines and recommendations for SBOMs. These formed the baseline requirements for the structure of an SBOM and the information it should contain.
The main goal of the project was to study the existing processes and tools commonly used to generate an SBOM, and how suitable they are for embedded development in the C++ programming language. Unfortunately, the existing tools in this area do not work well with legacy languages; therefore, this project explored alternative methods of generating an accurate SBOM that would work well in the embedded field.
Based on this project, an example process and example tools were adopted for one software project. This serves as an example of how to generate an accurate SBOM in embedded development, where the tools traditionally used to generate an SBOM are often insufficient and unreliable.
