Questions about SBOM of Chromium


Shuaike Dong

Jul 22, 2024, 4:53:49 PM
to Chromium-dev
Hello,

As supply chain security becomes increasingly important, I am looking for efficient and accurate methods to obtain the Software Bill of Materials (SBOM) for Chromium. During my research, I have explored a few methods:

  1. Extracting information from the insights tab of the Chromium mirror project on GitHub. However, this method only provides the latest version's information, which can be limiting. (I'm also not sure whether it produces compact results.)
  2. Using the `chrome://credits` webpage. Unfortunately, this page focuses more on the copyright aspects of open-source components rather than security-related information.
  3. Considering whether the GN build system can automatically generate SBOM information.

I'm seeking insights and suggestions on more effective ways to obtain comprehensive SBOM data for Chromium. Has anyone found a reliable solution or tool that addresses these needs? Your input would be greatly appreciated.

Joe Mason

Jul 23, 2024, 2:10:42 PM
to dsk9...@gmail.com, Chromium-dev
For a public chromium browser, you should be able to extract this from the source code. I would write a script instead of using GN:

chrome://version includes a "revision" tag that points to the specific revision at https://chromium.googlesource.com/chromium/src.git. For instance, my copy of Chrome is 128.0.6601.2 - dev channel - and revision is 4c4607abed17994cab05006cc3a0d69f77e99dc5-refs/branch-heads/6601@{#5}. That's https://chromium.googlesource.com/chromium/src.git/+/4c4607abed17994cab05006cc3a0d69f77e99dc5, so start there.

The DEPS file in the root dir has a list of additional packages that are pulled in, in the "deps" section. Each has a source link and revision. Some of them are used as build tools and some are additional library source code that's downloaded into a subdir and used in the build. You could cross-reference with chrome://credits to verify which deps are included in the build, and then use the DEPS file to find their version.

There's also a "recursedeps" section listing subdirs that have their own DEPS files which can be parsed in a similar way.

Some of the deps are toggled on and off by variables in the "vars" section, which build machines use to choose a build configuration, so you'd also need to know what vars are set when the package is produced. And for Google-branded Chrome builds (and similar chromium-based browsers like Edge), some of those deps will point at internal repos that aren't published, so you wouldn't be able to see the versions of any of those components beyond what's published in chrome://credits. (Examples are licensed video codecs.) But for something like the fully open-source chromium package produced by a Linux distro, the build vars should be published somewhere, and none of the non-public deps would be enabled.

Chromium actually now uses git submodules to download source code, instead of getting them directly from DEPS, but there's a safety check to be sure the revision specified in DEPS matches the revision from submodules. (I forget if it's part of the build or a presubmit.) I don't think there's any plan to remove the revision data from DEPS, but I don't work in that area so not 100% sure.

Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/84f55c72-7a0a-45a6-9ffd-e0be2250d624n%40chromium.org.
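Joe's procedure above (start from the pinned revision, read the "deps" section, follow "recursedeps", and apply the "vars" the build was produced with) as an added worked example; this is not code from the thread, from Chromium or from gclient. The DEPS text is constructed to mimic the real file's shape, with made-up URLs, package names and revisions; the `Dep` record, the `flatten`/`to_cyclonedx` helpers and the exec()-based loader are this example's own choices, and gclient itself evaluates DEPS with a stricter, restricted evaluator.

```python
"""Flatten a gclient-style DEPS file into SBOM-ready records (added example)."""
import json
from dataclasses import dataclass

# Constructed sample: same shape as chromium/src DEPS (vars, Var(), '@'-pinned
# git URLs, 'condition' strings, cipd packages, recursedeps); every URL,
# package name and revision below is made up.
SAMPLE_DEPS = r'''
vars = {
  'chromium_git': 'https://chromium.googlesource.com',
  'checkout_android': False,
  'checkout_src_internal': False,
  'libpng_revision': '0123456789abcdef0123456789abcdef01234567',
}
deps = {
  'src/third_party/libpng/src':
    Var('chromium_git') + '/chromium/deps/libpng.git' + '@' + Var('libpng_revision'),
  'src/third_party/android_ndk': {
    'url': Var('chromium_git') + '/android_ndk.git@fedcba9876543210fedcba9876543210fedcba98',
    'condition': 'checkout_android',
  },
  'src-internal': {
    'url': 'https://chrome-internal.googlesource.com/chrome/src-internal.git@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
    'condition': 'checkout_src_internal',
  },
  'src/third_party/example_tool': {
    'packages': [{'package': 'chromium/third_party/example_tool/${{platform}}',
                  'version': 'version:2@3.1.4'}],
    'dep_type': 'cipd',
    'condition': 'not checkout_android',
  },
}
recursedeps = ['src/third_party/libpng/src']
'''


@dataclass(frozen=True)
class Dep:
    path: str           # checkout directory
    kind: str           # 'git' or 'cipd'
    source: str         # repo URL or cipd package name
    version: str        # git revision or cipd version tag; '' means unpinned
    condition: str      # '' when unconditional
    enabled: bool       # condition evaluated against the chosen vars
    has_own_deps: bool  # listed in recursedeps: parse <path>/DEPS the same way


class _Unset(dict):
    """vars namespace for condition eval: an unknown checkout_* flag reads as False."""
    def __missing__(self, key):
        return False


def load_deps(text, var_overrides=None):
    """Evaluate DEPS (Python syntax) and return its namespace.

    gclient uses a restricted evaluator; exec() is used here for brevity, so
    run this only on a DEPS you already trust. Var() resolves lazily against
    the file's own 'vars' dict; overrides (the build's configuration) win.
    """
    ns, overrides = {}, dict(var_overrides or {})

    def Var(name):
        return overrides[name] if name in overrides else ns['vars'][name]

    ns.update(Var=Var, Str=str)
    exec(compile(text, 'DEPS', 'exec'), ns)
    ns['vars'] = {**ns.get('vars', {}), **overrides}
    return ns


def flatten(text, var_overrides=None):
    """One Dep per git URL or cipd package, with its condition evaluated."""
    ns = load_deps(text, var_overrides)
    variables = _Unset(ns['vars'])
    recurse = set(ns.get('recursedeps', []))
    out = []
    for path, entry in ns.get('deps', {}).items():
        if isinstance(entry, str):
            entry = {'url': entry}
        cond = entry.get('condition', '')
        enabled = bool(eval(cond, {'__builtins__': {}}, variables)) if cond else True
        own = path in recurse
        if entry.get('dep_type') == 'cipd':
            for pkg in entry.get('packages', []):
                out.append(Dep(path, 'cipd', pkg['package'], pkg.get('version', ''), cond, enabled, own))
        else:
            repo, sep, rev = entry['url'].rpartition('@')
            if not sep:  # no '@': unpinned; record it as such rather than guess a revision
                repo, rev = entry['url'], ''
            out.append(Dep(path, 'git', repo, rev, cond, enabled, own))
    return out


def to_cyclonedx(records, only_enabled=True):
    """Minimal CycloneDX 1.5 document with one 'library' component per enabled dep."""
    comps = []
    for d in records:
        if only_enabled and not d.enabled:
            continue
        c = {'type': 'library', 'bom-ref': d.path, 'name': d.source,
             'version': d.version or 'unpinned'}
        if d.kind == 'git':
            c['externalReferences'] = [{'type': 'vcs', 'url': d.source}]
        comps.append(c)
    return {'bomFormat': 'CycloneDX', 'specVersion': '1.5', 'version': 1, 'components': comps}


if __name__ == '__main__':
    recs = flatten(SAMPLE_DEPS)  # pass {'checkout_android': True} to see the NDK entry switch on
    for d in recs:
        flag = 'on ' if d.enabled else 'off'
        print(f"{flag} {d.kind:4} {d.path:32} {d.version[:12]:12}{' +DEPS' if d.has_own_deps else ''}")
    print(json.dumps(to_cyclonedx(recs), indent=1))
```

Run it with no arguments to list every entry, marking which are enabled under the default vars and which carry their own DEPS to recurse into; passing `{'checkout_android': True}` to `flatten` shows the conditional entries flip. The constructed `src-internal` entry stands in for the non-public deps Joe mentions: it stays disabled for an open-source configuration, and even when enabled its URL is not publicly fetchable, so the record exists but cannot be verified beyond what chrome://credits publishes. To cover a real checkout, run the same loader over each `recursedeps` path's own DEPS file and merge the records.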

Shuaike Dong

Jul 25, 2024, 8:06:42 PM
to Chromium-dev, Joe Mason, dsk9...@gmail.com
Thank you Joe! It's comprehensive guidance for generating an SBOM. I will try this.