Module sbom

CycloneDX SBOM emission — a build-time Software Bill of Materials for a compiled ELF. Companion to safety_manifest.rs: where the safety manifest records how the binary is hardened, the SBOM records what went into it.

§Scope

synth is a compiler, not a linker, so this is a build SBOM — it documents the compilation transaction, not a transitive dependency graph:

  • metadata.tools — the synth compiler itself (“what built it”).
  • the input WASM module — a component with SHA-256 + byte size.
  • the output ELF binary — a component with SHA-256, size, target triple, and the backend that produced it.
  • the WASM module’s imports — each imported function/module/memory/etc. becomes a component, and the output ELF dependsOn each of them. This is the closest synth can get to “what’s in the software” without a full linker view.

Explicitly NOT in scope: full transitive scanning of the WASM module, AIBOM/ML-BOM. See docs/sbom.md.

§rivet #107 linkage

The emitted document is CycloneDX 1.5 JSON. The sibling PulseEngine repo rivet (issue #107) defines an sbom-record artifact type that ingests a CycloneDX SBOM:

- id: SBOM-vehicle-control-v1
  type: sbom-record
  format: cyclonedx
  sbom-ref: "sbom/vehicle-control-v1.0.0.cdx.json"
  component-count: 142

The file synth writes here is exactly what rivet import --format cyclonedx consumes, becoming one sbom-record in the rivet traceability chain.

§Determinism

For a fixed set of inputs the document is byte-stable except for metadata.timestamp, which is wall-clock by design (a CycloneDX SBOM records when the build happened). The serialNumber is derived deterministically from the output ELF’s SHA-256, so it too is stable for a given binary.

Path convention: when the compiler emits foo.elf, the SBOM is written to foo.cdx.json next to it.
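The document shape described under Scope and Determinism, worked through end to end as an added example. This is not synth's code (the project is Rust; the example is Python so it runs stand-alone with only the standard library). Everything not stated on the page is an assumption: the UUIDv5 derivation of serialNumber from the ELF SHA-256 under a fixed namespace, the bom-ref scheme (input:/output:/import:), the synth:* property names, the tool version string, and the sample WASM/ELF bytes and imports, which are constructed. The consumer-side verify_hashes check is included because a build SBOM is only useful to a rivet chain if the recorded hashes still match the artifacts being imported.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone
from pathlib import PurePath

# Hypothetical fixed namespace: the page says serialNumber is derived
# deterministically from the output ELF's SHA-256, not how. UUIDv5 is assumed.
SERIAL_NAMESPACE = uuid.UUID("0f7e1c2a-3b4d-4e5f-8a9b-0c1d2e3f4a5b")

# Constructed sample inputs (not real artifacts).
WASM_NAME = "vehicle-control.wasm"
WASM_BYTES = b"\x00asm\x01\x00\x00\x00" + b"constructed wasm body"
ELF_NAME = "vehicle-control.elf"
ELF_BYTES = b"\x7fELF" + b"constructed elf body"
IMPORTS = [("wasi_snapshot_preview1", "fd_write", "function"),
           ("env", "memory", "memory")]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def now_rfc3339() -> str:
    """RFC-3339 UTC timestamp for now, e.g. 2026-05-21T10:30:00Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sbom_path_for(elf_path: str) -> str:
    """Path convention from the page: foo.elf -> foo.cdx.json next to it."""
    p = PurePath(elf_path)
    return str(p.with_name(p.stem + ".cdx.json"))


def _component(ref, name, ctype, data=None, props=None):
    """One CycloneDX component; hashes/size only when we hold the bytes."""
    comp = {"bom-ref": ref, "type": ctype, "name": name}
    if data is not None:
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(data)}]
        comp["properties"] = [{"name": "synth:size", "value": str(len(data))}]
    if props:
        comp.setdefault("properties", []).extend(
            {"name": k, "value": v} for k, v in props)
    return comp


def build_sbom(wasm_name, wasm_bytes, elf_name, elf_bytes,
               target_triple, backend, imports, timestamp=None):
    """Tool + input WASM + output ELF + imports, with ELF dependsOn imports."""
    elf_hash = sha256_hex(elf_bytes)
    wasm_ref, elf_ref = f"input:{wasm_name}", f"output:{elf_name}"
    import_refs = [f"import:{mod}/{field}" for mod, field, _ in imports]
    components = [
        _component(wasm_ref, wasm_name, "file", wasm_bytes),
        _component(elf_ref, elf_name, "application", elf_bytes,
                   [("synth:target", target_triple), ("synth:backend", backend)]),
    ] + [
        _component(ref, f"{mod}::{field}", "library", None,
                   [("synth:import-kind", kind)])
        for ref, (mod, field, kind) in zip(import_refs, imports)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid5(SERIAL_NAMESPACE, elf_hash)}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp or now_rfc3339(),  # wall-clock by design
            "tools": [{"vendor": "PulseEngine", "name": "synth",
                       "version": "0.0.0-example"}],  # hypothetical version
        },
        "components": components,
        "dependencies": [{"ref": elf_ref, "dependsOn": import_refs}],
    }


def stable_bytes(sbom) -> bytes:
    """Canonical bytes minus metadata.timestamp: the part that must be
    byte-for-byte identical across builds of the same inputs."""
    doc = json.loads(json.dumps(sbom))
    doc["metadata"].pop("timestamp", None)
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def verify_hashes(sbom, artifacts):
    """Consumer-side check before ingesting the SBOM: recompute SHA-256 for each
    component whose bytes are supplied; return bom-refs whose recorded hash
    no longer matches (empty list means the SBOM still describes the files)."""
    bad = []
    for comp in sbom["components"]:
        data = artifacts.get(comp["bom-ref"])
        if data is None:
            continue
        recorded = {h["content"] for h in comp.get("hashes", [])
                    if h["alg"] == "SHA-256"}
        if sha256_hex(data) not in recorded:
            bad.append(comp["bom-ref"])
    return bad


if __name__ == "__main__":
    sbom = build_sbom(WASM_NAME, WASM_BYTES, ELF_NAME, ELF_BYTES,
                      "aarch64-unknown-none", "cranelift", IMPORTS)
    print(sbom_path_for(ELF_NAME))
    print(json.dumps(sbom, indent=2, sort_keys=True))
    print("mismatches:", verify_hashes(sbom, {f"output:{ELF_NAME}": ELF_BYTES}))
```

Building the document twice with different timestamps yields identical stable_bytes and the same serialNumber, while changing a single byte of the ELF changes the serialNumber; that is the determinism property the page describes, made checkable.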

Structs§

Component
A CycloneDX component.
CycloneDxSbom
A complete CycloneDX 1.5 SBOM document.
Dependency
A CycloneDX dependencies graph node.
Hash
A CycloneDX hashes entry.
Property
A CycloneDX properties entry — a namespaced key/value pair.
SbomInputs
Inputs needed to construct a build SBOM. Grouped into a struct so the constructor signature stays readable as the SBOM scope grows.
SbomMetadata
CycloneDX metadata block.
Tool
CycloneDX metadata.tools entry — “what built it”.

Functions§

now_rfc3339
RFC-3339 UTC timestamp for “now”, e.g. 2026-05-21T10:30:00Z.