
Introducing SBOM Management

2 min read · Tags: CI/CD, HexDroid, OTA

We're excited to announce that HexDroid now supports Software Bill of Materials (SBOMs), empowering you with greater visibility and control over your software components.

A Software Bill of Materials (SBOM) serves as a comprehensive inventory of all components (e.g., dependencies) used to build a software artifact.

Commonly used, standardized SBOM formats include CycloneDX, SPDX and SWID. HexDroid does not restrict you to these: you can upload any standardized or proprietary format.

While SBOMs are often associated with regulatory compliance, their value goes far beyond that. They provide deep insight into what goes into each release and help ensure builds can be reliably reproduced.

[Image: AOSP SBOM example via AOSP pinned manifest]

Unlocking the Potential

Reproducible builds

SBOMs are foundational to reproducible builds. By documenting the exact versions of all components, you can recreate a build with complete confidence.

For example, in AOSP (Android Open Source Project) development, it's common to pin the SHA of each project in the manifest file. This allows you to resynchronize the repo tree at any time, ensuring all components match the pinned versions exactly.

When using HexDroid CI and HexDroid OTA Release, SBOMs for AOSP projects are automatically uploaded.
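A pinned manifest is only a reproducibility guarantee if every project in it is actually pinned to a commit SHA rather than a branch or tag name. The following check is an added example, not HexDroid's or AOSP's own code: it parses a constructed repo-manifest fragment (project names and SHAs are made up), lists each project as an SBOM component, and reports any project whose revision is not a full 40-hex commit SHA, including projects that silently inherit the branch from the `<default>` element.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape `repo manifest -r` produces. The project
# names and SHAs are illustrative placeholders, not real AOSP revisions.
PINNED_MANIFEST = """<manifest>
  <remote name="aosp" fetch="https://android.googlesource.com/" />
  <default remote="aosp" revision="main" />
  <project name="platform/build" path="build/make"
           revision="0123456789abcdef0123456789abcdef01234567" />
  <project name="platform/frameworks/base" path="frameworks/base"
           revision="89abcdef0123456789abcdef0123456789abcdef" />
  <project name="platform/external/example" path="external/example"
           revision="refs/heads/main" />
  <project name="platform/system/core" path="system/core" />
</manifest>
"""

# A revision is reproducible only if it is a full commit SHA.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def manifest_components(xml_text):
    """Return [(name, path, revision)] for every <project> in the manifest.

    Projects without an explicit revision inherit the <default> revision,
    exactly as the repo tool resolves them, so the inherited value is what
    ends up in the component list.
    """
    root = ET.fromstring(xml_text)
    default = root.find("default")
    default_rev = default.get("revision") if default is not None else None
    components = []
    for project in root.iter("project"):
        name = project.get("name")
        path = project.get("path", name)          # repo defaults path to name
        revision = project.get("revision", default_rev)
        components.append((name, path, revision))
    return components


def unpinned_projects(xml_text):
    """Names of projects whose revision is a branch/tag/ref, not a commit SHA."""
    return [
        name
        for name, _path, revision in manifest_components(xml_text)
        if revision is None or not FULL_SHA.match(revision)
    ]


if __name__ == "__main__":
    for name, path, revision in manifest_components(PINNED_MANIFEST):
        print(f"{name} ({path}) @ {revision}")
    bad = unpinned_projects(PINNED_MANIFEST)
    if bad:
        print("NOT reproducible, unpinned projects:", ", ".join(bad))
```

Run against a real `aosp_pinned_manifest.xml` before uploading it as the release SBOM; an empty `unpinned_projects` result is the property that lets a later `repo sync` recreate the same tree.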

Learn more about this feature

Enhanced Dependency Tracking

Tracking dependencies is crucial for both security and long-term maintainability.

For example, in Gradle (Android/JVM) projects, you can generate a dependency tree with: ./gradlew app:dependencies

You can then upload the output to HexDroid as an SBOM, giving you a complete snapshot of your project's dependencies for each release.
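The raw `dependencies` output is a tree with resolution arrows (`1.6.0 -> 1.7.0`), repeated-subtree markers (`(*)`) and local `project :lib` nodes, so two releases' reports are awkward to compare line by line. The parser below is an added example, not HexDroid's or Gradle's code: it flattens a constructed, trimmed report (coordinates are illustrative) into unique `group:artifact:resolvedVersion` entries and diffs two such snapshots, which is the per-release view the text describes. Behaviour beyond the page's single example, namely the `->`, `(*)`, `(c)`, `(n)` and `project` forms, follows the documented Gradle report format.

```python
import re

# Constructed excerpt of `./gradlew app:dependencies` output for one
# configuration. Coordinates and versions are made up for illustration.
GRADLE_TREE = """\
> Task :app:dependencies

------------------------------------------------------------
Project ':app'
------------------------------------------------------------

releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.core:core-ktx:1.12.0
|    +--- androidx.annotation:annotation:1.6.0 -> 1.7.0
|    \\--- org.jetbrains.kotlin:kotlin-stdlib:1.9.0
+--- project :lib
\\--- com.squareup.okhttp3:okhttp:4.12.0
     +--- com.squareup.okio:okio -> 3.6.0
     \\--- org.jetbrains.kotlin:kotlin-stdlib:1.9.0 (*)

(*) - Indicates repeated occurrences of a transitive dependency subtree.
"""

# A tree node line: optional "|" / indentation, then "+--- " or "\--- ".
NODE = re.compile(r"^[|\s]*[+\\]--- (.+)$")
# Trailing markers Gradle appends: (*) repeated, (c) constraint, (n) not resolved.
MARKERS = re.compile(r"\s\((?:\*|c|n)\)$")


def resolve_coordinate(text):
    """Turn one node's text into group:artifact:resolvedVersion, or None
    for local subprojects, which are not external components."""
    text = MARKERS.sub("", text.strip())
    if text.startswith("project "):
        return None
    if " -> " in text:
        # "g:a:declared -> resolved" or "g:a -> resolved": keep the resolved version.
        declared, resolved = text.split(" -> ", 1)
        group, artifact = declared.split(":")[:2]
        return f"{group}:{artifact}:{resolved}"
    return text


def parse_gradle_tree(output):
    """Flatten a Gradle dependency report into sorted, unique coordinates."""
    coords = set()
    for line in output.splitlines():
        match = NODE.match(line)
        if not match:
            continue  # task banner, headers, legend, blank lines
        coord = resolve_coordinate(match.group(1))
        if coord:
            coords.add(coord)
    return sorted(coords)


def sbom_diff(before, after):
    """(added, removed) coordinates between two release snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return added, removed


if __name__ == "__main__":
    current = parse_gradle_tree(GRADLE_TREE)
    print("\n".join(current))
    previous = ["androidx.core:core-ktx:1.11.0"] + current[2:]
    print("added:", sbom_diff(previous, current)[0])
    print("removed:", sbom_diff(previous, current)[1])
```

Resolved rather than declared versions are the ones that ship, so they are what a vulnerability lookup or a release-to-release diff should key on; the `(*)` entries are deduplicated because they repeat a subtree already listed.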

[Image: Gradle SBOM example via the dependencies command]

Integrations

HexDroid CI/CD

HexDroid CI/CD makes it simple to attach SBOMs to your releases. Here's an example configuration:

steps:
  - release:
      meta: # omitted for brevity
      sboms:
        - sbom:
            type: "app_dependencies"
            value:
              type: exec
              command: ./gradlew app:dependencies

HexDroid will run the command and attach its output as your release's SBOM automatically.

HexDroid CLI

You can also upload SBOMs using the HexDroid CLI:

From standard input:

./gradlew app:dependencies | java -jar hexdroid-cli.jar ota add-sbom --stdin --versionCode=1 --target=smart_oven --type="gradle"

Or from a file:

java -jar hexdroid-cli.jar ota add-sbom --versionCode=1 --target=smart_oven --file=/build/aosp/aosp_pinned_manifest.xml --type="aosp_manifest"

Get Started

🚀 Get Started: SBOM Documentation.