June 26, 2025

Commissioned by the Sovereign Tech Agency, the Foundation is pleased to share that work began in April 2025 on a new project to enable Software Bills of Materials (SBOMs) for FreeBSD. This effort is part of a broader set of five strategic initiatives focused on advancing Zero Trust builds, SBOM adoption, CI/CD automation, enhanced security in Ports and Packages, and reducing technical debt.

The project runs from April to December 2025, aiming to improve existing and implement new tooling and processes for FreeBSD SBOMs.

SBOMs are becoming an industry standard for improving visibility of the “software supply chain” for codebases. This visibility can enable efforts to:

  • Improve relationships with and support for upstream projects and the overall open source ecosystem.
  • Understand and respond to security risks in the supply chain.
  • Understand and manage licence compliance in the supply chain.

The FreeBSD Project will also benefit from taking a rigorous, structured approach to understanding its dependencies, their ownership and maintenance, which an SBOM would help to deliver.

Goals of the project include:

  • Develop tooling that merges individual provenance data and markers from the entire tree into a comprehensive overview.
  • Develop tooling to parse, review and inspect the FreeBSD source tree and produce a comprehensive, holistic report to act as an SBOM for the full software stack.
  • Extend pkg to enable this capability for software installed from packages and ports.
  • Enable the Project to produce an SBOM for any build through CI.
  • Have the Project produce an SBOM for each release as a release artifact.


The Foundation has received feedback from enterprise users expressing a clear need for SBOMs across all parts of their software supply chain. This demand is being driven largely by emerging regulations in the U.S. and other regions.

To meet user needs, our goal is to produce SBOMs in a widely adopted, easily accessible format that requires no human intervention. To meet the FreeBSD Project’s needs, we must identify a long-term owner for the tooling and processes developed—and automate the system as much as possible.

As with all Foundation-managed projects, we will share periodic updates with the community as the project progresses. If you have questions, please let us know.