CycloneDX 1.5 SBOM Generator for Automation Studio 6 Projects

Hi everyone,

I’ve been exploring practical ways to improve software transparency for industrial automation projects, especially with growing expectations around compliance and traceability.

As a small engineering contribution, I put together a Python-based SBOM generator for B&R Automation Studio 6 projects.

It scans an AS6 project and produces CycloneDX 1.5 JSON SBOMs per configuration, using project metadata plus installation/runtime library information where available. Referencing all used B&R components.

What it currently does:

  • Reads project information from Logical, Physical, and APJ data
  • Generates one SBOM file per configuration
  • Supports optional export of additional technology and system libraries
  • Marks uncertain entries so they can be reviewed manually

Run on the included example:
python src/automation_sbom_parserV1.py example/Repro6

Important:
After generation, please search for “TO BE CHECKED BY USER” in the SBOM and review/update those entries manually.

I would be very happy to get feedback from others:

  • Does it work well on your AS6 projects?
  • Any missing components or metadata you would expect?
  • Suggestions for AS4 compatibility and parser improvements are very welcome.

Feel free to check it out on br-automation-community/ASW6_Application_SBOM

Also check out CycloneDX 1.5 SBOM from SDM system dump - Share Info & Ideas / Code & Libraries - B&R Community for a different approach.

Best regards
Fabian

Thanks for supporting :+1:
@alexander.hefner @kovarj @werner1m @patricthysell

16 Likes

You make my day, thanks for sharing. Happy to be a member of the B&R Community together with all of you :slight_smile:

First impression:

  • just download python file ( I have already python installed on my PC)
  • in readme file there are syntax samples
  • select project and run script, in output window you have nice overview as well as path to SBOM report

For me, it worked out of the box without problem. well done.

1 Like

Hi,

just tried it: great, works like charm!
Thanks a lot for providing this!

BG Alex

Regarding your “TODO” list:

  1. Add robust path handling for Automation Studio 4 installation directories.

→ Registry “HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node” → BR_AS_AS…

Note that the registry key names are not quite correct (mixed up):

My topic about automatic install of upgrades in AS install directories

Thank you so much for this little neat script.

Just tested it on our current AS6 project, no errors, output looks fine.

For a TODO or request: Maybe the ability to manually set the output path? (but might be just me)

1 Like

Is it possible to use this tool for project developed with Automation Studio 4?

Hi,

not “out-of-the-box” as I know.
Unfortunately I’m not familiar with python, but as the project data and also the installation structure of AS4 and AS6 are quite similar, I could imagine that it would be possible by adapting/extending the script by your own (or maybe someone else?), as the sourcecode is available.

Best regards!

@fabian.pries can you help answer this question?

I wrote a script which analyzes (AS6 migration & SBOM export) all B&R project in several git repos.

SBOM was exported for most of them and I think <10% are AS6.

So: Yes

But it depends what you want to do with this SBOM… Some (hw module, AR, etc.) versions in B&R AS4 projects have letters in their ‘version’ → AFAIK many tools which use SBOM can only handle “correct versions” (like 1.2.3.4)

1 Like

Hi all,

currently the linked script is not able to work properly with AS4 projects.
There are some things missing. As Alexander Hefner wrote, the installation directory is similar, but not identical.

Initiallay I planned the next steps to have AS4 support but currently there was not really a demand for that.
You can open an issue on github and anyone can take care about it.

BR Fabian