I’ve been exploring practical ways to improve software transparency for industrial automation projects, especially with growing expectations around compliance and traceability.
As a small engineering contribution, I put together a Python-based SBOM generator for B&R Automation Studio 6 projects.
It scans an AS6 project and produces CycloneDX 1.5 JSON SBOMs per configuration, using project metadata plus installation/runtime library information where available. Referencing all used B&R components.
What it currently does:
Reads project information from Logical, Physical, and APJ data
Generates one SBOM file per configuration
Supports optional export of additional technology and system libraries
Marks uncertain entries so they can be reviewed manually
Run on the included example:
python src/automation_sbom_parserV1.py example/Repro6
Important:
After generation, please search for “TO BE CHECKED BY USER” in the SBOM and review/update those entries manually.
I would be very happy to get feedback from others:
Does it work well on your AS6 projects?
Any missing components or metadata you would expect?
Suggestions for AS4 compatibility and parser improvements are very welcome.
not “out-of-the-box” as I know.
Unfortunately I’m not familiar with python, but as the project data and also the installation structure of AS4 and AS6 are quite similar, I could imagine that it would be possible by adapting/extending the script by your own (or maybe someone else?), as the sourcecode is available.
I wrote a script which analyzes (AS6 migration & SBOM export) all B&R project in several git repos.
SBOM was exported for most of them and I think <10% are AS6.
So: Yes
But it depends what you want to do with this SBOM… Some (hw module, AR, etc.) versions in B&R AS4 projects have letters in their ‘version’ → AFAIK many tools which use SBOM can only handle “correct versions” (like 1.2.3.4)
currently the linked script is not able to work properly with AS4 projects.
There are some things missing. As Alexander Hefner wrote, the installation directory is similar, but not identical.
Initiallay I planned the next steps to have AS4 support but currently there was not really a demand for that.
You can open an issue on github and anyone can take care about it.