[GR-55715] Update SBOM documentation to include 'classpath' and 'expo…

…rt' options PullRequest: graal/18515
roberttoyonaga · Aug 8, 2024 · 2d0500c · 2d0500c
2 parents 67332a2 + 2154ec4
commit 2d0500c
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/docs/reference-manual/native-image/BuildOutput.md b/docs/reference-manual/native-image/BuildOutput.md
@@ -256,10 +256,14 @@ This data typically contains internal information for Native Image and should no
 This shows whether Java deserialization is included in the native executable or not.
 If not included, the attack surface of the executable is reduced as the executable cannot be exploited with attacks based on Java deserialization.
 
-#### <a name="glossary-embedded-sbom"></a>Embedded SBOM
-Number of components and the size of the embedded Software Bill of Materials (SBOM).
-Use `--enable-sbom` to include an SBOM in the native executable.
-For more information, see [Inspection Tool](InspectTool.md)
+#### <a name="glossary-sbom"></a><a name="glossary-embedded-sbom"></a>Software Bill of Material (SBOM)
+This section indicates whether a SBOM was assembled and in what ways it was stored. 
+The storage formats include: `embed`, which embeds the SBOM in the binary; `classpath`, which saves the SBOM to the classpath; and `export`, which includes the SBOM as a JSON build artifact. 
+Use `--enable-sbom` to activate this feature which defaults to the `embed` option. 
+When embedded, the SBOM size is displayed. 
+The number of components is always displayed.
+
+For more information, see [Software Bill of Materials](../../security/native-image.md).
 
 #### <a name="glossary-backwards-edge-cfi"></a>Backwards-Edge Control-Flow Integrity (CFI)
 Control-Flow Integrity (CFI) can be enforced with the experimental `-H:CFI=HW` option.

diff --git a/docs/security/native-image.md b/docs/security/native-image.md
@@ -23,8 +23,9 @@ Developers should run the `native-image` builder in a dedicated environment, suc
 
 ## Software Bill of Materials
 
-GraalVM Native Image can embed a Software Bill of Materials (SBOM) at build time to detect any libraries that may be susceptible to known security vulnerabilities.
-Native Image provides the `--enable-sbom` option to embed an SBOM into a native executable (only available in Oracle GraalVM).
+GraalVM Native Image can assemble a Software Bill of Materials (SBOM) at build time to detect any libraries that may be susceptible to known security vulnerabilities.
+Native Image provides the `--enable-sbom` option to embed an SBOM into a native executable (only available in Oracle GraalVM). 
+In addition to being embedded, the SBOM can be added to the classpath or exported as a JSON by using `--enable-sbom=classpath,export`. 
 
 The CycloneDX format is supported and the default. 
 To embed a CycloneDX SBOM into a native executable, pass the `--enable-sbom` option to the `native-image` command.