From eed3e6c2c83a9ad71bebb863e80e36c822bdd3e3 Mon Sep 17 00:00:00 2001 From: Mikko Rapeli Date: Mon, 10 Mar 2025 17:31:08 +0200 Subject: [PATCH] sbom.rst: how to disable SPDX generation Generating SPDX is enabled by default in poky but it can take a lot of build time resources so document how to disable it. (From yocto-docs rev: d26a3f2ed8f24e1b72f58ecb8b7cdba7007ba77b) Signed-off-by: Mikko Rapeli Signed-off-by: Antonin Godard (cherry picked from commit bcd58b7a9455fbb0ea5944089d663e327f0eb38f) Signed-off-by: Antonin Godard Signed-off-by: Steve Sakoman --- documentation/dev-manual/sbom.rst | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index b72bad1554..eba07b7832 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst @@ -24,12 +24,20 @@ users can read in standardized format. :term:`SBOM` information is also critical to performing vulnerability exposure assessments, as all the components used in the Software Supply Chain are listed. -The OpenEmbedded build system doesn't generate such information by default. -To make this happen, you must inherit the -:ref:`ref-classes-create-spdx` class from a configuration file:: +The OpenEmbedded build system doesn't generate such information by default, +though the `:term:`Poky` reference distribution has it enabled out of the box. + +To enable it, inherit the :ref:`ref-classes-create-spdx` class from a +configuration file:: INHERIT += "create-spdx" +In the `:term:`Poky` reference distribution, :term:`SPDX` generation does +consume some build time resources and thus if needed it can be disabled from a +:term:`configuration file`:: + + INHERIT:remove = "create-spdx" + Upon building an image, you will then get: - :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
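Review bot: Both added references to Poky carry a stray backtick before the role, in the added line "though the `:term:`Poky` reference distribution has it enabled out of the box." and again in "In the `:term:`Poky` reference distribution, :term:`SPDX` generation does". This leaves the reStructuredText role markup malformed, so drop the leading backtick in both places so that each reads :term:`Poky`. Separately, the new paragraph ending in INHERIT:remove = "create-spdx" now sits directly before the unchanged context line "Upon building an image, you will then get:", so the output list reads as if it were the result of disabling SPDX generation. Consider moving the disable paragraph below that list, or rewording the sentence so it clearly refers to the case where create-spdx is inherited.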