CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
dbf5ddbdb5
poky/documentation/dev-manual/sbom.rst
Enrico Jörns dbf5ddbdb5 dev-manual/sbom.rst: reflect that create-spdx is enabled by default 
Since nanbield (b34032ec "defaultsetup: Inherit create-spdx by
default"), the create-spdx class is pulled in by default, not only by
poky.

Adapt the text to reflect this and also change INHERIT to INHERIT_DISTRO
since this is the more concrete variable to modify for disabling
create-spdx.

[AG: fix conflicts]

(From yocto-docs rev: 4c47eb98e096121d71663342dde86b8c9256c9b5)

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2b6228943443faf76c9869a0daeccfe7f93688ca)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-11-26 07:50:35 -08:00

78 lines
3.4 KiB
ReStructuredText
Raw Blame History

.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
Creating a Software Bill of Materials
*************************************
Once you are able to build an image for your project, once the licenses for
each software component are all identified (see
":ref:`dev-manual/licenses:working with licenses`") and once vulnerability
fixes are applied (see ":ref:`dev-manual/vulnerabilities:checking
for vulnerabilities`"), the OpenEmbedded build system can generate
a description of all the components you used, their licenses, their dependencies,
their sources, the changes that were applied to them and the known
vulnerabilities that were fixed.
This description is generated in the form of a *Software Bill of Materials*
(:term:`SBOM`), using the :term:`SPDX` standard.
When you release software, this is the most standard way to provide information
about the Software Supply Chain of your software image and SDK. The
:term:`SBOM` tooling is often used to ensure open source license compliance by
providing the license texts used in the product which legal departments and end
users can read in standardized format.
:term:`SBOM` information is also critical to performing vulnerability exposure
assessments, as all the components used in the Software Supply Chain are listed.
The OpenEmbedded build system generates such information by default (by
inheriting the :ref:`ref-classes-create-spdx` class in :term:`INHERIT_DISTRO`).
If needed, it can be disabled from a :term:`configuration file`::
INHERIT_DISTRO:remove = "create-spdx"
Upon building an image, you will then get the compressed archive
``IMAGE-MACHINE.spdx.tar.zst`` contains the index and the files for the single
recipes.
The :ref:`ref-classes-create-spdx` class offers options to include
more information in the output :term:`SPDX` data:
- Make the json files more human readable by setting (:term:`SPDX_PRETTY`).
- Add compressed archives of the files in the generated target packages by
setting (:term:`SPDX_ARCHIVE_PACKAGED`).
- Add a description of the source files used to generate host tools and target
packages (:term:`SPDX_INCLUDE_SOURCES`)
- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
Though the toplevel :term:`SPDX` output is available in
``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
generated files are available in ``tmp/deploy/spdx`` too, such as:
- The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst``
archive.
- Compressed archives of the files in the generated target packages,
in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED`
is set).
- Compressed archives of the source files used to build the host tools
and the target packages in ``recipes/recipe-packagename.tar.zst``
(when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill
"source code access" license requirements.
See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows
to associate custom notes to a recipe.
See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
project website for a list of tools to consume and transform the :term:`SPDX`
data generated by the OpenEmbedded build system.
See also Joshua Watt's presentations
`Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__
at FOSDEM 2023 and
`SPDX in the Yocto Project <https://fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/>`__
at FOSDEM 2024.
Reference in New Issue View Git Blame Copy Permalink