2022-11-30, Langdale
Practical details for generating an SPDX SBoM with the Yocto Project
The Yocto Project has had a "create-spdx" class since version 3.4 ("Honister"). This class generates a "Software Bill of Materials" (SBOM) in the SPDX standard format, which device manufacturers and end users can use, typically for license compliance and for assessing their exposure to security vulnerabilities.
However, this class wasn't documented until very recently. Presentations on the topic have also been given, but with a contributor focus rather than from the perspective of a Yocto Project user.
This short presentation will therefore explain how to use the class and describe the variables that control the contents and volume of the generated SPDX output, all without having to look at the code and the generated files. I already did that for you.
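As an added example of the kind of downstream check the abstract has in mind (this is not the talk's material nor Yocto Project code), the Python below reads an SPDX 2.x JSON document of the shape create-spdx produces for an image and pulls out what a license review and a vulnerability-exposure review each need: the concluded license of every package, the set of individual license identifiers in use, packages whose license is still unresolved, and the CPE 2.3 identifiers a vulnerability scanner would match against. The SBOM embedded in the script is constructed and far smaller than a real one (no files, no relationships, made-up package versions); field names follow the SPDX 2.2 JSON schema. Whether a given package entry in a real document carries a cpe23Type external reference is not guaranteed, which is why the script also lists the packages that have none, since a CPE-based scan would silently skip them.

```python
import json
from collections import Counter

# Constructed sample, not real create-spdx output: a real image document is much
# larger and also lists files and relationships. Only the fields read below are
# present; the field names follow the SPDX 2.2 JSON schema.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "core-image-minimal-qemux86-64",
    "packages": [
        {"name": "busybox", "SPDXID": "SPDXRef-Package-busybox", "versionInfo": "1.35.0",
         "licenseDeclared": "GPL-2.0-only AND bzip2-1.0.4",
         "licenseConcluded": "GPL-2.0-only AND bzip2-1.0.4",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*"}]},
        {"name": "openssl", "SPDXID": "SPDXRef-Package-openssl", "versionInfo": "3.0.7",
         "licenseDeclared": "Apache-2.0", "licenseConcluded": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*"}]},
        {"name": "zlib", "SPDXID": "SPDXRef-Package-zlib", "versionInfo": "1.2.13",
         "licenseDeclared": "Zlib", "licenseConcluded": "Zlib",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*"}]},
        # A vendor blob with no concluded license and no CPE: both reviews must flag it.
        {"name": "vendor-firmware", "SPDXID": "SPDXRef-Package-vendor-firmware",
         "versionInfo": "2.1", "licenseDeclared": "LicenseRef-Proprietary",
         "licenseConcluded": "NOASSERTION"},
    ],
})

LICENSE_OPERATORS = {"AND", "OR", "WITH"}
UNRESOLVED = {"NOASSERTION", "NONE"}


def load_packages(sbom_json: str) -> list:
    """Parse the document and return its package entries.

    Refuses anything that is not an SPDX 2.x document, since the field names
    used below are specific to that schema.
    """
    doc = json.loads(sbom_json)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return doc.get("packages", [])


def license_inventory(packages) -> dict:
    """Package name -> concluded license expression (what compliance acts on)."""
    return {p["name"]: p.get("licenseConcluded", "NOASSERTION") for p in packages}


def unresolved_licenses(packages) -> list:
    """Packages whose concluded license is NOASSERTION or NONE; these need a human."""
    return sorted(p["name"] for p in packages
                  if p.get("licenseConcluded", "NOASSERTION") in UNRESOLVED)


def license_ids(packages) -> Counter:
    """Count individual SPDX license identifiers across all concluded expressions.

    Splits expressions such as "GPL-2.0-only AND bzip2-1.0.4" on whitespace,
    drops operators and parentheses, and ignores the unresolved placeholders.
    """
    counts = Counter()
    for expr in license_inventory(packages).values():
        for token in expr.replace("(", " ").replace(")", " ").split():
            if token not in LICENSE_OPERATORS and token not in UNRESOLVED:
                counts[token] += 1
    return counts


def cpe_inventory(packages) -> list:
    """(name, version, CPE 2.3 locator) for every SECURITY/cpe23Type reference."""
    found = []
    for p in packages:
        for ref in p.get("externalRefs", []):
            if (ref.get("referenceCategory") == "SECURITY"
                    and ref.get("referenceType") == "cpe23Type"):
                found.append((p["name"], p.get("versionInfo", ""), ref["referenceLocator"]))
    return sorted(found)


def packages_without_cpe(packages) -> list:
    """Packages a CPE-based vulnerability scan would silently skip."""
    covered = {name for name, _, _ in cpe_inventory(packages)}
    return sorted(p["name"] for p in packages if p["name"] not in covered)


def summarize(sbom_json: str) -> dict:
    """One report with both the license view and the vulnerability-exposure view."""
    packages = load_packages(sbom_json)
    return {
        "package_count": len(packages),
        "licenses": license_inventory(packages),
        "license_ids": dict(license_ids(packages)),
        "unresolved_licenses": unresolved_licenses(packages),
        "cpes": cpe_inventory(packages),
        "packages_without_cpe": packages_without_cpe(packages),
    }


if __name__ == "__main__":
    import sys
    # Pass the path of a real <image>.spdx.json to analyse it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    print(json.dumps(summarize(text), indent=2))
```

The two "negative" lists are the ones worth wiring into a build gate: an entry in `unresolved_licenses` means the SBOM cannot answer the compliance question for that package, and an entry in `packages_without_cpe` means a CPE-driven CVE lookup gives no signal for it at all, so its absence from a scan report is not evidence that it is clean.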
Michael Opdenacker is the current maintainer of the BitBake and Yocto Project manuals. He started using OpenEmbedded in 2004, blessed with guidance from some of its founding fathers, in particular Mickey Lauer and Phil Blundell. After a long pause, he is back and happy to see what has changed, and what hasn't.