.. SPDX-License-Identifier: CC-BY-SA-2.0-UK

Creating a Software Bill of Materials
*************************************

Once you are able to build an image for your project, once the licenses for
each software component are all identified (see
":ref:`dev-manual/licenses:working with licenses`") and once vulnerability
fixes are applied (see
":ref:`security-manual/vulnerabilities:checking for vulnerabilities`"), the
OpenEmbedded build system can generate a description of all the components you
used, their licenses, their dependencies, their sources, the changes that were
applied to them and the known vulnerabilities that were fixed.

This description is generated in the form of a *Software Bill of Materials*
(:term:`SBOM`), using the :term:`SPDX` standard.

When you release software, this is the most standard way to provide information
about the Software Supply Chain of your software image and SDK.

The :term:`SBOM` tooling is often used to ensure open source license compliance
by providing the license texts used in the product, which legal departments and
end users can read in a standardized format.

:term:`SBOM` information is also critical to performing vulnerability exposure
assessments, as all the components used in the Software Supply Chain are
listed.

The OpenEmbedded build system generates such information by default (by
inheriting the :ref:`ref-classes-create-spdx` class in :term:`INHERIT_DISTRO`).
If needed, it can be disabled from a :term:`configuration file`::

   INHERIT_DISTRO:remove = "create-spdx"

There are two ways to generate SBOM metadata:

-  By building an image, you will then get the :term:`SPDX` output in JSON
   format as an ``IMAGE-MACHINE.spdx.json`` file in
   ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`.

-  By generating the SBOM document using the recipe metadata only:

   .. code-block:: console

      $ bitbake -c create_recipe_sbom

   Note that the recipe SBOM is also included in the image SBOM document (for
   the recipes involved in the build of the image only).

The :ref:`ref-classes-create-spdx` class offers options to include more
information in the output :term:`SPDX` data:

-  Make the JSON files more human readable (:term:`SPDX_PRETTY`).

-  Add a description of the source files used to generate host tools and
   target packages (:term:`SPDX_INCLUDE_SOURCES`).

-  Add a description of the **compiled** source files used to generate host
   tools and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`).

-  Export the Linux kernel configuration (``CONFIG_*`` parameters) into the
   SPDX document (:term:`SPDX_INCLUDE_KERNEL_CONFIG`).

-  Export the recipe's ``PACKAGECONFIG`` features (enabled/disabled) into the
   SPDX document (:term:`SPDX_INCLUDE_PACKAGECONFIG`).

-  Exclude specific files from the SPDX output using Python regular
   expressions (:term:`SPDX_FILE_EXCLUDE_PATTERNS`).

-  Attach supplier information to the image SBOM, SDK SBOM, or individual
   packages (:term:`SPDX_IMAGE_SUPPLIER`, :term:`SPDX_SDK_SUPPLIER`,
   :term:`SPDX_PACKAGE_SUPPLIER`).

-  Enrich source downloads with ecosystem-specific Package URLs (PURLs), using
   the :ref:`ref-classes-cargo_common`, :ref:`ref-classes-go-mod`,
   :ref:`ref-classes-pypi`, :ref:`ref-classes-npm`, and
   :ref:`ref-classes-cpan` classes to automatically populate PURL identifiers
   for the corresponding language ecosystems.

-  Record which agent invoked the build and on whose behalf it ran, enabling
   CI/CD traceability in the SBOM (:term:`SPDX_INCLUDE_BITBAKE_PARENT_BUILD`,
   :term:`SPDX_INVOKED_BY`, :term:`SPDX_ON_BEHALF_OF`).

See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable, which allows you to
associate custom notes with a recipe.

See the `tools page `__ on the :term:`SPDX` project website for a list of
tools to consume and transform the :term:`SPDX` data generated by the
OpenEmbedded build system.
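The generated ``IMAGE-MACHINE.spdx.json`` is what license-compliance and
vulnerability-exposure reviews actually consume. The script below is an added
example, not part of the Yocto Project documentation or of the
``create-spdx`` class: it walks an SPDX 3.0 JSON-LD document, indexes every
element by ``spdxId``, and reports each package's declared or concluded
license and the CVEs recorded as fixed in it, then flags packages that carry no
license at all. The element and relationship field names
(``software_Package``, ``simplelicensing_licenseExpression``,
``hasDeclaredLicense``, ``fixedIn``, ``externalIdentifierType``) are assumed
from the SPDX 3.0 specification and should be checked against an SBOM produced
by your own build; the embedded sample document and its ``CVE-0000-0001``
identifier are constructed for the example.

```python
"""Summarize packages, licenses and fixed CVEs from an SPDX 3.0 JSON-LD SBOM.

Added example, not Yocto Project code. It ASSUMES the SPDX 3.0 JSON-LD layout:
a top-level "@graph" list of elements, each with "type" and "spdxId", and
relationship elements carrying "from", "to" and "relationshipType".
"""
import json
import sys

# Constructed minimal SBOM for the example; field names follow SPDX 3.0 as
# assumed here, and the CVE identifier is a placeholder, not a real advisory.
SAMPLE_SBOM = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:pkg-openssl",
         "name": "openssl", "software_packageVersion": "3.2.1"},
        {"type": "software_Package", "spdxId": "urn:example:pkg-busybox",
         "name": "busybox", "software_packageVersion": "1.36.1"},
        {"type": "simplelicensing_LicenseExpression",
         "spdxId": "urn:example:lic-apache",
         "simplelicensing_licenseExpression": "Apache-2.0"},
        {"type": "security_Vulnerability", "spdxId": "urn:example:vuln-1",
         "externalIdentifier": [{"type": "ExternalIdentifier",
                                 "externalIdentifierType": "cve",
                                 "identifier": "CVE-0000-0001"}]},
        {"type": "Relationship", "spdxId": "urn:example:rel-1",
         "relationshipType": "hasDeclaredLicense",
         "from": "urn:example:pkg-openssl", "to": ["urn:example:lic-apache"]},
        {"type": "security_VexFixedVulnAssessmentRelationship",
         "spdxId": "urn:example:rel-2", "relationshipType": "fixedIn",
         "from": "urn:example:vuln-1", "to": ["urn:example:pkg-openssl"]},
    ],
}


def load_graph(doc):
    """Index every element by spdxId and collect relationship elements."""
    elements, relationships = {}, []
    for el in doc.get("@graph", []):
        if el.get("spdxId"):
            elements[el["spdxId"]] = el
        if el.get("relationshipType"):
            relationships.append(el)
    return elements, relationships


def _cve_ids(vuln):
    """Return the CVE identifiers attached to a security_Vulnerability element."""
    return [ext["identifier"] for ext in vuln.get("externalIdentifier", [])
            if ext.get("externalIdentifierType") == "cve"]


def summarize_packages(doc):
    """Map package name -> {version, licenses, fixed_cves}."""
    elements, relationships = load_graph(doc)
    by_id = {sid: {"name": el.get("name"),
                   "version": el.get("software_packageVersion"),
                   "licenses": [], "fixed_cves": []}
             for sid, el in elements.items()
             if el.get("type") == "software_Package"}
    for rel in relationships:
        targets = rel.get("to", [])
        targets = [targets] if isinstance(targets, str) else targets
        rtype = rel.get("relationshipType")
        if rtype in ("hasDeclaredLicense", "hasConcludedLicense"):
            # package --license--> LicenseExpression element
            pkg = by_id.get(rel.get("from"))
            for tid in targets:
                expr = elements.get(tid, {}).get("simplelicensing_licenseExpression")
                if pkg is not None and expr and expr not in pkg["licenses"]:
                    pkg["licenses"].append(expr)
        elif rtype == "fixedIn":
            # vulnerability --fixedIn--> package
            cves = _cve_ids(elements.get(rel.get("from"), {}))
            for tid in targets:
                if tid in by_id:
                    by_id[tid]["fixed_cves"].extend(cves)
    return {info["name"]: info for info in by_id.values()}


def packages_without_license(summary):
    """Compliance check: packages with neither a declared nor a concluded license."""
    return sorted(name for name, info in summary.items() if not info["licenses"])


if __name__ == "__main__":
    # Usage: python sbom_summary.py tmp/deploy/images/MACHINE/IMAGE-MACHINE.spdx.json
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    result = summarize_packages(doc)
    for name, info in sorted(result.items()):
        print(f"{name} {info['version']}: licenses={info['licenses']} "
              f"fixed={info['fixed_cves']}")
    print("no license recorded:", packages_without_license(result))
```

Run it against the ``.spdx.json`` from ``tmp/deploy/images/MACHINE/`` to get a
per-package view; a non-empty "no license recorded" list is the first thing a
compliance reviewer will ask about, and the ``fixed_cves`` column is the
evidence that a vulnerability exposure assessment needs when a scanner still
matches the component version.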
See the definition of the variables starting with ``SPDX_`` in the
:doc:`Yocto Project Reference Manual glossary ` for more information.

See also Joshua Watt's presentations `Automated SBoM generation with
OpenEmbedded and the Yocto Project `__ at FOSDEM 2023 and `SPDX in the Yocto
Project `__ at FOSDEM 2024.