37 Creating a Software Bill of Materials
Once you are able to build an image for your project, once the licenses for each software component are all identified (see “Working With Licenses”) and once vulnerability fixes are applied (see “Checking for Vulnerabilities”), the OpenEmbedded build system can generate a description of all the components you used, their licenses, their dependencies, their sources, the changes that were applied to them and the known vulnerabilities that were fixed.
This description is generated in the form of a Software Bill of Materials (SBOM), using the SPDX standard.
When you release software, this is the most standard way to provide information about the Software Supply Chain of your software image and SDK. The SBOM tooling is often used to ensure open source license compliance by providing the license texts used in the product which legal departments and end users can read in standardized format.
SBOM information is also critical to performing vulnerability exposure assessments, as all the components used in the Software Supply Chain are listed.
The OpenEmbedded build system doesn’t generate such information by default. To make this happen, you must inherit the create-spdx class from a configuration file:
INHERIT += "create-spdx"
You then get SPDX output in JSON format as an
IMAGE-MACHINE.spdx.json
file in tmp/deploy/images/MACHINE/
inside the
Build Directory.
This is a toplevel file accompanied by an IMAGE-MACHINE.spdx.index.json
containing an index of JSON SPDX files for individual recipes, together
with an IMAGE-MACHINE.spdx.tar.zst
compressed archive containing all such
files.
The create-spdx class offers options to include more information in the output SPDX data, such as making the generated files more human readable (SPDX_PRETTY), adding compressed archives of the files in the generated target packages (SPDX_ARCHIVE_PACKAGED), adding a description of the source files used to generate host tools and target packages (SPDX_INCLUDE_SOURCES) and adding archives of these source files themselves (SPDX_ARCHIVE_SOURCES).
Though the toplevel SPDX output is available in
tmp/deploy/images/MACHINE/
inside the Build Directory, ancillary
generated files are available in tmp/deploy/spdx/MACHINE
too, such as:
The individual SPDX JSON files in the
IMAGE-MACHINE.spdx.tar.zst
archive.Compressed archives of the files in the generated target packages, in
packages/packagename.tar.zst
(when SPDX_ARCHIVE_PACKAGED is set).Compressed archives of the source files used to build the host tools and the target packages in
recipes/recipe-packagename.tar.zst
(when SPDX_ARCHIVE_SOURCES is set). Those are needed to fulfill “source code access” license requirements.
See also the SPDX_CUSTOM_ANNOTATION_VARS variable which allows to associate custom notes to a recipe.
See the tools page on the SPDX project website for a list of tools to consume and transform the SPDX data generated by the OpenEmbedded build system.
See also Joshua Watt’s Automated SBoM generation with OpenEmbedded and the Yocto Project presentation at FOSDEM 2023.