Sākums Izpētīt Palīdzība
Pierakstīties
crispAudio
/
poky
spogulis no git://git.yoctoproject.org/poky
5
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: fe721fe574
Atzari Tagi
poky
/
documentation
/
dev-manual
/
sbom.rst

sbom.rst 4.0 KB
Vēsture Neapstrādāts

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. .. SPDX-License-Identifier: CC-BY-SA-2.0-UK
    2. 

  2. 

  3. Creating a Software Bill of Materials
    4. 

  4. *************************************
    5. 

  5. 

  6. Once you are able to build an image for your project, once the licenses for
    7. 

  7. each software component are all identified (see
    8. 

  8. ":ref:`dev-manual/licenses:working with licenses`") and once vulnerability
    9. 

  9. fixes are applied (see ":ref:`dev-manual/vulnerabilities:checking
    10. 

  10. for vulnerabilities`"), the OpenEmbedded build system can generate
    11. 

  11. a description of all the components you used, their licenses, their dependencies,
    12. 

  12. their sources, the changes that were applied to them and the known
    13. 

  13. vulnerabilities that were fixed.
    14. 

  14. 

  15. This description is generated in the form of a *Software Bill of Materials*
    16. 

  16. (:term:`SBOM`), using the :term:`SPDX` standard.
    17. 

  17. 

  18. When you release software, this is the most standard way to provide information
    19. 

  19. about the Software Supply Chain of your software image and SDK. The
    20. 

  20. :term:`SBOM` tooling is often used to ensure open source license compliance by
    21. 

  21. providing the license texts used in the product which legal departments and end
    22. 

  22. users can read in standardized format.
    23. 

  23. 

  24. :term:`SBOM` information is also critical to performing vulnerability exposure
    25. 

  25. assessments, as all the components used in the Software Supply Chain are listed.
    26. 

  26. 

  27. The OpenEmbedded build system doesn't generate such information by default,
    28. 

  28. though the :term:`Poky` reference distribution has it enabled out of the box.
    29. 

  29. 

  30. To enable it, inherit the :ref:`ref-classes-create-spdx` class from a
    31. 

  31. configuration file::
    32. 

  32. 

  33.    INHERIT += "create-spdx"
    34. 

  34. 

  35. In the :term:`Poky` reference distribution, :term:`SPDX` generation does
    36. 

  36. consume some build time resources and thus if needed it can be disabled from a
    37. 

  37. :term:`configuration file`::
    38. 

  38. 

  39.    INHERIT:remove = "create-spdx"
    40. 

  40. 

  41. Upon building an image, you will then get:
    42. 

  42. 

  43. -  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
    44. 

  44.    ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`.
    45. 

  45. 

  46. -  This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json``
    47. 

  47.    containing an index of JSON :term:`SPDX` files for individual recipes.
    48. 

  48. 

  49. -  The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index
    50. 

  50.    and the files for the single recipes.
    51. 

  51. 

  52. The :ref:`ref-classes-create-spdx` class offers options to include
    53. 

  53. more information in the output :term:`SPDX` data:
    54. 

  54. 

  55. -  Make the json files more human readable by setting (:term:`SPDX_PRETTY`).
    56. 

  56. 

  57. -  Add compressed archives of the files in the generated target packages by
    58. 

  58.    setting (:term:`SPDX_ARCHIVE_PACKAGED`).
    59. 

  59. 

  60. -  Add a description of the source files used to generate host tools and target
    61. 

  61.    packages (:term:`SPDX_INCLUDE_SOURCES`)
    62. 

  62. 

  63. -  Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
    64. 

  64. 

  65. Though the toplevel :term:`SPDX` output is available in
    66. 

  66. ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
    67. 

  67. generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
    68. 

  68. 

  69. -  The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst``
    70. 

  70.    archive.
    71. 

  71. 

  72. -  Compressed archives of the files in the generated target packages,
    73. 

  73.    in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED`
    74. 

  74.    is set).
    75. 

  75. 

  76. -  Compressed archives of the source files used to build the host tools
    77. 

  77.    and the target packages in ``recipes/recipe-packagename.tar.zst``
    78. 

  78.    (when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill
    79. 

  79.    "source code access" license requirements.
    80. 

  80. 

  81. See also the :term:`SPDX_CUSTOM_ANNOTATION_VARS` variable which allows
    82. 

  82. to associate custom notes to a recipe.
    83. 

  83. See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
    84. 

  84. project website for a list of tools to consume and transform the :term:`SPDX`
    85. 

  85. data generated by the OpenEmbedded build system.
    86. 

  86. 

  87. See also Joshua Watt's presentations
    88. 

  88. `Automated SBoM generation with OpenEmbedded and the Yocto Project <https://youtu.be/Q5UQUM6zxVU>`__
    89. 

  89. at FOSDEM 2023 and
    90. 

  90. `SPDX in the Yocto Project <https://fosdem.org/2024/schedule/event/fosdem-2024-3318-spdx-in-the-yocto-project/>`__
    91. 

  91. at FOSDEM 2024.
    92.