dev-manual: common-tasks.rst: add section about SPDX / SBOM generation

Also stop refering to the meta-spdxscanner class, no longer relevant. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Michael Opdenacker <michael.opdenacker@bootlin.com> 2022-10-28 11:17:55 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-07 21:31:32 +0000
commit: a4dee23387839ec5c995f1508851f964a622cf69 (patch)
tree: ca5a24163fce79807e9ccdd6179e3a4b208ca6bd /documentation
parent: a6f7c43e9229031483af906d5c119f3a9346b9b2 (diff)
download: poky-a4dee23387839ec5c995f1508851f964a622cf69.tar.gz
1 files changed, 66 insertions, 35 deletions
diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst
index d99d327937..21215d1203 100644
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -11200,8 +11200,6 @@ to be covered by assuming that there are three main areas of concern:
 -  Compilation scripts and modifications to the source code must be
   provided.
-  spdx files can be provided.
 There are other requirements beyond the scope of these three and the
 methods described in this section (e.g. the mechanism through which
 source code is distributed).
@@ -11392,39 +11390,6 @@ layers (recipes, configuration files, and so forth) enables you to meet
 your requirements to include the scripts to control compilation as well
 as any modifications to the original source.
-Providing spdx files
-~~~~~~~~~~~~~~~~~~~~~~~~~
-The spdx module has been integrated to a layer named meta-spdxscanner.
-meta-spdxscanner provides several kinds of scanner. If you want to enable
-this function, you have to follow the following steps:
-1. Add meta-spdxscanner layer into ``bblayers.conf``.
-2. Refer to the README in meta-spdxscanner to setup the environment (e.g,
-   setup a fossology server) needed for the scanner.
-3. Meta-spdxscanner provides several methods within the bbclass to create spdx files.
-   Please choose one that you want to use and enable the spdx task. You have to
-   add some config options in ``local.conf`` file in your :term:`Build Directory`.
-   Here is an example showing how to generate spdx files during BitBake using the
-   fossology-python.bbclass::
-      # Select fossology-python.bbclass.
-      INHERIT += "fossology-python"
-      # For fossology-python.bbclass, TOKEN is necessary, so, after setup a
-      # Fossology server, you have to create a token.
-      TOKEN = "eyJ0eXAiO..."
-      # The fossology server is necessary for fossology-python.bbclass.
-      FOSSOLOGY_SERVER = "http://xx.xx.xx.xx:8081/repo"
-      # If you want to upload the source code to a special folder:
-      FOLDER_NAME = "xxxx" //Optional
-      # If you don't want to put spdx files in tmp/deploy/spdx, you can enable:
-      SPDX_DEPLOY_DIR = "${DEPLOY_DIR}" //Optional
-For more usage information refer to :yocto_git:`the meta-spdxscanner repository
-</meta-spdxscanner/>`.
 Compliance Limitations with Executables Built from Static Libraries
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -11674,6 +11639,72 @@ When analyzing CVEs, it is recommended to:
 -  follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
   discussions and advance notifications of CVE bugs and software releases with fixes.
+Creating a Software Bill of Materials
+=====================================
+Once you are able to build an image for your project, once the licenses for
+each software component are all identified (see
+":ref:`dev-manual/common-tasks:working with licenses`") and once vulnerability
+fixes are applied (see ":ref:`dev-manual/common-tasks:checking
+for vulnerabilities`"), the OpenEmbedded build system can generate
+a description of all the components you used, their licenses, their dependencies,
+the changes that were applied and the known vulnerabilities that were fixed.
+This description is generated in the form of a *Software Bill of Materials*
+(:term:`SBOM`), using the :term:`SPDX` standard.
+When you release software, this is the most standard way to provide information
+about the Software Supply Chain of your software image and SDK. The
+:term:`SBOM` tooling is often used to ensure open source license compliance by
+providing the license texts used in the product which legal departments and end
+users can read in standardized format.
+:term:`SBOM` information is also critical to performing vulnerability exposure
+assessments, as all the components used in the Software Supply Chain are listed.
+The OpenEmbedded build system doesn't generate such information by default.
+To make this happen, you must inherit the
+:ref:`create-spdx <ref-classes-create-spdx>` class from a configuration file::
+   INHERIT += "create-spdx"
+You then get :term:`SPDX` output in JSON format as an
+``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
+:term:`Build Directory`.
+This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json``
+containing an index of JSON :term:`SPDX` files for individual recipes, together
+with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such
+files.
+The :ref:`create-spdx <ref-classes-create-spdx>` class offers options to include
+more information in the output :term:`SPDX` data, such as making the generated
+files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of
+the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`),
+adding a description of the source files handled by the target recipes
+(:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source files
+themselves (:term:`SPDX_ARCHIVE_SOURCES`).
+Though the toplevel :term:`SPDX` output is available in
+``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
+generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
+-  The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst``
+   archive.
+-  Compressed archives of the files in the generated target packages,
+   in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED`
+   is set).
+-  Compressed archives of the source files used to build the host tools
+   and the target packages in ``recipes/recipe-packagename.tar.zst``
+   (when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill
+   "source code access" license requirements.
+See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
+project website for a list of tools to consume and transform the :term:`SPDX`
+data generated by the OpenEmbedded build system.
 Using the Error Reporting Tool
 ==============================
author	Michael Opdenacker <michael.opdenacker@bootlin.com>	2022-10-28 11:17:55 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-07 21:31:32 +0000
commit	a4dee23387839ec5c995f1508851f964a622cf69 (patch)
tree	ca5a24163fce79807e9ccdd6179e3a4b208ca6bd /documentation
parent	a6f7c43e9229031483af906d5c119f3a9346b9b2 (diff)
download	poky-a4dee23387839ec5c995f1508851f964a622cf69.tar.gz

diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index d99d327937..21215d1203 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst
@@ -11200,8 +11200,6 @@ to be covered by assuming that there are three main areas of concern:
11200	- Compilation scripts and modifications to the source code must be	11200	- Compilation scripts and modifications to the source code must be
11201	provided.	11201	provided.
11202		11202
11203	- spdx files can be provided.
11204
11205	There are other requirements beyond the scope of these three and the	11203	There are other requirements beyond the scope of these three and the
11206	methods described in this section (e.g. the mechanism through which	11204	methods described in this section (e.g. the mechanism through which
11207	source code is distributed).	11205	source code is distributed).
@@ -11392,39 +11390,6 @@ layers (recipes, configuration files, and so forth) enables you to meet
11392	your requirements to include the scripts to control compilation as well	11390	your requirements to include the scripts to control compilation as well
11393	as any modifications to the original source.	11391	as any modifications to the original source.
11394		11392
11395	Providing spdx files
11396	~~~~~~~~~~~~~~~~~~~~~~~~~
11397
11398	The spdx module has been integrated to a layer named meta-spdxscanner.
11399	meta-spdxscanner provides several kinds of scanner. If you want to enable
11400	this function, you have to follow the following steps:
11401
11402	1. Add meta-spdxscanner layer into ``bblayers.conf``.
11403
11404	2. Refer to the README in meta-spdxscanner to setup the environment (e.g,
11405	setup a fossology server) needed for the scanner.
11406
11407	3. Meta-spdxscanner provides several methods within the bbclass to create spdx files.
11408	Please choose one that you want to use and enable the spdx task. You have to
11409	add some config options in ``local.conf`` file in your :term:`Build Directory`.
11410	Here is an example showing how to generate spdx files during BitBake using the
11411	fossology-python.bbclass::
11412
11413	# Select fossology-python.bbclass.
11414	INHERIT += "fossology-python"
11415	# For fossology-python.bbclass, TOKEN is necessary, so, after setup a
11416	# Fossology server, you have to create a token.
11417	TOKEN = "eyJ0eXAiO..."
11418	# The fossology server is necessary for fossology-python.bbclass.
11419	FOSSOLOGY_SERVER = "http://xx.xx.xx.xx:8081/repo"
11420	# If you want to upload the source code to a special folder:
11421	FOLDER_NAME = "xxxx" //Optional
11422	# If you don't want to put spdx files in tmp/deploy/spdx, you can enable:
11423	SPDX_DEPLOY_DIR = "${DEPLOY_DIR}" //Optional
11424
11425	For more usage information refer to :yocto_git:`the meta-spdxscanner repository
11426	</meta-spdxscanner/>`.
11427
11428	Compliance Limitations with Executables Built from Static Libraries	11393	Compliance Limitations with Executables Built from Static Libraries
11429	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	11394	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
11430		11395
@@ -11674,6 +11639,72 @@ When analyzing CVEs, it is recommended to:
11674	- follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for	11639	- follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
11675	discussions and advance notifications of CVE bugs and software releases with fixes.	11640	discussions and advance notifications of CVE bugs and software releases with fixes.
11676		11641
		11642	Creating a Software Bill of Materials
		11643	=====================================
		11644
		11645	Once you are able to build an image for your project, once the licenses for
		11646	each software component are all identified (see
		11647	":ref:`dev-manual/common-tasks:working with licenses`") and once vulnerability
		11648	fixes are applied (see ":ref:`dev-manual/common-tasks:checking
		11649	for vulnerabilities`"), the OpenEmbedded build system can generate
		11650	a description of all the components you used, their licenses, their dependencies,
		11651	the changes that were applied and the known vulnerabilities that were fixed.
		11652
		11653	This description is generated in the form of a Software Bill of Materials
		11654	(:term:`SBOM`), using the :term:`SPDX` standard.
		11655
		11656	When you release software, this is the most standard way to provide information
		11657	about the Software Supply Chain of your software image and SDK. The
		11658	:term:`SBOM` tooling is often used to ensure open source license compliance by
		11659	providing the license texts used in the product which legal departments and end
		11660	users can read in standardized format.
		11661
		11662	:term:`SBOM` information is also critical to performing vulnerability exposure
		11663	assessments, as all the components used in the Software Supply Chain are listed.
		11664
		11665	The OpenEmbedded build system doesn't generate such information by default.
		11666	To make this happen, you must inherit the
		11667	:ref:`create-spdx <ref-classes-create-spdx>` class from a configuration file::
		11668
		11669	INHERIT += "create-spdx"
		11670
		11671	You then get :term:`SPDX` output in JSON format as an
		11672	``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
		11673	:term:`Build Directory`.
		11674
		11675	This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json``
		11676	containing an index of JSON :term:`SPDX` files for individual recipes, together
		11677	with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such
		11678	files.
		11679
		11680	The :ref:`create-spdx <ref-classes-create-spdx>` class offers options to include
		11681	more information in the output :term:`SPDX` data, such as making the generated
		11682	files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of
		11683	the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`),
		11684	adding a description of the source files handled by the target recipes
		11685	(:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source files
		11686	themselves (:term:`SPDX_ARCHIVE_SOURCES`).
		11687
		11688	Though the toplevel :term:`SPDX` output is available in
		11689	``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
		11690	generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
		11691
		11692	- The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst``
		11693	archive.
		11694
		11695	- Compressed archives of the files in the generated target packages,
		11696	in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED`
		11697	is set).
		11698
		11699	- Compressed archives of the source files used to build the host tools
		11700	and the target packages in ``recipes/recipe-packagename.tar.zst``
		11701	(when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill
		11702	"source code access" license requirements.
		11703
		11704	See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
		11705	project website for a list of tools to consume and transform the :term:`SPDX`
		11706	data generated by the OpenEmbedded build system.
		11707
11677	Using the Error Reporting Tool	11708	Using the Error Reporting Tool
11678	==============================	11709	==============================
11679		11710