1 files changed, 14 insertions, 3 deletions
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
index b72bad1554..ca0fc8b9d6 100644
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@@ -24,12 +24,20 @@ users can read in standardized format.
 :term:`SBOM` information is also critical to performing vulnerability exposure
 assessments, as all the components used in the Software Supply Chain are listed.
-The OpenEmbedded build system doesn't generate such information by default.
+The OpenEmbedded build system doesn't generate such information by default,
-To make this happen, you must inherit the
+though the :term:`Poky` reference distribution has it enabled out of the box.
-:ref:`ref-classes-create-spdx` class from a configuration file::
+To enable it, inherit the :ref:`ref-classes-create-spdx` class from a
+configuration file::
   INHERIT += "create-spdx"
+In the :term:`Poky` reference distribution, :term:`SPDX` generation does
+consume some build time resources and thus if needed it can be disabled from a
+:term:`configuration file`::
+   INHERIT:remove = "create-spdx"
 Upon building an image, you will then get:
 -  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
@@ -52,6 +60,9 @@ more information in the output :term:`SPDX` data:
 -  Add a description of the source files used to generate host tools and target
   packages (:term:`SPDX_INCLUDE_SOURCES`)
+-  Add a description of the **compiled** source files used to generate host tools
+   and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`)
 -  Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
 Though the toplevel :term:`SPDX` output is available in

diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index b72bad1554..ca0fc8b9d6 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst
@@ -24,12 +24,20 @@ users can read in standardized format.
24	:term:`SBOM` information is also critical to performing vulnerability exposure	24	:term:`SBOM` information is also critical to performing vulnerability exposure
25	assessments, as all the components used in the Software Supply Chain are listed.	25	assessments, as all the components used in the Software Supply Chain are listed.
26		26
27	The OpenEmbedded build system doesn't generate such information by default.	27	The OpenEmbedded build system doesn't generate such information by default,
28	To make this happen, you must inherit the	28	though the :term:`Poky` reference distribution has it enabled out of the box.
29	:ref:`ref-classes-create-spdx` class from a configuration file::	29
		30	To enable it, inherit the :ref:`ref-classes-create-spdx` class from a
		31	configuration file::
30		32
31	INHERIT += "create-spdx"	33	INHERIT += "create-spdx"
32		34
		35	In the :term:`Poky` reference distribution, :term:`SPDX` generation does
		36	consume some build time resources and thus if needed it can be disabled from a
		37	:term:`configuration file`::
		38
		39	INHERIT:remove = "create-spdx"
		40
33	Upon building an image, you will then get:	41	Upon building an image, you will then get:
34		42
35	- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in	43	- :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
@@ -52,6 +60,9 @@ more information in the output :term:`SPDX` data:
52	- Add a description of the source files used to generate host tools and target	60	- Add a description of the source files used to generate host tools and target
53	packages (:term:`SPDX_INCLUDE_SOURCES`)	61	packages (:term:`SPDX_INCLUDE_SOURCES`)
54		62
		63	- Add a description of the compiled source files used to generate host tools
		64	and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`)
		65
55	- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).	66	- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
56		67
57	Though the toplevel :term:`SPDX` output is available in	68	Though the toplevel :term:`SPDX` output is available in