diff options
| author | Michael Opdenacker <michael.opdenacker@bootlin.com> | 2022-11-24 17:50:52 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-12-01 19:20:29 +0000 |
| commit | 945c669138a76be18c6b4da4f8f907d2a5cfd83f (patch) | |
| tree | cebff3cae5021d4fcceb5aa51fce1c2aead97ed2 /documentation/dev-manual/sbom.rst | |
| parent | 6fe3143800925463279d0664fc7f3372b53c6c52 (diff) | |
| download | poky-945c669138a76be18c6b4da4f8f907d2a5cfd83f.tar.gz | |
manuals: split dev-manual/common-tasks.rst
A 500 KB source file is always harder to manage,
and can have section title conflicts.
So, the "Common Tasks" document is gone and all
its constituents are moved up one level.
You now have 40 chapters in the Development Tasks Manual.
(From yocto-docs rev: 8a45bc469411410020b8e688c137395fcaf3761b)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual/sbom.rst')
| -rw-r--r-- | documentation/dev-manual/sbom.rst | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst new file mode 100644 index 0000000000..f80e81279a --- /dev/null +++ b/documentation/dev-manual/sbom.rst | |||
| @@ -0,0 +1,68 @@ | |||
| 1 | .. SPDX-License-Identifier: CC-BY-SA-2.0-UK | ||
| 2 | |||
| 3 | Creating a Software Bill of Materials | ||
| 4 | ************************************* | ||
| 5 | |||
| 6 | Once you are able to build an image for your project, once the licenses for | ||
| 7 | each software component are all identified (see | ||
| 8 | ":ref:`dev-manual/licenses:working with licenses`") and once vulnerability | ||
| 9 | fixes are applied (see ":ref:`dev-manual/vulnerabilities:checking | ||
| 10 | for vulnerabilities`"), the OpenEmbedded build system can generate | ||
| 11 | a description of all the components you used, their licenses, their dependencies, | ||
| 12 | the changes that were applied and the known vulnerabilities that were fixed. | ||
| 13 | |||
| 14 | This description is generated in the form of a *Software Bill of Materials* | ||
| 15 | (:term:`SBOM`), using the :term:`SPDX` standard. | ||
| 16 | |||
| 17 | When you release software, this is the most standard way to provide information | ||
| 18 | about the Software Supply Chain of your software image and SDK. The | ||
| 19 | :term:`SBOM` tooling is often used to ensure open source license compliance by | ||
| 20 | providing the license texts used in the product which legal departments and end | ||
| 21 | users can read in standardized format. | ||
| 22 | |||
| 23 | :term:`SBOM` information is also critical to performing vulnerability exposure | ||
| 24 | assessments, as all the components used in the Software Supply Chain are listed. | ||
| 25 | |||
| 26 | The OpenEmbedded build system doesn't generate such information by default. | ||
| 27 | To make this happen, you must inherit the | ||
| 28 | :ref:`create-spdx <ref-classes-create-spdx>` class from a configuration file:: | ||
| 29 | |||
| 30 | INHERIT += "create-spdx" | ||
| 31 | |||
| 32 | You then get :term:`SPDX` output in JSON format as an | ||
| 33 | ``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the | ||
| 34 | :term:`Build Directory`. | ||
| 35 | |||
| 36 | This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json`` | ||
| 37 | containing an index of JSON :term:`SPDX` files for individual recipes, together | ||
| 38 | with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such | ||
| 39 | files. | ||
| 40 | |||
| 41 | The :ref:`create-spdx <ref-classes-create-spdx>` class offers options to include | ||
| 42 | more information in the output :term:`SPDX` data, such as making the generated | ||
| 43 | files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of | ||
| 44 | the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`), | ||
| 45 | adding a description of the source files handled by the target recipes | ||
| 46 | (:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source files | ||
| 47 | themselves (:term:`SPDX_ARCHIVE_SOURCES`). | ||
| 48 | |||
| 49 | Though the toplevel :term:`SPDX` output is available in | ||
| 50 | ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary | ||
| 51 | generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as: | ||
| 52 | |||
| 53 | - The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst`` | ||
| 54 | archive. | ||
| 55 | |||
| 56 | - Compressed archives of the files in the generated target packages, | ||
| 57 | in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED` | ||
| 58 | is set). | ||
| 59 | |||
| 60 | - Compressed archives of the source files used to build the host tools | ||
| 61 | and the target packages in ``recipes/recipe-packagename.tar.zst`` | ||
| 62 | (when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill | ||
| 63 | "source code access" license requirements. | ||
| 64 | |||
| 65 | See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX` | ||
| 66 | project website for a list of tools to consume and transform the :term:`SPDX` | ||
| 67 | data generated by the OpenEmbedded build system. | ||
| 68 | |||