Diffstat (limited to 'documentation/ref-manual')
-rw-r--r-- documentation/ref-manual/terms.rst | 28
-rw-r--r-- documentation/ref-manual/variables.rst | 94
2 files changed, 122 insertions, 0 deletions
diff --git a/documentation/ref-manual/terms.rst b/documentation/ref-manual/terms.rst
index 1e3f718a8f..7e5295a646 100644
--- a/documentation/ref-manual/terms.rst
+++ b/documentation/ref-manual/terms.rst
@@ -323,6 +323,23 @@ universal, the list includes them just in case:
323 :term:`build host<Build Host>` and other components, that can 323 :term:`build host<Build Host>` and other components, that can
324 work on specific hardware. 324 work on specific hardware.
325 325
326 :term:`SBOM`
327 This term means *Software Bill of Materials*. When you distribute
328 software, it offers a description of all the components you used,
329 their corresponding licenses, their dependencies, the changes that were
330 applied and the known vulnerabilities that were fixed.
331
332 This can be used by the recipients of the software to assess
333 their exposure to license compliance and security vulnerability issues.
334
335 See the :wikipedia:`Software Supply Chain <Software_supply_chain>`
336 article on Wikipedia for more details.
337
338 The OpenEmbedded Build System can generate such documentation for your
339 project, in :term:`SPDX` format, based on all the metadata it used to
340 build the software images. See the ":ref:`dev-manual/common-tasks:creating
341 a software bill of materials`" section of the Development Tasks manual.
342
326 :term:`Source Directory` 343 :term:`Source Directory`
327 This term refers to the directory structure 344 This term refers to the directory structure
328 created as a result of creating a local copy of the ``poky`` Git 345 created as a result of creating a local copy of the ``poky`` Git
@@ -383,6 +400,17 @@ universal, the list includes them just in case:
383 ":ref:`overview-manual/development-environment:repositories, tags, and branches`" 400 ":ref:`overview-manual/development-environment:repositories, tags, and branches`"
384 section in the Yocto Project Overview and Concepts Manual. 401 section in the Yocto Project Overview and Concepts Manual.
385 402
403 :term:`SPDX`
404 This term means *Software Package Data Exchange*, and is used as a open
405 standard for providing a *Software Bill of Materials* (:term:`SBOM`).
406 This standard is developed through a `Linux Foundation project
407 <https://spdx.dev/>`__ and is used by the OpenEmbedded Build System to
408 provide an :term:`SBOM` associated to each a software image.
409
410 For details, see Wikipedia's :wikipedia:`SPDX page <Software_Package_Data_Exchange>`
411 and the ":ref:`dev-manual/common-tasks:creating a software bill of materials`"
412 section of the Development Tasks manual.
413
386 :term:`Sysroot` 414 :term:`Sysroot`
387 When cross-compiling, the target file system may be differently laid 415 When cross-compiling, the target file system may be differently laid
388 out and contain different things compared to the host system. The concept 416 out and contain different things compared to the host system. The concept
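Review bot: two grammar slips in the new SPDX entry. Line 404 "is used as a open standard" should read "is used as an open standard", and line 408 "provide an :term:`SBOM` associated to each a software image" should read "provide an :term:`SBOM` associated with each software image".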
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 71e8c272a7..f17960e0e9 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1508,6 +1508,18 @@ system and gives an overview of their function and contents.
1508 1508
1509 CVE_PRODUCT = "vendor:package" 1509 CVE_PRODUCT = "vendor:package"
1510 1510
1511 :term:`CVE_VERSION`
1512 In a recipe, defines the version used to match the recipe version
1513 against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
1514 when usign :ref:`cve-check <ref-classes-cve-check>`.
1515
1516 The default is ${:term:`PV`} but if recipes use custom version numbers
1517 which do not map to upstream software component release versions and the versions
1518 used in the CVE database, then this variable can be used to set the
1519 version number for :ref:`cve-check <ref-classes-cve-check>`. Example::
1520
1521 CVE_VERSION = "2.39"
1522
1511 :term:`CVSDIR` 1523 :term:`CVSDIR`
1512 The directory in which files checked out under the CVS system are 1524 The directory in which files checked out under the CVS system are
1513 stored. 1525 stored.
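Review bot: typo on line 1514, "usign" should be "using". The second paragraph (lines 1516-1519) is one long sentence; consider splitting it after "CVE database". Since this variable replaces ${PV} for matching against the NIST database, a wrong value makes cve-check compare against the wrong upstream version and miss applicable CVEs, so a short caveat that the value must be the upstream release version exactly as published in the CVE database would help readers set it safely.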
@@ -7278,6 +7290,88 @@ system and gives an overview of their function and contents.
7278 7290
7279 You can specify only a single URL in :term:`SOURCE_MIRROR_URL`. 7291 You can specify only a single URL in :term:`SOURCE_MIRROR_URL`.
7280 7292
7293 :term:`SPDX_ARCHIVE_PACKAGED`
7294 This option allows to add to :term:`SPDX` output compressed archives
7295 of the files in the generated target packages.
7296
7297 Such archives are available in
7298 ``tmp/deploy/spdx/MACHINE/packages/packagename.tar.zst``
7299 under the :term:`Build Directory`.
7300
7301 Enable this option as follows::
7302
7303 SPDX_ARCHIVE_PACKAGED = "1"
7304
7305 According to our tests on release 4.1 "langdale", building
7306 ``core-image-minimal`` for the ``qemux86-64`` machine, enabling this
7307 option multiplied the size of the ``tmp/deploy/spdx`` directory by a
7308 factor of 13 (+1.6 GiB for this image), compared to just using the
7309 :ref:`create-spdx <ref-classes-create-spdx>` class with no option.
7310
7311 Note that this option doesn't increase the size of :term:`SPDX`
7312 files in ``tmp/deploy/images/MACHINE``.
7313
7314 :term:`SPDX_ARCHIVE_SOURCES`
7315 This option allows to add to :term:`SPDX` output compressed archives
7316 of the sources for packages installed on the target. It currently
7317 only works when :term:`SPDX_INCLUDE_SOURCES` is set.
7318
7319 This is one way of fulfilling "source code access" license
7320 requirements.
7321
7322 Such source archives are available in
7323 ``tmp/deploy/spdx/MACHINE/recipes/recipe-packagename.tar.zst``
7324 under the :term:`Build Directory`.
7325
7326 Enable this option as follows::
7327
7328 SPDX_INCLUDE_SOURCES = "1"
7329 SPDX_ARCHIVE_SOURCES = "1"
7330
7331 According to our tests on release 4.1 "langdale", building
7332 ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
7333 these options multiplied the size of the ``tmp/deploy/spdx``
7334 directory by a factor of 11 (+1.4 GiB for this image),
7335 compared to just using the :ref:`create-spdx <ref-classes-create-spdx>`
7336 class with no option.
7337
7338 Note that using this option only marginally increases the size
7339 of the :term:`SPDX` output in ``tmp/deploy/images/MACHINE/``
7340 (+ 0.07\% with the tested image), compared to just enabling
7341 :term:`SPDX_INCLUDE_SOURCES`.
7342
7343 :term:`SPDX_INCLUDE_SOURCES`
7344 This option allows to add a description of the source files used to build
7345 the host tools and the target packages, to the ``spdx.json`` files in
7346 ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`.
7347 As a consequence, the ``spdx.json`` files under the ``by-namespace`` and
7348 ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also
7349 modified to include references to such source file descriptions.
7350
7351 Enable this option as follows::
7352
7353 SPDX_INCLUDE_SOURCES = "1"
7354
7355 According to our tests on release 4.1 "langdale", building
7356 ``core-image-minimal`` for the ``qemux86-64`` machine, enabling
7357 this option multiplied the total size of the ``tmp/deploy/spdx``
7358 directory by a factor of 3 (+291 MiB for this image),
7359 and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in
7360 ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this
7361 image), compared to just using the
7362 :ref:`create-spdx <ref-classes-create-spdx>` class with no option.
7363
7364 :term:`SPDX_PRETTY`
7365 This option makes the SPDX output more human-readable, using
7366 identation and newlines, instead of the default output in a
7367 single line::
7368
7369 SPDX_PRETTY = "1"
7370
7371 The generated SPDX files are approximately 20% bigger, but
7372 this option is recommended if you want to inspect the SPDX
7373 output files with a text editor.
7374
7281 :term:`SPDXLICENSEMAP` 7375 :term:`SPDXLICENSEMAP`
7282 Maps commonly used license names to their SPDX counterparts found in 7376 Maps commonly used license names to their SPDX counterparts found in
7283 ``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP` 7377 ``meta/files/common-licenses/``. For the default :term:`SPDXLICENSEMAP`
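Review bot: "identation" on line 7366 should be "indentation", and "This option allows to add" (lines 7294, 7315 and 7344) is not grammatical; use "This option allows you to add" or "Setting this option adds". The backslash in "+ 0.07\%" on line 7340 is unnecessary, "%" has no special meaning in reStructuredText and line 7371 already writes "20%" unescaped, so drop it for consistency. Minor: line 7339 writes ``tmp/deploy/images/MACHINE/`` with a trailing slash while lines 7312 and 7360 write the same path without one; pick one form.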