| Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame^] | 1 | .. SPDX-License-Identifier: CC-BY-SA-2.0-UK |
| 2 | |
| 3 | Creating a Software Bill of Materials |
| 4 | ************************************* |
| 5 | |
| 6 | Once you are able to build an image for your project, once the licenses for |
| 7 | each software component are all identified (see |
| 8 | ":ref:`dev-manual/licenses:working with licenses`") and once vulnerability |
| 9 | fixes are applied (see ":ref:`dev-manual/vulnerabilities:checking |
| 10 | for vulnerabilities`"), the OpenEmbedded build system can generate |
| 11 | a description of all the components you used, their licenses, their dependencies, |
| 12 | their sources, the changes that were applied to them and the known |
| 13 | vulnerabilities that were fixed. |
| 14 | |
| 15 | This description is generated in the form of a *Software Bill of Materials* |
| 16 | (:term:`SBOM`), using the :term:`SPDX` standard. |
| 17 | |
| 18 | When you release software, this is the most standard way to provide information |
| 19 | about the Software Supply Chain of your software image and SDK. The |
| 20 | :term:`SBOM` tooling is often used to ensure open source license compliance by |
| 21 | providing the license texts used in the product which legal departments and end |
| 22 | users can read in standardized format. |
| 23 | |
| 24 | :term:`SBOM` information is also critical to performing vulnerability exposure |
| 25 | assessments, as all the components used in the Software Supply Chain are listed. |
| 26 | |
| 27 | The OpenEmbedded build system doesn't generate such information by default. |
| 28 | To make this happen, you must inherit the |
| 29 | :ref:`ref-classes-create-spdx` class from a configuration file:: |
| 30 | |
| 31 | INHERIT += "create-spdx" |
| 32 | |
| 33 | You then get :term:`SPDX` output in JSON format as an |
| 34 | ``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the |
| 35 | :term:`Build Directory`. |
| 36 | |
| 37 | This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json`` |
| 38 | containing an index of JSON :term:`SPDX` files for individual recipes, together |
| 39 | with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such |
| 40 | files. |
| 41 | |
| 42 | The :ref:`ref-classes-create-spdx` class offers options to include |
| 43 | more information in the output :term:`SPDX` data, such as making the generated |
| 44 | files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of |
| 45 | the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`), |
| 46 | adding a description of the source files used to generate host tools and target |
| 47 | packages (:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source |
| 48 | files themselves (:term:`SPDX_ARCHIVE_SOURCES`). |
| 49 | |
| 50 | Though the toplevel :term:`SPDX` output is available in |
| 51 | ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary |
| 52 | generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as: |
| 53 | |
| 54 | - The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst`` |
| 55 | archive. |
| 56 | |
| 57 | - Compressed archives of the files in the generated target packages, |
| 58 | in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED` |
| 59 | is set). |
| 60 | |
| 61 | - Compressed archives of the source files used to build the host tools |
| 62 | and the target packages in ``recipes/recipe-packagename.tar.zst`` |
| 63 | (when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill |
| 64 | "source code access" license requirements. |
| 65 | |
| 66 | See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX` |
| 67 | project website for a list of tools to consume and transform the :term:`SPDX` |
| 68 | data generated by the OpenEmbedded build system. |
| 69 | |