Creating an SBOM in Yocto
As software supply chain security becomes increasingly critical, and with the introduction of the Cyber Resilience Act, generating a Software Bill of Materials (SBOM) is now a requirement for embedded Linux systems.
An SBOM is a detailed inventory of all software components, libraries, and dependencies included in a system. It helps developers, security teams, and auditors understand what’s inside a software package, enabling better vulnerability management and compliance.
Starting with Yocto 4.0 (Kirkstone), an SBOM using the SPDX standard can be generated at build time.
To enable SBOM generation add the following line to your conf/local.conf or any other configuration file:
Start your build again by running the bitbake <your-image-name> command.
A compressed archive tmp/deploy/images/<machine>/IMAGE-MACHINE.spdx.tar.zst will be created; it contains the index and the SPDX documents for each recipe in your image.
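The archive is only useful if something reads it. The script below is an added example (not part of the original article and not F&S or Yocto project code) that enumerates the packages, versions, concluded licenses and CPE identifiers from SPDX 2.2 JSON documents of the kind found in the archive, and flags packages whose license is still NOASSERTION. The embedded document is a constructed sample, not real Yocto output; the assumption that per-recipe members inside the tar end in `.spdx.json` is also mine. The stdlib tarfile cannot read zstd, so decompress the archive first (`zstd -d IMAGE-MACHINE.spdx.tar.zst`) and pass the resulting `.tar` to `inventory_from_tar`.

```python
"""Enumerate components from SPDX 2.2 JSON documents such as the ones Yocto
writes into IMAGE-MACHINE.spdx.tar.zst (sample data below is constructed)."""
import json
import tarfile
from typing import Dict, List

# Constructed sample resembling one per-recipe SPDX document; package names,
# versions and the CPE are made up for this example.
SAMPLE_SPDX = r'''
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.2",
  "name": "recipe-example-lib",
  "packages": [
    {
      "SPDXID": "SPDXRef-Recipe-example-lib",
      "name": "example-lib",
      "versionInfo": "1.2.3",
      "licenseConcluded": "MIT",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*"
        }
      ]
    },
    {
      "SPDXID": "SPDXRef-Package-example-lib-dev",
      "name": "example-lib-dev",
      "versionInfo": "1.2.3",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "MIT"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Package-example-lib-dev",
      "relationshipType": "GENERATED_FROM",
      "relatedSpdxElement": "SPDXRef-Recipe-example-lib"
    }
  ]
}
'''


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SPDX)


def inventory(doc: dict) -> List[Dict[str, object]]:
    """One row per SPDX package: id, name, version, concluded license, CPEs."""
    rows = []
    for pkg in doc.get("packages", []):
        cpes = [ref["referenceLocator"]
                for ref in pkg.get("externalRefs", [])
                if ref.get("referenceType") == "cpe23Type"]
        rows.append({"id": pkg["SPDXID"],
                     "name": pkg.get("name", ""),
                     "version": pkg.get("versionInfo", "NOASSERTION"),
                     "license": pkg.get("licenseConcluded", "NOASSERTION"),
                     "cpes": cpes})
    return rows


def unresolved_licenses(doc: dict) -> List[str]:
    """Packages whose concluded license is NOASSERTION and need manual review."""
    return [r["name"] for r in inventory(doc) if r["license"] == "NOASSERTION"]


def relationships_of(doc: dict, spdx_id: str) -> List[str]:
    """Readable 'A TYPE B' lines for every relationship that involves spdx_id."""
    return [f'{r["spdxElementId"]} {r["relationshipType"]} {r["relatedSpdxElement"]}'
            for r in doc.get("relationships", [])
            if spdx_id in (r["spdxElementId"], r["relatedSpdxElement"])]


def inventory_from_tar(tar_path: str) -> List[Dict[str, object]]:
    """Collect the inventory of every *.spdx.json member of an already
    decompressed IMAGE-MACHINE.spdx.tar (member suffix is an assumption)."""
    rows = []
    with tarfile.open(tar_path) as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".spdx.json"):
                rows.extend(inventory(json.load(tar.extractfile(member))))
    return rows


if __name__ == "__main__":
    doc = load_sample()
    for row in inventory(doc):
        print(f'{row["name"]:20} {row["version"]:10} {row["license"]:12} {",".join(row["cpes"])}')
    print("license review needed:", unresolved_licenses(doc))
```

The CPE list is what a vulnerability scanner matches against NVD data, so a package without a CPE is as much a gap in the SBOM as a NOASSERTION license; both are worth tracking before the SBOM is handed on.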
You can configure the SPDX generation by adding the following lines to your configuration file:
- SPDX_PRETTY = "1": makes the JSON files more human readable, but increases the SBOM size
- SPDX_ARCHIVE_PACKAGED = "1": adds compressed archives of the files in the generated target packages
- SPDX_INCLUDE_SOURCES = "1": adds a description of the source files used to generate host tools and target packages
- SPDX_ARCHIVE_SOURCES = "1": adds archives of these source files themselves
The additional files and archives can be found at tmp/deploy/spdx/, including:
- Compressed archives of the files in the generated target packages
- Compressed archives of the source files
You can also find the SPDX document in JSON format for U-Boot in this directory. Because U-Boot is not part of the image by default, it is not added to the SBOM automatically; you will have to add it manually to IMAGE-MACHINE.spdx.tar.zst.
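A tar archive cannot be appended to while it is zstd-compressed, so the manual step is: decompress, append, recompress. The script below is an added example (not from the original article, nor F&S or Yocto code) that performs the middle step with the stdlib tarfile, refusing files that do not parse as SPDX JSON and skipping members that are already present, so running it twice does not duplicate the U-Boot document. The file names and document contents in `demo_merge` are constructed; run `zstd -d IMAGE-MACHINE.spdx.tar.zst` before and `zstd IMAGE-MACHINE.spdx.tar` afterwards.

```python
"""Append an SPDX JSON document that is not part of the image (for example the
U-Boot one from tmp/deploy/spdx/) to the decompressed image SBOM tar."""
import json
import os
import tarfile
import tempfile
from typing import List, Optional


def validate_spdx_json(path: str) -> str:
    """Parse the file and return its document name; raise if it is not an
    SPDX JSON document so that garbage never ends up in the SBOM."""
    with open(path, "rb") as fh:
        doc = json.load(fh)
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT" or "packages" not in doc:
        raise ValueError(f"{path} does not look like an SPDX JSON document")
    return doc["name"]


def append_spdx_document(tar_path: str, spdx_json: str,
                         arcname: Optional[str] = None) -> List[str]:
    """Append spdx_json to the uncompressed tar at tar_path unless a member
    with the same name already exists; return the member names afterwards."""
    validate_spdx_json(spdx_json)
    arcname = arcname or os.path.basename(spdx_json)
    with tarfile.open(tar_path, "r") as tar:
        existing = tar.getnames()
    if arcname not in existing:
        with tarfile.open(tar_path, "a") as tar:   # "a" only works on plain tar
            tar.add(spdx_json, arcname=arcname)
    with tarfile.open(tar_path, "r") as tar:
        return tar.getnames()


def _write_doc(path: str, name: str) -> None:
    """Write a minimal constructed SPDX document (example data only)."""
    with open(path, "w") as fh:
        json.dump({"SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.2",
                   "name": name, "packages": []}, fh)


def demo_merge() -> List[str]:
    """Build a constructed image SBOM tar and a constructed U-Boot document in a
    temporary directory, append the document twice and return the member list
    (the second append must be a no-op)."""
    with tempfile.TemporaryDirectory() as work:
        recipe = os.path.join(work, "recipe-example.spdx.json")
        uboot = os.path.join(work, "u-boot-example.spdx.json")
        sbom = os.path.join(work, "IMAGE-MACHINE.spdx.tar")
        _write_doc(recipe, "recipe-example")
        _write_doc(uboot, "u-boot-example")
        with tarfile.open(sbom, "w") as tar:
            tar.add(recipe, arcname="recipe-example.spdx.json")
        append_spdx_document(sbom, uboot)
        return append_spdx_document(sbom, uboot)


if __name__ == "__main__":
    print(demo_merge())
```

For a real build, call `append_spdx_document("tmp/deploy/images/<machine>/IMAGE-MACHINE.spdx.tar", "<path to the U-Boot .spdx.json under tmp/deploy/spdx/>")` with the paths from your own build tree (both are placeholders here).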
Your F&S Support Team