Generate SBOM with Yocto on Linux

Generate your .zst file using Yocto on Linux

Although we try to ensure that 3rd-party information is still accurate, you should check Yocto's SBOM documentation to make sure there haven't been any changes since we last checked this.

  1. Inherit create-spdx class: Ensure that your Yocto configuration file inherits the create-spdx class by adding the following line:

    INHERIT += "create-spdx"
  2. Build the image: Proceed with building the image using the standard Yocto build process.

  3. Locate the SBOM files: After the build process, you'll see three different outputs. All are listed here to guide you, but you must only use the third one, the .tar.zst archive. These items are copied directly from the Yocto documentation.

  • SPDX output in JSON format as in IMAGE-MACHINE.spdx.json in tmp/deploy/images/MACHINE in your build directory.

  • This top-level file also has an IMAGE-MACHINE.spdx.index.json containing an index of SPDX files for individual recipes.

  • The compressed archive IMAGE-MACHINE.spdx.tar.zst, which contains the index and files for the single recipes.

Convert your .zst file to a zipped format (.tar.gz or .zip)

  1. Navigate to the directory that has the .zst file.

  2. Run this command to extract the archive, which contains your individual SBOM files. Replace filename with your actual image name (in the bullets above from Yocto's docs, this is their IMAGE-MACHINE); the archive name ends in .spdx.tar.zst.

tar --zstd -xvf filename.spdx.tar.zst

  3. Create a directory with the name you want to give your zip file.

  4. Navigate into that directory, then create a subdirectory named packages in it.

  5. Copy the individual SBOM files into the packages subdirectory.

  6. Run one of these commands to archive the parent directory, excluding hidden files. In this example, we've used zst_sbom as the directory and file name.

Create .tar.gz

COPYFILE_DISABLE=1 tar --exclude='.*' -zcvf zst_sbom.tar.gz zst_sbom

Create .zip

zip -r zst_sbom.zip zst_sbom -x '**/.*'

When creating a .zip on a Mac, add -x '**/__MACOSX' after the command. This does not work for creating a .tar.gz.

  7. Once you've converted the file to either .tar.gz or .zip, you can upload your SBOM to Helm.
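The whole conversion above, scripted for Linux with GNU tar, as an added example that is not MedCrypt's, Helm's or Yocto's own tooling. The function names, the NAME/packages layout, the choice to copy only *.spdx.json files (leaving out the *.spdx.index.json index) and the constructed sample tree are this example's assumptions; the exclusion flags are the ones from the commands above.

```shell
#!/bin/sh
# Added example (not MedCrypt's, Helm's or Yocto's own tooling): automates the
# conversion of a Yocto IMAGE-MACHINE.spdx.tar.zst into a .tar.gz/.zip on
# Linux with GNU tar. Function names, the packages/ layout and the sample
# tree are this example's own assumptions.

# Steps 1-2: unpack IMAGE-MACHINE.spdx.tar.zst into DEST. Needs a tar with
# zstd support (GNU tar 1.31 or newer plus the zstd binary).
extract_spdx_archive() {
    archive="$1"
    dest="$2"
    mkdir -p "$dest"
    tar --zstd -xf "$archive" -C "$dest"
}

# Steps 3-6: create NAME/packages under WORKDIR, copy every per-recipe
# *.spdx.json found below SRC_DIR into it (the *.spdx.index.json index and
# AppleDouble ._* strays are left out), then archive NAME as NAME.tar.gz and,
# when the zip tool is installed, NAME.zip. Prints the path of the .tar.gz.
package_sbom() {
    src_dir="$1"
    name="$2"
    workdir="$3"
    mkdir -p "$workdir/$name/packages"
    find "$src_dir" -type f -name '*.spdx.json' ! -name '.*' \
        -exec cp {} "$workdir/$name/packages/" \;
    # COPYFILE_DISABLE=1 keeps macOS tar from adding ._* resource forks;
    # --exclude='.*' drops dotfiles (e.g. .DS_Store) already in the tree.
    (
        cd "$workdir" &&
        COPYFILE_DISABLE=1 tar --exclude='.*' -zcf "$name.tar.gz" "$name"
    )
    if command -v zip >/dev/null 2>&1; then
        ( cd "$workdir" && zip -qr "$name.zip" "$name" -x '**/.*' )
    fi
    echo "$workdir/$name.tar.gz"
}

# List the members of a .tar.gz so the layout can be checked before upload.
list_members() {
    tar -tzf "$1"
}

# Constructed sample standing in for an extracted IMAGE-MACHINE.spdx.tar.zst:
# two per-recipe documents (one in a subdirectory), the index file and an
# AppleDouble stray. Real trees come from extract_spdx_archive.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/sub"
    printf '{"spdxVersion": "SPDX-2.2"}\n' > "$dir/busybox.spdx.json"
    printf '{"spdxVersion": "SPDX-2.2"}\n' > "$dir/sub/glibc.spdx.json"
    printf '{}\n' > "$dir/core-image-minimal.spdx.index.json"
    printf 'stray\n' > "$dir/._busybox.spdx.json"
}

if [ "$#" -eq 3 ]; then
    # usage: sh package_sbom.sh IMAGE-MACHINE.spdx.tar.zst zst_sbom /path/to/out
    extract_spdx_archive "$1" "$3/extracted"
    package_sbom "$3/extracted" "$2" "$3"
else
    # No arguments: run on the constructed sample and show what would be uploaded.
    demo=$(mktemp -d)
    make_sample_tree "$demo/src"
    list_members "$(package_sbom "$demo/src" zst_sbom "$demo")"
    rm -rf "$demo"
fi
```

Run it with no arguments to see the member list produced from the sample tree (zst_sbom/packages/busybox.spdx.json and zst_sbom/packages/glibc.spdx.json, with the index file and the ._ stray absent), or with the archive, the name and an output directory to convert a real build. The `find ... ! -name '.*'` filter and `--exclude='.*'` do the same job as the `-x '**/.*'` exclusion in the zip command: nothing hidden ends up in the upload.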

© Copyright MedCrypt 2023, All rights reserved.