# Generate SBOM with Yocto on Linux

## Generate your .zst file using Yocto on Linux

{% hint style="info" %}
Although we try to ensure that 3rd-party information is still accurate, you should check [Yocto's SBOM documentation](https://docs.yoctoproject.org/dev/dev-manual/sbom.html) to make sure there haven't been any changes since we last checked this.
{% endhint %}

1. **Inherit `create-spdx` class**: Ensure that your Yocto configuration file inherits the `create-spdx` class by adding the following line:

   ```makefile
   INHERIT += "create-spdx"
   ```
2. **Build the image**: Proceed with building the image using the standard Yocto build process.
3. **Locate the SBOM files**: After the build, you'll see three different outputs. All three are listed here for reference, but you must **use only the third one (in bold)**. These items are copied directly from the Yocto documentation.

* SPDX output in JSON format as in `IMAGE-MACHINE.spdx.json` in `tmp/deploy/images/MACHINE` in your build directory.
* This top-level file also has an `IMAGE-MACHINE.spdx.index.json` containing an index of SPDX files for individual recipes
* **The compressed archive `IMAGE-MACHINE.spdx.tar.zst`, which contains the index and files for the single recipes.**

## Convert your .zst file to a zipped format (.tar.gz or .zip)

1. Navigate to the directory that has the .zst file.
2. Run this command to extract the archive, which contains your individual SBOM files. Replace `filename.zst` with the name of your `.zst` file (the `IMAGE-MACHINE.spdx.tar.zst` archive in the bullets above from Yocto's docs).

   ```bash
   tar --zstd -xvf filename.zst
   ```
3. Create a directory with the name of what you want to name your zip file.
4. Navigate into that directory, then create the subdirectory, `packages`, in this directory.
5. Copy the individual SBOM files into this directory.
6. Run one of these commands to zip the parent directory. In this example, we've used `zst_sbom` as the file name.

**Create .tar.gz**

{% code overflow="wrap" %}

```bash
COPYFILE_DISABLE=1 tar -zcvf zst_sbom.tar.gz zst_sbom
```

{% endcode %}

**Create .zip**

{% code overflow="wrap" %}

```
zip -r zst_sbom.zip zst_sbom -x '**/.*'
```

{% endcode %}

When creating a `.zip` on a Mac, add `-x '**/__MACOSX'` after the command. This does not work for creating a `.tar.gz`.

7. Once you've converted the file to either `.tar.gz` or `.zip`, you can [upload your SBOM](/get-started/upload-your-first-sbom.md) to Helm.
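The repackaging steps above can be scripted so that hidden files never reach the upload. This is an added example, not part of the Helm or Yocto documentation; the function names `package_sboms` and `hidden_entries` are illustrative, and it assumes the archive was already extracted with the `tar --zstd` command and that the individual SBOM files end in `.spdx.json`.

```shell
# Added example: build NAME/packages from an extracted Yocto SPDX archive
# and write NAME.tar.gz. Names and the .spdx.json suffix are assumptions.

# package_sboms SRC_DIR NAME [OUT_DIR]
#   SRC_DIR: directory where the .zst archive was extracted
#   NAME:    archive base name (the page uses zst_sbom)
# Prints the number of SBOM files packaged.
package_sboms() {
  src=$1 name=$2
  out=$(cd "${3:-.}" && pwd) || return 1
  [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
  stage=$(mktemp -d) || return 1
  mkdir -p "$stage/$name/packages"
  # Copy only regular *.spdx.json files. Dotfiles such as .DS_Store and
  # AppleDouble ._* files are skipped, so no exclude flags are needed.
  # Files with the same name in different subdirectories overwrite each other.
  find "$src" -type f -name '*.spdx.json' ! -name '.*' \
    -exec cp {} "$stage/$name/packages/" \;
  count=$(find "$stage/$name/packages" -type f | wc -l | tr -d ' ')
  if [ "$count" -eq 0 ]; then
    echo "no .spdx.json files found under $src" >&2
    rm -rf "$stage"
    return 1
  fi
  # COPYFILE_DISABLE=1 stops macOS tar from adding ._ resource-fork entries.
  COPYFILE_DISABLE=1 tar -czf "$out/$name.tar.gz" -C "$stage" "$name"
  rm -rf "$stage"
  echo "$count"
}

# hidden_entries ARCHIVE.tar.gz
#   Prints any archive member whose last path component starts with a dot.
hidden_entries() {
  tar -tzf "$1" | grep -E '(^|/)\.[^/]+/?$' || true
}
```

Call it as `package_sboms ./extracted zst_sbom`, then run `hidden_entries zst_sbom.tar.gz`; empty output means the archive holds only the `zst_sbom/packages/` tree.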


