© Copyright MedCrypt 2024, All rights reserved.

Generate SBOM with Yocto on Linux


Last updated 1 year ago


Generate your .zst file using Yocto on Linux

Although we try to ensure that 3rd-party information is still accurate, you should check to make sure there haven't been any changes since we last checked this.

  1. Inherit create-spdx class: Ensure that your Yocto configuration file inherits the create-spdx class by adding the following line:

    INHERIT += "create-spdx"
  2. Build the image: Proceed with building the image using the standard Yocto build process.

  3. Locate the SBOM files: After the build process, you'll see three different outputs. All are provided here to guide you, but you must only use the third one (in bold). These items are copied directly from Yocto documentation.

  • SPDX output in JSON format as in IMAGE-MACHINE.spdx.json in tmp/deploy/images/MACHINE in your build directory.

  • This top-level file also has an IMAGE-MACHINE.spdx.index.json containing an index of SPDX files for individual recipes

  • The compressed archive IMAGE-MACHINE.spdx.tar.zst, which contains the index and files for the single recipes.

Convert your .zst file to a zipped format (.tar.gz or .zip)

  1. Navigate to the directory that has the .zst file.

  2. Run this command to unzip this file, which contains your individual SBOM files. Replace filename with your actual file name (in the bullets above from Yocto's docs, this is their IMAGE-MACHINE).

tar --zstd -xvf filename.zst

  3. Create a directory with the name of what you want to name your zip file.

  4. Navigate into that directory, then create the subdirectory, packages, in this directory.

  5. Copy the individual SBOM files into this directory.

  6. Run this command to zip the parent directory. In this example, we've used zst_sbom as the file name.

Create .tar.gz

COPYFILE_DISABLE=1 tar -zcvf zst_sbom.tar.gz zst_sbom

Create .zip

zip -r zst_sbom.zip zst_sbom -x '**/.*'

When creating a .zip for Mac, add: -x '**/__MACOSX' after the command. This does not work for creating a .tar.gz.

Once you've converted the file to either .tar.gz or .zip, you can upload your SBOM to Helm.
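
The repackaging procedure above as one script, with a check of the finished .tar.gz before upload. This is an added example, not taken from the Helm or Yocto documentation; the function names, the repack.sh script name, the .extracted suffix and the choice to copy the files into packages/ are assumptions. It builds the .tar.gz only.

```sh
# Added example (not from the Helm or Yocto docs). Run it from the directory
# that should hold NAME/ and NAME.tar.gz. POSIX sh; needs tar, find, awk.

# Unpack the Yocto .zst archive into its own directory.
extract_zst() {   # extract_zst ARCHIVE.zst OUT_DIR
  mkdir -p "$2" && tar --zstd -xf "$1" -C "$2"
}

# Create NAME/packages/ and copy the individual SBOM files into it.
# Assumption: the files belong in packages/. Dotfiles such as .DS_Store
# and AppleDouble ._* copies are skipped at copy time.
stage_sboms() {   # stage_sboms EXTRACTED_DIR NAME
  mkdir -p "$2/packages" &&
    find "$1" -type f ! -name '.*' -exec cp {} "$2/packages/" \;
}

# Archive the parent directory. COPYFILE_DISABLE=1 stops macOS tar from
# adding ._* entries; it has no effect on Linux.
make_targz() {    # make_targz NAME
  COPYFILE_DISABLE=1 tar -zcf "$1.tar.gz" "$1"
}

# Pre-upload check: list the archive and fail if any entry lies outside
# NAME/packages/ or has a path component that is hidden or __MACOSX.
check_targz() {   # check_targz NAME ; exit status 0 means clean
  tar -tzf "$1.tar.gz" | awk -v root="$1" '
    $0 == root "/" || $0 == root "/packages/" { next }
    index($0, root "/packages/") != 1 { bad = 1; print "unexpected: " $0 }
    /^\./ || /\/\./ || /__MACOSX/     { bad = 1; print "metadata: " $0 }
    END { exit bad + 0 }'
}

# Whole procedure: sh repack.sh IMAGE-MACHINE.spdx.tar.zst zst_sbom
if [ "$#" -eq 2 ]; then
  extract_zst "$1" "$2.extracted" &&
    stage_sboms "$2.extracted" "$2" &&
    make_targz "$2" &&
    check_targz "$2" &&
    echo "$2.tar.gz passed the layout check"
fi
```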
