Generate SBOM with Yocto on Linux
Last updated
Was this helpful?
Last updated
Was this helpful?
Inherit create-spdx class: Ensure that your Yocto configuration file inherits the create-spdx class by adding the following line:
Build the image: Proceed with building the image using the standard Yocto build process.
Locate the SBOM files: After the build process, you'll see three different outputs. All are provided here to guide you, but you must only use the third one (in bold). These items are copied directly from Yocto documentation.
SPDX output in JSON format as in IMAGE-MACHINE.spdx.json in tmp/deploy/images/MACHINE in your build directory.
This top-level file also has an IMAGE-MACHINE.spdx.index.json containing an index of SPDX files for individual recipes
The compressed archive IMAGE-MACHINE.spdx.tar.zst, which contains the index and files for the single recipes.
Navigate to the directory that has the .zst file.
Run this command to unzip this file, which contains your individual SBOM files. Replace filename with your actual file name (in the bullets above from Yocto's docs, this is their IMAGE-MACHINE).
tar --zstd -xvf filename.zst
Create a directory with the name of what you want to name your zip file.
Navigate into that directory, then create the subdirectory, packages, in this directory.
Copy the individual SBOM files into this directory.
Run this command to zip the parent directory. In this example, we've used zst_sbom as the file name.
Create .tar.gz
Create .zip
When creating a .zip for Mac, add: -x '**/__MACOSX' after the command. This does not work for creating a .tar.gz.
Once you've converted the file to either .tar.gz or .zip, you can to Helm.