# Generate SBOM with Yocto on Linux

## Generate your .zst file using Yocto on Linux

{% hint style="info" %}
Although we try to ensure that 3rd-party information is still accurate, you should check [Yocto's SBOM documentation](https://docs.yoctoproject.org/dev/dev-manual/sbom.html) to make sure there haven't been any changes since we last checked this.
{% endhint %}

1. **Inherit `create-spdx` class**: Ensure that your Yocto configuration file inherits the `create-spdx` class by adding the following line:

   ```makefile
   INHERIT += "create-spdx"
   ```
2. **Build the image**: Proceed with building the image using the standard Yocto build process.
3. **Locate the SBOM files**: After the build process, you'll see three different outputs. All are provided here to guide you, but you must only **use the third one (in bold)**. These items are copied directly from the Yocto documentation.

* SPDX output in JSON format as an `IMAGE-MACHINE.spdx.json` file in `tmp/deploy/images/MACHINE` in your build directory.
* This top-level file is accompanied by an `IMAGE-MACHINE.spdx.index.json` file containing an index of SPDX files for individual recipes.
* **The compressed archive `IMAGE-MACHINE.spdx.tar.zst`, which contains the index and files for the single recipes.**

## Convert your .zst file to a zipped format (.tar.gz or .zip)

1. Navigate to the directory that has the .zst file.
2. Run this command to extract the archive, which contains your individual SBOM files. Replace `filename` with your actual file name (in the bullets above from Yocto's docs, this is their `IMAGE-MACHINE`).

   ```bash
   tar --zstd -xvf filename.zst
   ```

3. Create a directory with the name you want to give your zip file.
4. Navigate into that directory, then create a `packages` subdirectory inside it.
5. Copy the individual SBOM files into this directory.
6. Run one of these commands to archive the parent directory. In this example, we've used `zst_sbom` as the file name.

**Create .tar.gz**

{% code overflow="wrap" %}

```bash
COPYFILE_DISABLE=1 tar -zcvf zst_sbom.tar.gz zst_sbom
```

{% endcode %}

**Create .zip**

{% code overflow="wrap" %}

```bash
zip -r zst_sbom.zip zst_sbom -x '**/.*'
```

{% endcode %}

When creating a `.zip` on a Mac, add `-x '**/__MACOSX'` after the command. This does not work for creating a `.tar.gz`.

7. Once you've converted the file to either `.tar.gz` or `.zip`, you can [upload your SBOM](https://helm.docs.medcrypt.com/get-started/upload-your-first-sbom) to Helm.
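The staging and `.tar.gz` steps above can be scripted and the result checked before upload. The following is an added example, not code from Yocto or Helm: the function names and the `extracted` directory are hypothetical, and it assumes the archive has already been extracted and that the individual SBOM files are the `*.json` files and belong in `packages/`.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes the .zst archive was already
# extracted into SRC_DIR, a directory separate from NAME/.

# stage_sbom SRC_DIR NAME: copy every *.json under SRC_DIR into NAME/packages/,
# skipping hidden files and macOS AppleDouble "._*" copies.
stage_sbom() {
    src=$1; name=$2
    mkdir -p "$name/packages" || return 1
    find "$src" -type f -name '*.json' ! -name '.*' \
        -exec cp {} "$name/packages/" \;
    [ -n "$(ls "$name/packages")" ]   # fail if nothing was staged
}

# pack_sbom NAME: create NAME.tar.gz from NAME/. COPYFILE_DISABLE=1 keeps
# macOS tar from adding "._*" entries; other platforms ignore it.
pack_sbom() {
    COPYFILE_DISABLE=1 tar -zcf "$1.tar.gz" "$1"
}

# check_sbom_archive ARCHIVE NAME: succeed only if every entry is NAME/,
# NAME/packages/ or a path below NAME/packages/, with no hidden or
# __MACOSX entries.
check_sbom_archive() {
    listing=$(tar -tzf "$1") || return 1
    [ -n "$listing" ] || return 1
    while IFS= read -r entry; do
        case $entry in
            */.*|*__MACOSX*)
                echo "unexpected entry: $entry" >&2; return 1 ;;
            "$2/"|"$2/packages/"|"$2/packages/"*) ;;
            *)
                echo "outside $2/packages/: $entry" >&2; return 1 ;;
        esac
    done <<EOF
$listing
EOF
}

# Usage, run from the directory that will hold NAME/:
#   stage_sbom extracted zst_sbom && pack_sbom zst_sbom &&
#       check_sbom_archive zst_sbom.tar.gz zst_sbom
```

A non-zero exit from `check_sbom_archive` names the first offending entry on stderr, so a stray `.DS_Store` or a misplaced file is caught locally rather than after upload.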
