Although we try to ensure that third-party information is still accurate, you should check Yocto's SBOM documentation to make sure there haven't been any changes since we last checked this.
1. Inherit the create-spdx class: ensure that your Yocto configuration file (typically local.conf) inherits the create-spdx class by adding the INHERIT line for it; see Yocto's SBOM documentation for the exact line.

2. Build the image: proceed with building the image using the standard Yocto build process.

3. Locate the SBOM files: after the build finishes, you'll see three different outputs. All three are listed here to guide you, copied directly from Yocto's documentation, but you must use only the third one (the compressed archive):
   - SPDX output in JSON format, as in IMAGE-MACHINE.spdx.json in tmp/deploy/images/MACHINE in your build directory.
   - This top-level file also has an IMAGE-MACHINE.spdx.index.json containing an index of SPDX files for individual recipes.
   - The compressed archive IMAGE-MACHINE.spdx.tar.zst, which contains the index and files for the single recipes. This is the file to use.

4. Navigate to the directory that contains the .zst file.

5. Run this command to extract the archive, which contains your individual SBOM files. Replace filename with your actual file name (in the Yocto bullets above, this is their IMAGE-MACHINE):

   tar --zstd -xvf filename.zst

6. Create a directory with the name you want to give your archive.

7. Navigate into that directory, then create the subdirectory packages in it.

8. Copy the individual SBOM files into that packages subdirectory.

9. Run the command to archive the parent directory. In this example, we've used zst_sbom as the file name.
   - Create .tar.gz
   - Create .zip

   When creating a .zip on a Mac, add -x '**/__MACOSX' after the command. This option does not apply when creating a .tar.gz.

10. Once you've converted the file to either .tar.gz or .zip, you can upload your SBOM to Helm.