Creating a Software Bill of Materials (SBOM) for Yocto build
12/18/2023, 1 min read
Creating a Software Bill of Materials (SBOM) in Yocto
We can generate a Software Bill of Materials (SBOM) in Yocto using the Software Package Data Exchange (SPDX) standard.
Software Package Data Exchange (SPDX) is an open standard for providing a Software Bill of Materials (SBOM). The standard is developed through a Linux Foundation project and is used by the OpenEmbedded Build System to produce an SBOM associated with each software image.
Yocto doesn't generate an SBOM by default; you must inherit the "create-spdx" class from a configuration file (local.conf). Add the following line to your local.conf:
INHERIT += "create-spdx"
Once the build has completed you will find the SPDX output in JSON format as an IMAGE-MACHINE.spdx.json file in tmp/deploy/images/MACHINE/ inside the Build Directory.
This is a top-level file accompanied by IMAGE-MACHINE.spdx.index.json, which contains an index of the JSON SPDX files for the individual recipes, together with IMAGE-MACHINE.spdx.tar.zst, a compressed archive containing all of those files.
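Once the image-level file exists, the next step is usually to read it. The Python below is an added example, not part of the original post or of Yocto itself: it inventories an SPDX 2.x JSON document of that shape and flags packages whose version or concluded licence is NOASSERTION, which is where an SBOM review has to start. The document it parses is a constructed sample with made-up SPDXIDs; the field names follow the SPDX 2.3 JSON schema.

```python
import json

# Constructed sample for this added example, not real Yocto output: a minimal SPDX 2.3
# document with made-up SPDXIDs, packages, and the CONTAINS relationships of the image.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "core-image-minimal-qemux86-64",
    "packages": [
        {"SPDXID": "SPDXRef-busybox", "name": "busybox", "versionInfo": "1.36.1",
         "licenseConcluded": "GPL-2.0-only", "licenseDeclared": "GPL-2.0-only"},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "NOASSERTION",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT"},
        {"SPDXID": "SPDXRef-image", "name": "core-image-minimal",
         "versionInfo": "1.0", "licenseConcluded": "MIT"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": ref} for ref in ("SPDXRef-busybox", "SPDXRef-libfoo")
    ],
})

def load_sbom(text):
    """Parse the JSON and reject anything that is not an SPDX 2.x document."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return doc

def inventory(doc):
    """Map SPDXID -> (name, version, licenseConcluded) for every package."""
    return {p["SPDXID"]: (p["name"], p.get("versionInfo", "NOASSERTION"),
                          p.get("licenseConcluded", "NOASSERTION"))
            for p in doc.get("packages", [])}

def undetermined(doc):
    """Packages whose version or concluded licence is NOASSERTION/NONE: the entries
    a reviewer has to resolve by hand before the SBOM can be relied on."""
    bad = {"NOASSERTION", "NONE"}
    return sorted(n for n, v, lic in inventory(doc).values() if v in bad or lic in bad)

def contained_in(doc, root_id):
    """Names of the packages that root_id directly CONTAINS, per the relationships."""
    pkgs = inventory(doc)
    return sorted(pkgs[r["relatedSpdxElement"]][0] for r in doc.get("relationships", [])
                  if r["spdxElementId"] == root_id and r["relationshipType"] == "CONTAINS"
                  and r["relatedSpdxElement"] in pkgs)

if __name__ == "__main__":  # on a real build, pass open("IMAGE-MACHINE.spdx.json").read()
    print("needs review:", undetermined(load_sbom(SAMPLE_SBOM)))
```

To run it against a real build, pass the contents of tmp/deploy/images/MACHINE/IMAGE-MACHINE.spdx.json to load_sbom; the SPDXIDs of the image and its packages will differ from the sample, so look them up with inventory before calling contained_in.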