The meta-wr-sbom OpenEmbedded/Yocto layer is used to generate Software Bill of Materials (SBOM) of Software Package Data Exchange (SPDX) format for Yocto-based projects. The SBOM file created by the layer using SPDX v2.2 specification will include accurate identification of software components, explicit mapping of relationships between components, and the association of security and licensing information with each component.
Besides, vulnerability detection can be tried using a scanner like Wind River Scanning Tool.
For commercial support options with meta-wr-sbom or Wind River Scanning Tool, please contact Wind River.
- Yocto Project 4.2 (Mickledore)
- Yocto Project 4.1 (Langdale)
- Yocto Project 4.0 (Kirkstone)
- Yocto Project 3.4 (Honister)
- Yocto Project 3.3 (Hardknott)
- Yocto Project 3.2 (Gatesgarth)
- Yocto Project 3.1 (Dunfell)
- Yocto Project 3.0 (Zeus)
- Yocto Project 2.7 (Warrior)
- Yocto Project 2.6 (Thud)
- Yocto Project 2.5 (Sumo)
- Yocto Project 2.4 (Rocko)
- Yocto Project 2.3 (Pyro)
- Yocto Project 2.2 (Morty)
- Wind River Linux LTS23
- Wind River Linux LTS22
- Wind River Linux LTS21
- Wind River Linux LTS19
- Wind River Linux LTS18
- Wind River Linux LTS17
- Wind River Linux 9
Please create a new project to apply this tool to generate SBOM.
Clone the meta-wr-sbom repository (or unpack an archive of it) into the top-level directory of your yocto build project:
git clone https://github.com/Wind-River/meta-wr-sbom
If the Yocto version is lower than 4.2, or the Wind River Linux version is lower than LTS23, please SKIP this step. Otherwise, perform below checkout command:
cd meta-wr-sbom
git checkout 4.2_or_higher
Add the layer path into conf/bblayers.conf file:
BBLAYERS += "/xxx/.../meta-wr-sbom"
bitbake ${image_name}
The SBOM file of your yocto project will be generated as tmp/deploy/images/${machine}/${image_name}.spdx.json.
The gen_spdx.py script is used for generating SBOM for WRLinux 5 - 8.
Generate the old versions WRLinux SBOM
All product names, logos, and brands are property of their respective owners. All company, product and service names used in this software are for identification purposes only. Wind River is a trademark of Wind River Systems, Inc.
Disclaimer of Warranty / No Support: Wind River does not provide support and maintenance services for this software, under Wind River’s standard Software Support and Maintenance Agreement or otherwise. Unless required by applicable law, Wind River provides the software (and each contributor provides its contribution) on an “AS IS” BASIS, WITHOUT WARRANTIES OF ANY KIND, either express or implied, including, without limitation, any warranties of TITLE, NONINFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the software and assume any risks associated with your exercise of permissions under the license.