
A CLI tool for generating a Software Bill of Materials (SBOM) from Yocto Project.


Wind-River/meta-wr-sbom


Overview

The meta-wr-sbom OpenEmbedded/Yocto layer generates a Software Bill of Materials (SBOM) in the Software Package Data Exchange (SPDX) format for Yocto-based projects. The SBOM file the layer creates follows the SPDX v2.2 specification and includes accurate identification of software components, explicit mapping of the relationships between components, and the association of security and licensing information with each component.
In addition, vulnerability detection can be attempted with a scanner such as the Wind River Scanning Tool.
For commercial support options for meta-wr-sbom or the Wind River Scanning Tool, please contact Wind River.


Supported Yocto Project Versions


Quick Start

Requirement

Create a new build project before applying this tool to generate an SBOM.

Getting meta-wr-sbom

Clone the meta-wr-sbom repository (or unpack an archive of it) into the top-level directory of your Yocto build project:

git clone https://github.com/Wind-River/meta-wr-sbom

If your Yocto version is lower than 4.2, or your Wind River Linux version is lower than LTS23, SKIP this step. Otherwise, run the checkout commands below:

cd meta-wr-sbom
git checkout 4.2_or_higher

Adding the meta-wr-sbom layer to Your Build

Add the layer path to your conf/bblayers.conf file:

BBLAYERS += "/xxx/.../meta-wr-sbom"

Generating SBOM File

bitbake ${image_name}

The SBOM file for your Yocto project will be generated as tmp/deploy/images/${machine}/${image_name}.spdx.json.
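As an added example (not code from the layer or its README), the following Python reads an SPDX 2.2 JSON document of the kind described above and pulls out the component, relationship and license information the Overview mentions, plus a check for packages that lack a version and so cannot be matched against advisories. The SBOM content is constructed inline as a sample, and the helper names are my own.

```python
import json
# Constructed sample in the shape of an SPDX 2.2 JSON SBOM (not real build output).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "packages": [
        {"SPDXID": "SPDXRef-Package-image", "name": "core-image-minimal",
         "versionInfo": "1.0", "licenseDeclared": "MIT"},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
         "versionInfo": "3.0.8", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox",
         "versionInfo": "1.36.0", "licenseDeclared": "GPL-2.0-only"},
        {"SPDXID": "SPDXRef-Package-libsample", "name": "libsample",
         "licenseDeclared": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-openssl"},
        {"spdxElementId": "SPDXRef-Package-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-busybox"},
        {"spdxElementId": "SPDXRef-Package-image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-libsample"},
    ],
})

def load_sbom(text):
    """Parse the JSON and refuse documents that are not SPDX 2.2."""
    doc = json.loads(text)
    if doc.get("spdxVersion") != "SPDX-2.2":
        raise ValueError("expected an SPDX-2.2 document, got %r" % doc.get("spdxVersion"))
    return doc

def components(doc):
    """Map package name -> (version, declared license); absent fields become NOASSERTION."""
    return {p["name"]: (p.get("versionInfo", "NOASSERTION"),
                        p.get("licenseDeclared", "NOASSERTION")) for p in doc["packages"]}

def contained_in(doc, pkg_name):
    """Names of the packages that pkg_name directly CONTAINS, per the relationships list."""
    names = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    parent = next(i for i, n in names.items() if n == pkg_name)
    return sorted(names[r["relatedSpdxElement"]] for r in doc["relationships"]
                  if r["spdxElementId"] == parent and r["relationshipType"] == "CONTAINS")

def packages_with_license(doc, prefix):
    """Packages whose declared license starts with prefix (e.g. 'GPL' for a copyleft review)."""
    return sorted(n for n, (_, lic) in components(doc).items() if lic.startswith(prefix))

def missing_versions(doc):
    """Packages with no versionInfo: these cannot be matched reliably against advisories."""
    return sorted(n for n, (ver, _) in components(doc).items() if ver == "NOASSERTION")
```

Point load_sbom at the contents of tmp/deploy/images/${machine}/${image_name}.spdx.json from a real build to run the same checks on your own image.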


Generating a Wind River Linux SBOM for earlier versions

The gen_spdx.py script is used to generate an SBOM for WRLinux 5 through 8.

Supported Wind River Linux versions

Generating SBOM File

Generating the SBOM for old WRLinux versions


Generate Petalinux SBOM

Supported Petalinux Versions

Generating SBOM File

Generate Petalinux SBOM


Legal Notices

All product names, logos, and brands are property of their respective owners. All company, product and service names used in this software are for identification purposes only. Wind River is a trademark of Wind River Systems, Inc.

Disclaimer of Warranty / No Support: Wind River does not provide support and maintenance services for this software, under Wind River’s standard Software Support and Maintenance Agreement or otherwise. Unless required by applicable law, Wind River provides the software (and each contributor provides its contribution) on an “AS IS” BASIS, WITHOUT WARRANTIES OF ANY KIND, either express or implied, including, without limitation, any warranties of TITLE, NONINFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the software and assume any risks associated with your exercise of permissions under the license.
