.. _sbom-index:

Generating Software Bill of Materials (SBOM)
============================================

An SBOM is a formal, structured list of all components, libraries, modules and dependencies (both open-source and proprietary)
used to build a software application. It acts as a ‘list of ingredients’ for software and provides transparency across the
entire software supply chain. A detailed SBOM records component versions, suppliers and licence details, and often
also known security vulnerabilities (CVEs – Common Vulnerabilities and Exposures).

This list can be used to identify quickly which vulnerable components a product contains and to verify licence terms.
SBOMs are usually created in standardised, machine-readable formats such as **SPDX** or **CycloneDX**.
They are becoming increasingly important because of regulatory requirements such as the EU Cyber Resilience Act.

.. admonition:: Please note
   :class: note

   Yocto provides SBOM generation only in SPDX format.

To generate an SBOM during the Yocto build process, do the following:

#. Add the following to ``conf/local.conf``:

   .. code-block:: text

      INHERIT += "create-spdx"

#. Build the image.

You can control the level of detail in the SBOM using the following variables in your ``local.conf``:

+---------------------------+---------------------------------------------------------------------------------------+
|Variable                   |Description                                                                            |
+===========================+=======================================================================================+
|SPDX_PRETTY = "1"          |Formats the JSON files for readability (indentation), which increases the file size.   |
+---------------------------+---------------------------------------------------------------------------------------+
|SPDX_INCLUDE_SOURCES = "1" |Adds descriptions of the source code files to the SBOM.                                |
+---------------------------+---------------------------------------------------------------------------------------+
|SPDX_ARCHIVE_SOURCES = "1" |Archives the actual source code together with the SBOM (useful for licence compliance).|
+---------------------------+---------------------------------------------------------------------------------------+
|SPDX_ARCHIVE_PACKAGED = "1"|Creates archives of the files that have ended up in the destination packages.          |
+---------------------------+---------------------------------------------------------------------------------------+

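
The SBOM that ``create-spdx`` writes is SPDX JSON, so the two uses described at the top of this page (identifying vulnerable components and verifying licence terms) can be scripted against it. The following Python script is an added example; it is not part of the Yocto Project's tooling and not code from this page. It parses a small, constructed SPDX 2.2 document shaped like the image-level SBOM that ``create-spdx`` produces (the ``<image>.spdx.json`` name and its location under the deploy directory are assumed from the Yocto documentation), lists each package's version and declared licence, and compares them against a constructed advisory list with placeholder ids and a hypothetical licence allow-list. All package names, versions, licences, supplier strings and advisory ids in it are sample values.

```python
import json
import sys
from typing import Dict, List, Tuple

# Constructed SPDX 2.2 JSON document in the shape of the image-level SBOM that
# Yocto's create-spdx class emits. Every value below is a sample, not real build output.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sample-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox", "versionInfo": "1.36.1",
         "licenseDeclared": "GPL-2.0-only & bzip2-1.0.4", "supplier": "Organization: sample ()"},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.2.1",
         "licenseDeclared": "Apache-2.0", "supplier": "Organization: sample ()"},
        {"SPDXID": "SPDXRef-Package-sample-lib", "name": "sample-lib", "versionInfo": "0.9.0",
         "licenseDeclared": "NOASSERTION", "supplier": "Organization: sample ()"},
    ],
})

# Constructed advisory feed: package name and the first version that carries the fix.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "openssl", "fixed_in": "3.2.2"},
    {"id": "ADV-PLACEHOLDER-2", "package": "busybox", "fixed_in": "1.36.0"},
]

# Licence identifiers a hypothetical project policy accepts in an image.
ALLOWED_LICENCES = {"GPL-2.0-only", "Apache-2.0", "MIT", "BSD-3-Clause", "bzip2-1.0.4"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.36.1' into (1, 36, 1). Only the leading digits of each dotted
    piece count, so a suffix such as '1+git...' does not disturb the comparison."""
    parts = []
    for piece in text.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract name, version and declared licence from every SPDX package entry."""
    doc = json.loads(sbom_json)
    return [
        {
            "name": pkg.get("name", ""),
            "version": pkg.get("versionInfo", ""),
            "licence": pkg.get("licenseDeclared", "NOASSERTION"),
        }
        for pkg in doc.get("packages", [])
    ]


def find_affected(components, advisories) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for each component whose version is
    older than the advisory's fixed-in version."""
    hits = []
    for comp in components:
        for adv in advisories:
            if comp["name"] == adv["package"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def licence_violations(components, allowed) -> List[Tuple[str, str]]:
    """Flag components with no licence assertion or with an identifier outside the
    allow-list. Expressions are split on AND/OR and on the & / | shorthand used in
    Yocto recipe LICENSE values; WITH exception clauses are not handled here."""
    flagged = []
    for comp in components:
        expr = comp["licence"]
        if expr in ("NOASSERTION", "NONE", ""):
            flagged.append((comp["name"], expr))
            continue
        tokens = expr.replace("&", " ").replace("|", " ").replace("(", " ").replace(")", " ").split()
        ids = [t for t in tokens if t.upper() not in ("AND", "OR")]
        if any(i not in allowed for i in ids):
            flagged.append((comp["name"], expr))
    return flagged


def report(sbom_json: str) -> Dict[str, list]:
    """Run both checks over one SBOM and return the findings."""
    comps = load_components(sbom_json)
    return {
        "components": comps,
        "affected": find_affected(comps, ADVISORIES),
        "licence_violations": licence_violations(comps, ALLOWED_LICENCES),
    }


if __name__ == "__main__":
    # Pass the path of a real <image>.spdx.json to check it; otherwise the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_SBOM
    for key, value in report(data).items():
        print(f"{key}:")
        for item in value:
            print("  ", item)
```

On the sample document the script reports ``openssl 3.2.1`` as affected by the placeholder advisory and ``sample-lib`` as a licence violation because its licence is ``NOASSERTION``, which is exactly the kind of gap an SBOM review should surface. A real pipeline would feed an actual advisory source (Yocto's own ``cve-check`` class is the usual starting point) instead of the constructed list; the version comparison here is deliberately minimal and does not handle distribution-specific version schemes.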
A detailed description of all the features of Yocto’s SBOM generation can be found in the Yocto Project documentation: `Creating a Software Bill of Materials`_.

.. _`Creating a Software Bill of Materials`: https://docs.yoctoproject.org/scarthgap/dev-manual/sbom.html#creating-a-software-bill-of-materials