Generating Software Bill of Materials (SBOM)
An SBOM is a formal, structured list of all components, libraries, modules and dependencies (both open-source and proprietary) used to create a software application. It acts as a ‘list of ingredients’ for software and provides transparency across the entire software supply chain. A detailed SBOM contains information on component versions, suppliers, licence details and often also on known security vulnerabilities (CVEs – Common Vulnerabilities and Exposures).
This list can be used to quickly identify vulnerabilities in the components in use and to verify licence terms.
SBOMs are frequently created in standardised machine-readable formats such as SPDX or CycloneDX. They are becoming increasingly important due to regulatory requirements, such as the EU Cyber Resilience Act.
Please note
Yocto provides only SBOM generation in SPDX format.
To generate an SBOM during the Yocto build process do the following:
1. Add the following line to conf/local.conf:

   INHERIT += "create-spdx"

2. Compile the image.
You can control the level of detail in the SBOM using variables in your local.conf:

| Variable | Description |
| --- | --- |
| SPDX_PRETTY = "1" | Formats the JSON files for readability (indentation), which increases the file size. |
| SPDX_INCLUDE_SOURCES = "1" | Adds descriptions of the source code files to the SBOM. |
| SPDX_ARCHIVE_SOURCES = "1" | Archives the actual source code together with the SBOM (useful for licence compliance). |
| SPDX_ARCHIVE_PACKAGED = "1" | Creates archives of the files that have ended up in the destination packages. |
A detailed description of all the features of Yocto’s SBOM generation can be found on the website Creating a Software Bill of Materials.
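The two uses named above, vulnerability identification and licence verification, both start with reading the generated SPDX JSON. The following added example (not part of this page or of the Yocto create-spdx class) parses a constructed SPDX 2.x JSON document of the shape create-spdx emits, flags packages with a denied or unasserted licence, and matches package versions against an advisory map; the package list, the licence policy and the advisory identifiers are all constructed placeholders.

```python
"""Read an SPDX 2.x JSON document and report licence and advisory findings."""
import json

# Constructed sample in SPDX 2.x JSON layout; not output from a real build.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "core-image-minimal",
    "packages": [
        {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox",
         "versionInfo": "1.36.1", "licenseDeclared": "GPL-2.0-only"},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl",
         "versionInfo": "3.0.8", "licenseDeclared": "Apache-2.0"},
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
         "versionInfo": "0.9", "licenseDeclared": "NOASSERTION"},
    ],
})

# Hypothetical project policy: licence identifiers that must not ship.
DENIED_LICENSES = {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}

# Constructed advisory map {package: {affected version: advisory id}};
# the identifier is a placeholder, not a real CVE.
ADVISORIES = {"libfoo": {"0.9": "ADVISORY-PLACEHOLDER-1"}}


def load_packages(spdx_json):
    """Return name/version/licence records for every package in the document."""
    doc = json.loads(spdx_json)
    return [{"name": p["name"],
             "version": p.get("versionInfo", "NOASSERTION"),
             "license": p.get("licenseDeclared", "NOASSERTION")}
            for p in doc.get("packages", [])]


def licence_findings(packages):
    """Flag packages whose declared licence is denied or was never asserted."""
    findings = []
    for p in packages:
        if p["license"] == "NOASSERTION":
            findings.append((p["name"], "licence not asserted; review manually"))
        elif p["license"] in DENIED_LICENSES:
            findings.append((p["name"], "denied licence " + p["license"]))
    return findings


def affected_by(packages, advisories):
    """Return (name, version, advisory id) for every exact version match."""
    return [(p["name"], p["version"], advisories[p["name"]][p["version"]])
            for p in packages
            if p["version"] in advisories.get(p["name"], {})]
```

Point load_packages at the per-image SPDX JSON under tmp/deploy/spdx in a real build; exact version matching is deliberately conservative and will miss version ranges, so treat it as a first pass.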