[1/5] ref-manual: terms.rst: add SBOM and SPDX terms

Message ID 20221028101939.93195-2-michael.opdenacker@bootlin.com
State New
Series manuals: add documentation about SBOM/SPDX generation

Commit Message

Michael Opdenacker Oct. 28, 2022, 10:19 a.m. UTC
From: Michael Opdenacker <michael.opdenacker@bootlin.com>

Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
 documentation/ref-manual/terms.rst | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/documentation/ref-manual/terms.rst b/documentation/ref-manual/terms.rst
index 1e3f718a8f..5aedd08aae 100644
--- a/documentation/ref-manual/terms.rst
+++ b/documentation/ref-manual/terms.rst
@@ -323,6 +323,23 @@  universal, the list includes them just in case:
       :term:`build host<Build Host>` and other components, that can
       work on specific hardware.
+   :term:`SBOM`
+      This term means *Software Bill of Materials*. When you distribute
+      software, it offers a description of all the components you used,
+      their corresponding licenses, their dependencies, the changes that were
+      applied and the known vulnerabilities that were fixed.
+      This can be used by the recipients of the software to assess
+      their exposure to license compliance and security vulnerability issues.
+      See the `Software Supply Chain <https://en.wikipedia.org/wiki/Software_supply_chain>`__
+      article on Wikipedia for more details.
+      The OpenEmbedded Build System can generate such documentation for your
+      project, in :term:`SPDX` format, based on all the metadata it used to
+      build the software images. See the ":ref:`dev-manual/common-tasks:creating
+      a software bill of materials`" section of the Development Tasks manual.
    :term:`Source Directory`
      This term refers to the directory structure
      created as a result of creating a local copy of the ``poky`` Git
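Review bot: the new SBOM entry opens with "This term means *Software Bill of Materials*" (L29), whereas the neighbouring entries in this glossary use the form "This term refers to" (see the `Source Directory` entry right below); consider "This term refers to a *Software Bill of Materials*" for consistency. In the same entry, "the changes that were applied and the known vulnerabilities that were fixed" (L31-L32) reads as if every SBOM necessarily carries patch and vulnerability information, while the next sentence says the recipients use it to assess their exposure; qualifying that clause as information the SBOM *can* include would keep the two sentences consistent.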
@@ -383,6 +400,15 @@  universal, the list includes them just in case:
      ":ref:`overview-manual/development-environment:repositories, tags, and branches`"
      section in the Yocto Project Overview and Concepts Manual.
+   :term:`SPDX`
+      This term means *Software Package Data Exchange*, and is used as a open
+      standard for providing a *Software Bill of Materials* (:term:`SBOM`).
+      This standard is developed through a `Linux Foundation project
+      <https://spdx.dev/>`__ and is used by the OpenEmbedded Build System to
+      provide an :term:`SBOM` associated to each a software image.
+      For details, see Wikipedia's `SPDX page <https://en.wikipedia.org/wiki/Software_Package_Data_Exchange>`__.
       When cross-compiling, the target file system may be differently laid
       out and contain different things compared to the host system. The concept
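Review bot: two grammar fixes in the SPDX entry: "is used as a open standard" (L48) should read "is used as an open standard", and "provide an :term:`SBOM` associated to each a software image" (L52) should read "provide an :term:`SBOM` associated with each software image". Optionally, "This term means *Software Package Data Exchange*, and is used as" could become "This term refers to *Software Package Data Exchange*, an open standard for" to match the style of the other glossary entries.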