@@ -300,6 +300,29 @@ There are also technical considerations like which recipes a class append would
apply to and how that would fit within the layer model. These are complications
we think we can live without!
+How do I integrate a third-party vulnerability scanning tool?
+-------------------------------------------------------------
+
+The :term:`OpenEmbedded Build System` produces SPDX files that contain the
+Software Bill Of Materials (SBOM) for any recipe that is built. For this it
+uses the :ref:`ref-classes-create-spdx` class. This class also creates a final
+SPDX document for an image recipe, found in the deployment directory
+(:term:`DEPLOY_DIR_IMAGE`). See the :doc:`/dev-manual/sbom` section of the
+Yocto Project Development Tasks Manual for more information of SBOMs generated
+by the :term:`OpenEmbedded Build System`.
+
+Some third-party vulnerability scanning tools have existing integration with the
+SPDX documents generated by the :term:`OpenEmbedded Build System`. One example
+is `Blackduck`, which offers the `bd_scan_yocto_via_sbom
+<https://github.com/blackducksoftware/bd_scan_yocto_via_sbom>`__ utility to scan
+the vulnerabilities using the SPDX document as input.
+
+These third-party tools have the responsibility of providing support for
+integrating with the Yocto Project SBOMs.
+
+Also see the :doc:`/dev-manual/vulnerabilities` section of the Yocto Project
+Development Tasks Manual for more information on dealing with vulnerabilities.
+
Customizing generated images
============================
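Review bot: the single-backtick `Blackduck` at the start of the second paragraph is reStructuredText default-role interpreted text, not a literal, so Sphinx will render it as a title reference (typically italic) rather than as a plain product name; either drop the backticks or use double backticks, and the vendor's own spelling is "Black Duck". Two small wording fixes in the same hunk: "more information of SBOMs generated" should read "more information on SBOMs generated", and "utility to scan the vulnerabilities using the SPDX document as input" reads better as "utility to scan for vulnerabilities using the SPDX document as input". It would also help the reader to say which SPDX file the tool consumes (the image-level document in :term:`DEPLOY_DIR_IMAGE` mentioned in the first paragraph), since the hunk first talks about per-recipe SPDX files and then about a final image document without saying which one is the scanner's input.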
Add the "How do I integrate a third-party vulnerability scanning tool?" Q&A to the FAQ document.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/ref-manual/faq.rst | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
---
base-commit: c6f5de9fdbab3f29336ac3bf30150de8777bcad7
change-id: 20251113-faq-spdx-3e87ef078825