From patchwork Fri Oct 28 15:10:29 2022 X-Patchwork-Submitter: Michael Opdenacker X-Patchwork-Id: 14532
From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: JPEWhacker@gmail.com, mikko.rapeli@linaro.org, Michael Opdenacker Subject: [PATCH v2 1/5] ref-manual: terms.rst: add SBOM and SPDX terms Date: Fri, 28 Oct 2022 17:10:29 +0200 Message-Id: <20221028151033.383087-2-michael.opdenacker@bootlin.com> In-Reply-To: <20221028151033.383087-1-michael.opdenacker@bootlin.com> References: <17224368BE5A21CF.6604@lists.yoctoproject.org> <20221028151033.383087-1-michael.opdenacker@bootlin.com> X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3443 From: Michael Opdenacker Signed-off-by: Michael Opdenacker --- documentation/ref-manual/terms.rst | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/documentation/ref-manual/terms.rst b/documentation/ref-manual/terms.rst index 40209528ba..4711d7df7b 100644 --- a/documentation/ref-manual/terms.rst +++ b/documentation/ref-manual/terms.rst
@@ -321,6 +321,23 @@ universal, the list includes them just in case: :term:`build host` and other components, that can work on specific hardware. + :term:`SBOM` + This term means *Software Bill of Materials*. When you distribute + software, it offers a description of all the components you used, + their corresponding licenses, their dependencies, the changes that were + applied and the known vulnerabilities that were fixed. + + This can be used by the recipients of the software to assess + their exposure to license compliance and security vulnerability issues. + + See the `Software Supply Chain `__ + article on Wikipedia for more details. + + The OpenEmbedded Build System can generate such documentation for your + project, in :term:`SPDX` format, based on all the metadata it used to + build the software images. See the ":ref:`dev-manual/common-tasks:creating + a software bill of materials`" section of the Development Tasks manual. + :term:`Source Directory` This term refers to the directory structure created as a result of creating a local copy of the ``poky`` Git 
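Review bot: the new SBOM entry cross-references ":ref:`dev-manual/common-tasks:creating a software bill of materials`", but that section is only created by patch 3/5 of this series, so applying 1/5 on its own leaves a dangling reference in the ref-manual build; either reorder the series so the dev-manual section lands first, or move this sentence into 5/5, which exists precisely to add such a reference. Two smaller points in the same hunk: the definition states as fact that an SBOM describes "the changes that were applied and the known vulnerabilities that were fixed", which holds for what the build system emits only as far as it has that metadata, so "can describe" reads more accurately in a glossary entry; and the `Software Supply Chain` link carries no target as posted here, so confirm the URL is present in the committed file.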
@@ -381,6 +398,15 @@ universal, the list includes them just in case: ":ref:`overview-manual/development-environment:repositories, tags, and branches`" section in the Yocto Project Overview and Concepts Manual. + :term:`SPDX` + This term means *Software Package Data Exchange*, and is used as a open + standard for providing a *Software Bill of Materials* (:term:`SBOM`). + This standard is developed through a `Linux Foundation project + `__ and is used by the OpenEmbedded Build System to + provide an :term:`SBOM` associated to each a software image. + + For details, see Wikipedia's `SPDX page `__. + :term:`Sysroot` When cross-compiling, the target file system may be differently laid out and contain different things compared to the host system. The concept
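Review bot: two grammar slips in the SPDX entry: "used as a open standard" should read "an open standard", and "provide an :term:`SBOM` associated to each a software image" should read "associated with each software image". Both lines are touched again as unchanged context by patch 5/5 of this series, so the fix fits in either patch. As with the other links in this file, the `Linux Foundation project` and `SPDX page` references show no target here; confirm the URLs survived in the committed file.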
From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: JPEWhacker@gmail.com, mikko.rapeli@linaro.org, Michael Opdenacker Subject: [PATCH v2 2/5] ref-manual: variables.rst: document spdx-create class variables Date: Fri, 28 Oct 2022 17:10:30 +0200 Message-Id: <20221028151033.383087-3-michael.opdenacker@bootlin.com> In-Reply-To: <20221028151033.383087-1-michael.opdenacker@bootlin.com> References: <17224368BE5A21CF.6604@lists.yoctoproject.org> <20221028151033.383087-1-michael.opdenacker@bootlin.com> X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3444 From: Michael Opdenacker Signed-off-by: Michael Opdenacker --- documentation/ref-manual/variables.rst | 82 ++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index dc6eccb314..0cc73a234c 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -7284,6 +7284,88 @@ system and gives an overview of their function and contents. You can specify only a single URL in :term:`SOURCE_MIRROR_URL`. + :term:`SPDX_ARCHIVE_PACKAGED` + This option allows to add to :term:`SPDX` output compressed archives + of the files in the generated target packages. + + Such archives are available in + ``tmp/deploy/spdx/MACHINE/packages/packagename.tar.zst`` + under the :term:`Build Directory`. + + Enable this option as follows:: + + SPDX_ARCHIVE_PACKAGED = "1" + + According to our tests on release 4.1 "langdale", building + ``core-image-minimal`` for the ``qemux86-64`` machine, enabling this + option multiplied the size of the ``tmp/deploy/spdx`` directory by a + factor of 13 (+1.6 GiB for this image), compared to just using the + :ref:`create-spdx ` class with no option. + + Note that this option doesn't increase the size of :term:`SPDX` + files in ``tmp/deploy/images/MACHINE``. + + :term:`SPDX_ARCHIVE_SOURCES` + This option allows to add to :term:`SPDX` output compressed archives + of the sources for packages installed on the target. It currently + only works when :term:`SPDX_INCLUDE_SOURCES` is set. + + This is one way of fulfilling "source code access" license + requirements. + + Such source archives are available in + ``tmp/deploy/spdx/MACHINE/recipes/recipe-packagename.tar.zst`` + under the :term:`Build Directory`. + + Enable this option as follows:: + + SPDX_INCLUDE_SOURCES = "1" + SPDX_ARCHIVE_SOURCES = "1" + + According to our tests on release 4.1 "langdale", building + ``core-image-minimal`` for the ``qemux86-64`` machine, enabling + these options multiplied the size of the ``tmp/deploy/spdx`` + directory by a factor of 11 (+1.4 GiB for this image), + compared to just using the :ref:`create-spdx ` + class with no option. 
+ + Note that using this option only marginally increases the size + of the :term:`SPDX` output in ``tmp/deploy/images/MACHINE/`` + (+ 0.07\% with the tested image), compared to just enabling + :term:`SPDX_INCLUDE_SOURCES`. + + :term:`SPDX_INCLUDE_SOURCES` + This option allows to add a description of the source files used to build + the host tools and the target packages, to the ``spdx.json`` files in + ``tmp/deploy/spdx/MACHINE/recipes/`` under the :term:`Build Directory`. + As a consequence, the ``spdx.json`` files under the ``by-namespace`` and + ``packages`` subdirectories in ``tmp/deploy/spdx/MACHINE`` are also + modified to include references to such source file descriptions. + + Enable this option as follows:: + + SPDX_INCLUDE_SOURCES = "1" + + According to our tests on release 4.1 "langdale", building + ``core-image-minimal`` for the ``qemux86-64`` machine, enabling + this option multiplied the total size of the ``tmp/deploy/spdx`` + directory by a factor of 3 (+291 MiB for this image), + and the size of the ``IMAGE-MACHINE.spdx.tar.zst`` in + ``tmp/deploy/images/MACHINE`` by a factor of 130 (+15 MiB for this + image), compared to just using the + :ref:`create-spdx ` class with no option. + + :term:`SPDX_PRETTY` + This option makes the SPDX output more human-readable, using + identation and newlines, instead of the default output in a + single line:: + + SPDX_PRETTY = "1" + + The generated SPDX files are approximately 20% bigger, but + this option is recommended if you want to inspect the SPDX + output files with a text editor. + :term:`SPDXLICENSEMAP` Maps commonly used license names to their SPDX counterparts found in ``meta/files/common-licenses/``. 
For the default :term:`SPDXLICENSEMAP`
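Review bot: the :term:`SPDX_ARCHIVE_SOURCES` description says the archives cover "the sources for packages installed on the target" and presents them as a way to meet "source code access" license requirements, but it does not say whether every installed package is archived regardless of license. Since ``tmp/deploy/spdx`` is what people will hand out, readers who install proprietary or customer-specific recipes alongside open source ones need a sentence stating that the archives are not restricted to packages whose license requires source distribution (if that is the case) and should be reviewed before publication. Smaller points in the same hunk: "This option allows to add" appears three times and should read "This option adds ... to the :term:`SPDX` output"; "identation" under :term:`SPDX_PRETTY` should be "indentation"; and the subject line says "spdx-create" where the class is ``create-spdx``.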
From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: JPEWhacker@gmail.com, mikko.rapeli@linaro.org, Michael Opdenacker Subject: [PATCH v2 3/5] dev-manual: common-tasks.rst: add section about SPDX / SBOM generation Date: Fri, 28 Oct 2022 17:10:31 +0200 Message-Id: <20221028151033.383087-4-michael.opdenacker@bootlin.com> In-Reply-To: <20221028151033.383087-1-michael.opdenacker@bootlin.com> References: <17224368BE5A21CF.6604@lists.yoctoproject.org> <20221028151033.383087-1-michael.opdenacker@bootlin.com> X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3445 From: Michael Opdenacker Also stop referring to the meta-spdxscanner class, no longer relevant. --- documentation/dev-manual/common-tasks.rst | 101 ++++++++++++++-------- 1 file changed, 66 insertions(+), 35 deletions(-) diff --git a/documentation/dev-manual/common-tasks.rst b/documentation/dev-manual/common-tasks.rst index c747c0deac..9c85a656a8 100644 --- a/documentation/dev-manual/common-tasks.rst +++ b/documentation/dev-manual/common-tasks.rst @@ -11200,8 +11200,6 @@ to be covered by assuming that there are three main areas of concern: - Compilation scripts and modifications to the source code must be provided. -- spdx files can be provided. - There are other requirements beyond the scope of these three and the methods described in this section (e.g. the mechanism through which source code is distributed).
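Review bot: dropping the "spdx files can be provided" bullet brings the list back in line with the "three main areas of concern" announced just above it, so the removal is right, but it also removes the only mention of SPDX from the license-compliance discussion, and the new "Creating a Software Bill of Materials" section this patch adds sits after the CVE material. A one-line pointer from this compliance text to that section would keep the link, since the SPDX output (and the source archives :term:`SPDX_ARCHIVE_SOURCES` produces) is one of the ways to deliver the license information discussed here.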
@@ -11392,39 +11390,6 @@ layers (recipes, configuration files, and so forth) enables you to meet your requirements to include the scripts to control compilation as well as any modifications to the original source. -Providing spdx files -~~~~~~~~~~~~~~~~~~~~~~~~~ - -The spdx module has been integrated to a layer named meta-spdxscanner. -meta-spdxscanner provides several kinds of scanner. If you want to enable -this function, you have to follow the following steps: - -1. Add meta-spdxscanner layer into ``bblayers.conf``. - -2. Refer to the README in meta-spdxscanner to setup the environment (e.g, - setup a fossology server) needed for the scanner. - -3. Meta-spdxscanner provides several methods within the bbclass to create spdx files. - Please choose one that you want to use and enable the spdx task. You have to - add some config options in ``local.conf`` file in your :term:`Build Directory`. - Here is an example showing how to generate spdx files during BitBake using the - fossology-python.bbclass:: - - # Select fossology-python.bbclass. - INHERIT += "fossology-python" - # For fossology-python.bbclass, TOKEN is necessary, so, after setup a - # Fossology server, you have to create a token. - TOKEN = "eyJ0eXAiO..." - # The fossology server is necessary for fossology-python.bbclass. - FOSSOLOGY_SERVER = "http://xx.xx.xx.xx:8081/repo" - # If you want to upload the source code to a special folder: - FOLDER_NAME = "xxxx" //Optional - # If you don't want to put spdx files in tmp/deploy/spdx, you can enable: - SPDX_DEPLOY_DIR = "${DEPLOY_DIR}" //Optional - -For more usage information refer to :yocto_git:`the meta-spdxscanner repository -`. - Compliance Limitations with Executables Built from Static Libraries ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
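Review bot: the commit message says meta-spdxscanner is "no longer relevant" without saying why; users who followed this section still have ``INHERIT += "fossology-python"``, a ``FOSSOLOGY_SERVER`` and a ``TOKEN`` in their ``local.conf``, so state in the message that the in-tree ``create-spdx`` class documented in this same patch supersedes it, so they know what to migrate to. No objection to the deletion itself: the removed example also showed a Fossology API ``TOKEN`` pasted into ``local.conf`` in clear text, which is not a pattern the manual should keep exhibiting.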
@@ -11674,6 +11639,72 @@ When analyzing CVEs, it is recommended to: - follow public `open source security mailing lists `__ for discussions and advance notifications of CVE bugs and software releases with fixes. +Creating a Software Bill of Materials +===================================== + +Once you are able to build an image for your project, once the licenses for +each software component are all identified (see +":ref:`dev-manual/common-tasks:working with licenses`") and once vulnerability +fixes are applied (see ":ref:`dev-manual/common-tasks:checking +for vulnerabilities`"), the OpenEmbedded build system can generate +a description of all the components you used, their licenses, their dependencies, +the changes that were applied and the known vulnerabilities that were fixed. + +This description is generated in the form of a *Software Bill of Materials* +(:term:`SBOM`), using the :term:`SPDX` standard. + +When you release software, this is the most standard way to provide information +about the Software Supply Chain of your software image and SDK. The +:term:`SBOM` tooling is often used to ensure open source license compliance by +providing the license texts used in the product which legal departments and end +users can read in standardized format. + +:term:`SBOM` information is also critical to performing vulnerability exposure +assessments, as all the components used in the Software Supply Chain are listed. + +The OpenEmbedded build system doesn't generate such information by default. +To make this happen, you must inherit the +:ref:`create-spdx ` class from a configuration file:: + + INHERIT += "create-spdx" + +You then get :term:`SPDX` output in JSON format as an +``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the +:term:`Build Directory`. 
+ +This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json`` +containing an index of JSON :term:`SPDX` files for individual recipes, together +with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such +files. + +The :ref:`create-spdx ` class offers options to include +more information in the output :term:`SPDX` data, such as making the generated +files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of +the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`), +adding a description of the source files handled by the target recipes +(:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source files +themselves (:term:`SPDX_ARCHIVE_SOURCES`). + +Though the toplevel :term:`SPDX` output is available in +``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary +generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as: + +- The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst`` + archive. + +- Compressed archives of the files in the generated target packages, + in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED` + is set). + +- Compressed archives of the source files used to build the host tools + and the target packages in ``recipes/recipe-packagename.tar.zst`` + (when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill + "source code access" license requirements. + +See the `tools page `__ on the :term:`SPDX` +project website for a list of tools to consume and transform the :term:`SPDX` +data generated by the OpenEmbedded build system. 
+ Using the Error Reporting Tool ==============================
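Review bot: the opening paragraph promises that the generated description covers "the changes that were applied and the known vulnerabilities that were fixed", but nothing later in the section says where in the SPDX output a reader finds either (patches, CVE identifiers), so either name the field or relationship that records them or drop the claim; readers doing "vulnerability exposure assessments", which the section explicitly encourages, will go looking for it. The bullet "The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst`` archive" is also ambiguous, because the archive itself was just placed in ``tmp/deploy/images/MACHINE/``: say whether ``tmp/deploy/spdx/MACHINE`` holds the same files unpacked. Wording nits: "this is the most standard way" should be "the standard way", "toplevel" should be "top-level", and the `tools page` link shows no target as posted.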
From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: JPEWhacker@gmail.com, mikko.rapeli@linaro.org, Michael Opdenacker Subject: [PATCH v2 4/5] ref-manual: classes.rst: expand documentation of create-spdx class Date: Fri, 28 Oct 2022 17:10:32 +0200 Message-Id: <20221028151033.383087-5-michael.opdenacker@bootlin.com> In-Reply-To: <20221028151033.383087-1-michael.opdenacker@bootlin.com> References: <17224368BE5A21CF.6604@lists.yoctoproject.org> <20221028151033.383087-1-michael.opdenacker@bootlin.com> X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3446 From: Michael Opdenacker Signed-off-by: Michael Opdenacker --- documentation/ref-manual/classes.rst | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 3b33783c58..5537eb774a 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst
@@ -373,8 +373,26 @@ support. ``create-spdx.bbclass`` ======================= -The :ref:`create-spdx ` class provides support for automatically creating -SPDX SBoM documents based upon image and SDK contents. +The :ref:`create-spdx ` class provides support for +automatically creating :term:`SPDX` :term:`SBOM` documents based upon image +and SDK contents. + +This class is meant to be inherited globally from a configuration file:: + + INHERIT += "create-spdx" + +The toplevel :term:`SPDX` output file is generated in JSON format as a +``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the +:term:`Build Directory`. There are other related files in the same directory, +as well as in ``tmp/deploy/spdx``. + +The exact behaviour of this class, and the amount of output can be controlled +by the :term:`SPDX_PRETTY`, :term:`SPDX_ARCHIVE_PACKAGED`, +:term:`SPDX_ARCHIVE_SOURCES` and :term:`SPDX_INCLUDE_SOURCES` variables. + +See the description of these variables and the +":ref:`dev-manual/common-tasks:creating a software bill of materials`" +section in the Yocto Project Development Manual for more details. .. 
_ref-classes-cross:
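Review bot: "There are other related files in the same directory, as well as in ``tmp/deploy/spdx``" is too vague for a reference manual entry; either name them (the dev-manual section added in 3/5 of this series lists ``IMAGE-MACHINE.spdx.index.json``, ``IMAGE-MACHINE.spdx.tar.zst`` and the ``packages/`` and ``recipes/`` archives under ``tmp/deploy/spdx/MACHINE``) or say that the per-variable descriptions referenced in the next paragraph enumerate them. Also "a ``IMAGE-MACHINE.spdx.json`` file" should read "an", and "The exact behaviour of this class, and the amount of output can be controlled" needs the comma before "and" removed.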
From: michael.opdenacker@bootlin.com To: docs@lists.yoctoproject.org Cc: JPEWhacker@gmail.com, mikko.rapeli@linaro.org, Michael Opdenacker Subject: [PATCH v2 5/5] ref-manual: terms.rst: add reference to new SBOM/SPDX section in dev manual Date: Fri, 28 Oct 2022 17:10:33 +0200 Message-Id: <20221028151033.383087-6-michael.opdenacker@bootlin.com> In-Reply-To: <20221028151033.383087-1-michael.opdenacker@bootlin.com> References: <17224368BE5A21CF.6604@lists.yoctoproject.org> <20221028151033.383087-1-michael.opdenacker@bootlin.com> X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/3447 From: Michael Opdenacker Signed-off-by: Michael Opdenacker --- documentation/ref-manual/terms.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/ref-manual/terms.rst b/documentation/ref-manual/terms.rst index 4711d7df7b..b4a78efad3 100644 --- a/documentation/ref-manual/terms.rst +++ b/documentation/ref-manual/terms.rst @@ -405,7 +405,9 @@ universal, the list includes them just in case: `__ and is used by the OpenEmbedded Build System to provide an :term:`SBOM` associated to each a software image. - For details, see Wikipedia's `SPDX page `__. + For details, see Wikipedia's `SPDX page `__ + and the ":ref:`dev-manual/common-tasks:creating a software bill of materials`" + section of the Development Tasks manual. :term:`Sysroot` When cross-compiling, the target file system may be differently laid
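Review bot: this patch only appends a cross-reference to the SPDX glossary entry that 1/5 of the same series introduces, so squash it into 1/5 and add the term with its reference in one step. If it stays separate, it is the natural place to fix the context line it carries, "provide an :term:`SBOM` associated to each a software image", which should read "associated with each software image". Either way the dev-manual section the reference points to is added by 3/5, so that patch must precede whichever patch ends up carrying the reference for the docs build to stay clean at every step.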