To generate an SBOM (Software Bill of Materials) from a Yocto Project build, you can use the meta-sbom layer.
Steps to Generate SBOM in Yocto:
1. Clone meta-sbom
git clone https://github.com/meta-sbom/meta-sbom.git
2. Add meta-sbom to bblayers.conf
BBLAYERS += "/path/to/meta-sbom"
3. Enable SBOM Generation in local.conf
SBOM_GENERATE = "1"
SBOM_FORMATS = "cyclonedx-json"
SBOM_DEPLOY_DIR = "${TMPDIR}/sboms"
INHERIT += "sbom"
Optional extras:
SBOM_IMAGE_GENERATE = "1" # Also generates SBOM for the image itself
SBOM_INCLUDE_BUILDINFO = "1" # Includes build metadata
4. Build Your Image
bitbake core-image-minimal
5. Locate the Generated SBOM
After a successful build, your CycloneDX-format SBOMs will be in:
tmp/sboms/
You'll see files like:
- core-image-minimal.cyclonedx.json
- busybox.cyclonedx.json
- and more, one per package/recipe
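Once the files under tmp/sboms/ exist, the next question is whether they are complete enough to act on. The following added example (not part of the meta-sbom layer or of this page) audits a CycloneDX JSON SBOM for components that lack a version, a purl, or license data; the embedded document is constructed to mimic the output shape, and the file path argument is an assumption.

```python
import json
import sys
from typing import Any, Dict

# Constructed sample shaped like a CycloneDX 1.4 JSON SBOM such as the build
# drops under tmp/sboms/ (illustrative data, not real build output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:generic/busybox@1.36.1",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "zlib", "version": "1.3",
         "purl": "pkg:generic/zlib@1.3"},
        {"type": "library", "name": "vendor-blob"},
    ],
})


def audit_sbom(text: str) -> Dict[str, Any]:
    """Load a CycloneDX JSON document and report gaps that weaken it as a
    supply-chain record: components lacking a version, a purl, or license data.
    Returns a summary dict instead of printing so CI can assert on it."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = bom.get("components", [])
    missing_version, missing_purl, missing_license = [], [], []
    for comp in components:
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            missing_version.append(name)   # cannot be matched to advisories
        if not comp.get("purl"):
            missing_purl.append(name)      # no stable identifier for tooling
        if not comp.get("licenses"):
            missing_license.append(name)   # license compliance gap
    return {
        "spec_version": bom.get("specVersion"),
        "component_count": len(components),
        "missing_version": missing_version,
        "missing_purl": missing_purl,
        "missing_license": missing_license,
    }


if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for key, value in audit_sbom(data).items():
        print(f"{key}: {value}")
```

Run it as `python audit_sbom.py tmp/sboms/core-image-minimal.cyclonedx.json` to check the image-level SBOM produced in step 5.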