To generate an SBOM (Software Bill of Materials) from a Yocto Project build, use the create-spdx class that ships with openembedded-core (and therefore with Poky) since Yocto Project 3.4 (Honister). It emits SPDX (Software Package Data Exchange) documents, one of the widely accepted SBOM formats. The meta-security layer is not needed for this: SPDX generation is part of the core build system, not of any add-on layer.
Steps to Generate SBOM in Yocto:
1. Check That Your Release Has the Class:
- Poky / openembedded-core 3.4 (Honister) or newer; no additional layer is required
- meta-openembedded and meta-security are not needed for SBOM generation (add them only if your image depends on recipes from them)
# Confirm the class is present in your checkout (the classes directory name varies slightly between releases)
ls meta/classes*/create-spdx*.bbclass
2. Enable SPDX Output
Add the following to your conf/local.conf:
INHERIT += "create-spdx"
DEPLOY_DIR_SPDX = "${DEPLOY_DIR}/spdx" # this is the default (tmp/deploy/spdx); change it only if you want a preferred path
Optional, but recommended:
SPDX_PRETTY = "1" # indented JSON, easier to read and diff
SPDX_INCLUDE_SOURCES = "1" # record per-source-file entries (names and checksums) in the recipe documents
SPDX_ARCHIVE_SOURCES = "1" # additionally archive the patched sources next to the documents; large, but makes the SBOM auditable offline
The following three settings control the license texts shipped inside the image itself; they are useful for compliance but do not change the SPDX documents:
LICENSE_CREATE_PACKAGE = "1"
COPY_LIC_MANIFEST = "1"
COPY_LIC_DIRS = "1"
3. Build Your Image or Recipe
bitbake core-image-minimal
This generates SPDX 2.x documents in JSON form (.spdx.json files; the class does not write the tag-value .spdx format). Per-recipe, per-package and runtime-dependency documents land under ${DEPLOY_DIR_SPDX} (tmp/deploy/spdx/ by default). An image build additionally writes an image-level SBOM next to the image in tmp/deploy/images/<MACHINE>/: a <image>-<machine>.spdx.json document plus a .spdx.tar.zst bundle that contains it together with every recipe and package document it references. The bundle is the artifact to hand to auditors or feed into a vulnerability scanner, because it is self-contained; an individual per-package document only points at the others through SPDX external document references. Regenerate the SBOM with every build, since it describes exactly the sources and packages of that build.
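Once the build has produced the documents, the practical next step is to consume them. Below is an added example (not code from the Yocto Project or from this page) that reads SPDX 2.x JSON documents and does the two checks most teams want first: flag packages whose license hits a denylist, and flag packages with no usable license or CPE information. It relies only on SPDX 2.2 JSON field names (spdxVersion, packages[].name, versionInfo, licenseDeclared, licenseConcluded, externalRefs[].referenceType); SAMPLE_SPDX_JSON is a constructed document shaped like one per-recipe file, not real build output, and scan_directory assumes the tmp/deploy/spdx layout described above (it simply globs *.spdx.json recursively).

```python
"""Post-build triage of SPDX 2.x JSON SBOMs such as those under tmp/deploy/spdx.

Added example, not code from the Yocto Project or from the original page.
Assumes only the SPDX 2.2 JSON field names; the sample document below is
constructed for illustration and is not real build output.
"""
import json
import re
from pathlib import Path

# Constructed sample document (not real tmp/deploy/spdx output).
SAMPLE_SPDX_JSON = r'''{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "recipe-sample",
  "packages": [
    {"SPDXID": "SPDXRef-Recipe-busybox", "name": "busybox", "versionInfo": "1.36.1",
     "licenseConcluded": "NOASSERTION",
     "licenseDeclared": "GPL-2.0-only AND bzip2-1.0.4",
     "externalRefs": [{"referenceCategory": "SECURITY",
                       "referenceType": "http://spdx.org/rdf/references/cpe23Type",
                       "referenceLocator": "cpe:2.3:a:busybox:busybox:1.36.1:*:*:*:*:*:*:*"}]},
    {"SPDXID": "SPDXRef-Recipe-readline", "name": "readline", "versionInfo": "8.2",
     "licenseConcluded": "NOASSERTION", "licenseDeclared": "GPL-3.0-or-later"},
    {"SPDXID": "SPDXRef-Recipe-vendorblob", "name": "vendorblob", "versionInfo": "2.0",
     "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"}
  ]
}'''

# Tokens of a license expression that are operators or placeholders, not identifiers.
EXPRESSION_OPERATORS = {"AND", "OR", "WITH"}
NO_LICENSE_INFO = {"NOASSERTION", "NONE", ""}

# Example policy (an assumption for this demo): the GPL-3 family is the usual concern
# on locked-down devices. BitBake's INCOMPATIBLE_LICENSE enforces this at build time;
# checking the SBOM afterwards catches anything that was exempted or slipped through.
DEFAULT_DENYLIST = {"GPL-3.0-only", "GPL-3.0-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}


def license_ids(expression):
    """Return the set of license identifiers in an SPDX license expression.

    Splits on whitespace and parentheses and drops AND/OR/WITH. An exception name
    after WITH is kept as its own identifier, which is fine for denylist matching.
    """
    return {tok for tok in re.split(r"[()\s]+", expression or "")
            if tok and tok not in EXPRESSION_OPERATORS}


def load_spdx(text):
    """Parse one SPDX 2.x JSON document into a flat list of package records."""
    doc = json.loads(text)
    version = str(doc.get("spdxVersion", ""))
    if not version.startswith("SPDX-2."):
        raise ValueError(f"unsupported SPDX version {version!r}; this reader handles SPDX-2.x JSON")
    packages = []
    for pkg in doc.get("packages", []):
        # referenceType may be the bare name "cpe23Type" or its full URI form; match by suffix.
        cpes = [ref.get("referenceLocator", "") for ref in pkg.get("externalRefs", [])
                if str(ref.get("referenceType", "")).endswith("cpe23Type")]
        packages.append({
            "name": pkg["name"],
            "version": pkg.get("versionInfo", ""),
            "declared": pkg.get("licenseDeclared", "NOASSERTION"),
            "concluded": pkg.get("licenseConcluded", "NOASSERTION"),
            "cpes": cpes,
        })
    return packages


def effective_license(pkg):
    """Prefer the concluded license; fall back to the declared one when it is NOASSERTION."""
    if pkg["concluded"] not in NO_LICENSE_INFO:
        return pkg["concluded"]
    return pkg["declared"]


def denylist_hits(packages, denylist=DEFAULT_DENYLIST):
    """(name, {denied ids}) for every package whose effective license hits the denylist."""
    hits = []
    for pkg in packages:
        bad = license_ids(effective_license(pkg)) & set(denylist)
        if bad:
            hits.append((pkg["name"], bad))
    return hits


def unknown_license(packages):
    """Names of packages carrying no usable license information at all."""
    return [pkg["name"] for pkg in packages
            if not (license_ids(effective_license(pkg)) - NO_LICENSE_INFO)]


def missing_cpe(packages):
    """Packages without a CPE; vulnerability scanners cannot match these to CVEs."""
    return [pkg["name"] for pkg in packages if not pkg["cpes"]]


def scan_directory(root):
    """Load every *.spdx.json below root (e.g. tmp/deploy/spdx) and merge the packages."""
    packages = []
    for path in sorted(Path(root).rglob("*.spdx.json")):
        packages.extend(load_spdx(path.read_text(encoding="utf-8")))
    return packages


if __name__ == "__main__":
    pkgs = load_spdx(SAMPLE_SPDX_JSON)
    for p in pkgs:
        print(f"{p['name']:12} {p['version']:8} {effective_license(p)}")
    print("denylist hits:", denylist_hits(pkgs))
    print("no license info:", unknown_license(pkgs))
    print("no CPE:", missing_cpe(pkgs))
```

Run it as-is to see the checks against the embedded sample, or call scan_directory("tmp/deploy/spdx") from a build directory to run them over real output. Treat this as a verification pass, not a replacement for INCOMPATIBLE_LICENSE, which stops a denied license from entering the image in the first place. Newer releases can also emit SPDX 3.0 documents, which use a different schema; the version check above rejects those deliberately rather than silently returning an empty package list.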
