Re: Urgent need for SPDX-formatted bill of materials.


Kate Stewart
 

"we only have to concern ourselves with producing a proper, compliant SBOM".

+1. Being able to generate the SBOM as a byproduct of the build is going to have the most trust.
Yocto is in a unique position to do this, and to provide guidance on extending the next generation
of SPDX as well. Richard convinced me a couple of years ago that the necessary information is present
in the debug info; the challenge is extracting it and outputting the document.

Possible approach:
- Mark all licensing as NOASSERTION for now, and focus on the components and mapping
the relationships between them.
- Next phase, add in the licensing information when it's available as SPDX headers (i.e. no scanning
tools needed); use declared vs. detected to separate out the info at the package level on what you're
getting from sources.

The example of how it's being done in Zephyr is based on hooking into CMake; see:

Kubernetes approach:

AGL might be a good testbed for this capability with Yocto, as there is a PoC starting
in the Auto-ISAC, and they'll be looking for SBOMs, so many eyes.

In terms of validating the output format produced - 
any document created conforms to the specification.

If there are questions about the way to partition the information, etc.,
Steve Winslow and I are happy to weigh in.

HTH,
Kate
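As an added example (not code from this thread, nor from Yocto's or SPDX's own tooling), here is the two-phase approach sketched above in working form: a build's package list and dependency graph rendered as an SPDX 2.2 tag-value document with all licensing as NOASSERTION first, PackageLicenseDeclared filled in from the recipe's own licence header on the second pass, and a check that no Relationship line points at an SPDXID the document never defines. Package names, versions and licences are constructed sample data.

```python
# Added example, not from the thread. Phase 1: packages + relationships, all
# licensing NOASSERTION. Phase 2: PackageLicenseDeclared from the recipe's licence header.
import re
from datetime import datetime, timezone

# Constructed sample: package -> (version, dependencies, declared licence or None)
SAMPLE_BUILD = {
    "core-image-minimal": ("1.0", ["busybox", "glibc"], None),
    "busybox": ("1.33.1", ["glibc"], "GPL-2.0-only"),
    "glibc": ("2.33", [], "LGPL-2.1-only"),
}

def spdx_id(name):
    # SPDXRef identifiers may only contain letters, digits, '.' and '-'
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)

def package_block(name, version, declared=None):
    # Concluded stays NOASSERTION until something verifies the sources; Declared is
    # what the package says about itself (recipe/SPDX header) once that is available.
    return [f"PackageName: {name}", f"SPDXID: {spdx_id(name)}",
            f"PackageVersion: {version}", "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false", "PackageLicenseConcluded: NOASSERTION",
            f"PackageLicenseDeclared: {declared or 'NOASSERTION'}",
            "PackageCopyrightText: NOASSERTION", ""]

def build_sbom(build, image, namespace, with_declared=False):
    doc = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {image}", f"DocumentNamespace: {namespace}",
           "Creator: Tool: sbom-example-0.1",
           "Created: " + datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), ""]
    for name, (version, _, declared) in build.items():
        doc += package_block(name, version, declared if with_declared else None)
    doc.append(f"Relationship: SPDXRef-DOCUMENT DESCRIBES {spdx_id(image)}")
    for name, (_, deps, _) in build.items():
        for dep in deps:  # the image CONTAINS its packages; packages DEPENDS_ON each other
            rel = "CONTAINS" if name == image else "DEPENDS_ON"
            doc.append(f"Relationship: {spdx_id(name)} {rel} {spdx_id(dep)}")
    return "\n".join(doc) + "\n"

def relationships(doc):
    return sorted(re.findall(r"^Relationship: (\S+) (\S+) (\S+)$", doc, re.M))

def declared_licenses(doc):
    return dict(zip(re.findall(r"^PackageName: (.*)$", doc, re.M),
                    re.findall(r"^PackageLicenseDeclared: (.*)$", doc, re.M)))

def dangling_refs(doc):
    # a Relationship naming an SPDXID that no element defines would fail validation
    ids = set(re.findall(r"^SPDXID: (\S+)$", doc, re.M))
    return [r for r in relationships(doc) if r[0] not in ids or r[2] not in ids]
```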

On Tue, May 18, 2021 at 5:15 PM Trevor Woerner <twoerner@...> wrote:
Richard, this is all awesome! Thanks for your input :-)

On Tue, May 18, 2021 at 6:03 PM Richard Purdie <richard.purdie@...> wrote:
* whether we need tooling to take an SPDX image manifest and process it to 
  various forms for end user/tool use (e.g. actual file output or API?).

Kate Stewart recently did a webinar on this topic; you can find the video and slides here:

She also talked about this at the most recent FOSDEM:

I'm thinking of inviting her to the discussion.

If you look at her slides from the webinar, around slide 27 she talks about the ecosystem of tools for working with SBOMs depending on whether you're a producer, consumer, or user of a product. Given what she says, we only have to concern ourselves with producing a proper, compliant SBOM. Other tools in the ecosystem will handle the other things.
