Re: Urgent need for SPDX-formatted bill of materials.
"we only have to concern ourselves with producing a proper, compliant SBOM".
+1. Being able to generate the SBOM as a byproduct of the build is going to have the most trust.
Yocto is in a unique position to do this, and to provide guidance on extending the next generation
of SPDX as well. Richard convinced me a couple of years ago that the necessary information is present
in the debug info; the challenge is extracting it and outputting the document.
- Mark all licensing as NOASSERTION for now, and focus on the components and mapping
the relationships between them.
- Next phase, add in the licensing information when it's available as SPDX headers (i.e. no scanning
tools needed), and use declared vs. detected to separate out the info at the package level on what you're
getting from sources.
The example of how it's being done in Zephyr is based on hooking into CMake; see:
AGL might be a good testbed for this capability with Yocto, as there is a PoC starting
in the Auto-ISAC, and they'll be looking for SBOMs, so many eyes.
In terms of validating the output format produced -
https://tools.spdx.org/app/validate/ is available to check
any document created conforms to the specification.
If there are questions about the way to partition the information, etc.,
Steve Winslow and I are happy to weigh in.
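As an added illustration of the first phase described above (not code from this thread, Yocto, or Zephyr): the script below takes a constructed list of packages as a build system might record them, emits an SPDX 2.2 tag-value document with every license field set to NOASSERTION and the DESCRIBES / DEPENDS_ON relationships between the components, and runs a light sanity check (required document fields, no dangling relationship references, a license field on every package) before the document goes to the SPDX online validator. The package names, versions, tool name, namespace and creation date are all made-up sample values.

```python
"""Emit a minimal SPDX 2.2 tag-value SBOM from build metadata, with all
licensing set to NOASSERTION and component relationships recorded."""
import re
from datetime import datetime, timezone

# Constructed sample: what a build could record per produced package.
# 'deps' lists dependencies by package name (constructed values).
SAMPLE_COMPONENTS = [
    {"name": "zlib", "version": "1.2.11", "deps": []},
    {"name": "openssl", "version": "1.1.1k", "deps": ["zlib"]},
    {"name": "curl", "version": "7.76.1", "deps": ["openssl", "zlib"]},
]


def spdx_id(name: str) -> str:
    # SPDXRef identifiers may only contain letters, digits, '.' and '-'.
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.\-]", "-", name)


def build_sbom(components, doc_name="build-sbom",
               namespace="http://example.invalid/spdx/build-sbom"):
    """Return the SPDX tag-value text for `components`."""
    # Fixed creation timestamp so the output is reproducible (constructed).
    created = datetime(2021, 5, 19, tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {doc_name}",
        f"DocumentNamespace: {namespace}",
        "Creator: Tool: example-build-sbom-0.1",  # hypothetical tool name
        f"Created: {created}",
        "",
    ]
    for c in components:
        lines += [
            f"PackageName: {c['name']}",
            f"SPDXID: {spdx_id(c['name'])}",
            f"PackageVersion: {c['version']}",
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false",
            # First phase: make no license claims, only record structure.
            "PackageLicenseConcluded: NOASSERTION",
            "PackageLicenseDeclared: NOASSERTION",
            "PackageCopyrightText: NOASSERTION",
            "",
        ]
    # The document DESCRIBES every package; DEPENDS_ON edges come from deps.
    for c in components:
        lines.append(f"Relationship: SPDXRef-DOCUMENT DESCRIBES {spdx_id(c['name'])}")
    for c in components:
        for d in c["deps"]:
            lines.append(f"Relationship: {spdx_id(c['name'])} DEPENDS_ON {spdx_id(d)}")
    return "\n".join(lines) + "\n"


def check_sbom(text):
    """Sanity check before submitting to the SPDX validator: required
    document fields present, every relationship endpoint defined, and both
    license fields present on every package (NOASSERTION counts)."""
    problems = []
    for tag in ("SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                "DocumentNamespace", "Creator", "Created"):
        if not re.search(rf"^{tag}: ", text, re.M):
            problems.append(f"missing {tag}")
    ids = set(re.findall(r"^SPDXID: (\S+)", text, re.M))
    for src, rel, dst in re.findall(r"^Relationship: (\S+) (\S+) (\S+)", text, re.M):
        for ref in (src, dst):
            if ref not in ids:
                problems.append(f"relationship {rel} references undefined {ref}")
    n_pkgs = len(re.findall(r"^PackageName: ", text, re.M))
    for tag in ("PackageLicenseConcluded", "PackageLicenseDeclared"):
        if len(re.findall(rf"^{tag}: ", text, re.M)) != n_pkgs:
            problems.append(f"{tag} missing on some package")
    return problems


if __name__ == "__main__":
    doc = build_sbom(SAMPLE_COMPONENTS)
    print(doc)
    print("problems:", check_sbom(doc))
```

The second phase in the message (filling in declared vs. concluded licenses from SPDX headers) only changes the two license lines per package; the relationship graph, which is where the build system's knowledge is unique, stays the same.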
On Tue, May 18, 2021 at 5:15 PM Trevor Woerner <twoerner@...> wrote: