Yocto SBOM Generation
The meta-runsafe-sbom layer generates a CycloneDX v1.6 compatible Software Bill of Materials for a Yocto build.
Installation
NOTE: This layer currently requires RunSafe Identify to be set up for the repository generating the SBOM. If you have not set up Gremlin or do not plan to use Gremlin, please contact [email protected] for instructions.
- Download the latest `meta-runsafe-sbom` layer to the proper directory in your Yocto project, such as the top level of the poky directory.

```
$ git clone -b master https://gitlab.com/runsafe-foss/meta-runsafe-sbom.git
```

- Add the `meta-runsafe-sbom` layer to your `bblayers.conf` file.

```
$ bitbake-layers add-layer meta-runsafe-sbom
```
SBOM File Location
The SBOM is generated in `build/tmp/deploy/runsafe-sbom/target_sbom.cdx.json`.
Configuration
The metadata component at the top of the CycloneDX SBOM can be configured by setting the following environment variables:
| Variable | Description |
|---|---|
| RUNSAFE_SBOM_METADATA_COMPONENT_NAME | Name of the software or firmware being built. Defaults to yocto-image |
| RUNSAFE_SBOM_METADATA_COMPONENT_VERSION | Version of the software or firmware being built. Defaults to 1.0.0 |
| RUNSAFE_SBOM_METADATA_COMPONENT_SUPPLIER | Name of the supplier. Defaults to Organization: OpenEmbedded () |
| RUNSAFE_SBOM_METADATA_COMPONENT_PREVIOUS_VERSION | Previous version of the software or firmware being built |
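Once the build has produced `target_sbom.cdx.json`, it is worth checking that the file really is CycloneDX 1.6 and that its metadata component carries the values you configured, before handing it to a vulnerability scanner or a customer. The script below is an added example, not part of the meta-runsafe-sbom layer: it reads the SBOM from the documented output path, compares the metadata component against the `RUNSAFE_SBOM_METADATA_*` variables (falling back to the defaults in the table above), and flags components that lack a name or version or reuse a `bom-ref`. It assumes the supplier string is stored as `metadata.component.supplier.name`, which is where CycloneDX records an organizational entity's name; the embedded sample document is constructed for demonstration and is not real build output.

```python
"""Added example (not part of the meta-runsafe-sbom layer): sanity-check a
generated CycloneDX SBOM against the configured metadata component."""
import json
import os
from pathlib import Path

# Default SBOM location relative to the build directory, as documented above.
DEFAULT_SBOM_PATH = Path("build/tmp/deploy/runsafe-sbom/target_sbom.cdx.json")

# Documented defaults for the metadata component variables.
DEFAULTS = {
    "RUNSAFE_SBOM_METADATA_COMPONENT_NAME": "yocto-image",
    "RUNSAFE_SBOM_METADATA_COMPONENT_VERSION": "1.0.0",
    "RUNSAFE_SBOM_METADATA_COMPONENT_SUPPLIER": "Organization: OpenEmbedded ()",
}


def expected_metadata(env=None):
    """Resolve the expected metadata from the environment (or a given mapping),
    falling back to the documented defaults for anything that is unset."""
    env = os.environ if env is None else env
    return {key: env.get(key, default) for key, default in DEFAULTS.items()}


def check_sbom(doc, expected):
    """Return a list of human-readable problems found in a parsed CycloneDX
    document. An empty list means the SBOM matches the configuration."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {doc.get('bomFormat')!r}, expected 'CycloneDX'")
    if doc.get("specVersion") != "1.6":
        problems.append(f"specVersion is {doc.get('specVersion')!r}, expected '1.6'")

    component = doc.get("metadata", {}).get("component", {})
    # Assumption: the supplier string lands in metadata.component.supplier.name,
    # the field CycloneDX uses for an organizational entity's name.
    observed = {
        "RUNSAFE_SBOM_METADATA_COMPONENT_NAME": component.get("name"),
        "RUNSAFE_SBOM_METADATA_COMPONENT_VERSION": component.get("version"),
        "RUNSAFE_SBOM_METADATA_COMPONENT_SUPPLIER": component.get("supplier", {}).get("name"),
    }
    for key, want in expected.items():
        if observed[key] != want:
            problems.append(f"{key}: SBOM has {observed[key]!r}, configuration says {want!r}")

    # Components without a name and version cannot be matched against
    # vulnerability data, and duplicate bom-refs make dependency graphs ambiguous.
    seen_refs = set()
    components = doc.get("components", [])
    for idx, comp in enumerate(components):
        for field in ("name", "version"):
            if not comp.get(field):
                problems.append(f"components[{idx}] is missing {field!r}")
        ref = comp.get("bom-ref")
        if ref is not None:
            if ref in seen_refs:
                problems.append(f"duplicate bom-ref {ref!r}")
            seen_refs.add(ref)
    if not components:
        problems.append("components list is empty")
    return problems


def check_sbom_file(path=DEFAULT_SBOM_PATH, env=None):
    """Load an SBOM from disk and check it; returns the problem list."""
    with open(path, encoding="utf-8") as fh:
        return check_sbom(json.load(fh), expected_metadata(env))


# Constructed sample shaped like a minimal CycloneDX 1.6 document (not real build output).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {
        "component": {
            "type": "firmware",
            "name": "yocto-image",
            "version": "1.0.0",
            "supplier": {"name": "Organization: OpenEmbedded ()"},
        }
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/zlib@1.3.1", "name": "zlib", "version": "1.3.1"},
        {"type": "library", "bom-ref": "pkg:generic/busybox@1.36.1", "name": "busybox", "version": "1.36.1"},
    ],
}

if __name__ == "__main__":
    # Check the real output if a build is present, otherwise the constructed sample.
    if DEFAULT_SBOM_PATH.exists():
        issues = check_sbom_file()
    else:
        issues = check_sbom(SAMPLE_SBOM, expected_metadata({}))
    print("SBOM OK" if not issues else "\n".join(issues))
```

Run it from the directory that contains `build/` after a build; with the `RUNSAFE_SBOM_METADATA_*` variables exported in the same shell, the script compares against exactly what the layer was told to write, so a mismatch points at a variable that did not reach the build environment rather than at the layer itself.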
License
This layer is licensed under the MIT license. See LICENSE for more information. The layer was forked and modified from the bgnetworks/meta-dependency-track repo.