What is an SBOM?
A Software Bill of Materials (SBOM) is a detailed record of all the software components, libraries, and dependencies included in a software project. It provides essential information such as the version of each component, its origin, and its licensing details.
This information is vital for managing software vulnerabilities, ensuring compliance with licensing requirements, and maintaining the overall security of the software.
Read our article on what is a software bill of materials (SBOM).
Why do you need to generate an SBOM for your Yocto-based system?
SBOM generation offers several benefits:
- Transparency: It provides a clear understanding of all the components included in your Linux image, which is essential for managing dependencies and ensuring compatibility.
- License management: It helps software engineers identify all licenses associated with each component.
- Security & compliance: It helps in tracking security vulnerabilities in your system and in complying with cybersecurity regulations (like the Cyber Resilience Act in Europe).
SBOM formats supported by Yocto
1. SPDX
The Software Package Data Exchange (SPDX) format is widely used for documenting software components and their licenses. Yocto supports generating SPDX 2.2 format, which includes information such as package names, URLs, licenses, and more. Styhead now enables SPDX 3.0.1 by default.
Read more about SPDX here.
2. CycloneDX
CycloneDX is a JSON-based format that provides a comprehensive inventory of software components. It includes information about vulnerabilities and can be used to integrate vulnerability data directly into the SBOM. There is no official support for CycloneDX in Yocto, but compatible meta layers can be found easily.
Read more about CycloneDX here.
How to generate an SBOM with Yocto?
Yocto is a powerful tool for building custom Linux distributions for embedded systems. It offers mechanisms to generate an SBOM that integrates all the different software components and libraries used in the system.
Here's how you can generate an SBOM with Yocto (example with the SPDX format). Add the following line to your conf/local.conf:
INHERIT += "create-spdx"
Then run the SPDX creation task for the target package (or build the image as usual):
bitbake -c create_spdx ${TARGET_PACKAGE_NAME}
Output files
Once your SBOM is generated, you'll have three files in tmp/deploy/images/MACHINE/ (in the Build Directory):
- IMAGE-MACHINE.spdx.json (the SPDX document for the whole image)
- IMAGE-MACHINE.spdx.index.json (an index of the SPDX files for the individual recipes)
- IMAGE-MACHINE.spdx.tar.zst (a compressed archive containing the index and the SPDX files for the individual recipes)
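As an added example (not code from the original article or from the Yocto project), the script below inventories an SPDX 2.2 JSON document of the kind create-spdx writes to IMAGE-MACHINE.spdx.json and flags packages a vulnerability scanner cannot match (no CPE reference) or a license review cannot clear (NOASSERTION license). The embedded document is constructed by hand: package names, SPDXIDs, version and CPE values are illustrative and follow the SPDX 2.2 JSON field names, not a real build output.

```python
"""Inventory an SPDX 2.2 JSON SBOM (as emitted by Yocto's create-spdx class
into IMAGE-MACHINE.spdx.json) and flag entries that will hurt downstream
vulnerability or license tracking."""
import json

# Constructed sample in the SPDX 2.2 JSON layout; not a real build output.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "name": "core-image-minimal-qemux86-64",
    "packages": [
        {"SPDXID": "SPDXRef-Recipe-openssl", "name": "openssl",
         "versionInfo": "3.0.8", "licenseDeclared": "Apache-2.0",
         "downloadLocation": "https://www.openssl.org/source/openssl-3.0.8.tar.gz",
         "externalRefs": [{"referenceCategory": "SECURITY",
                           "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.8:*:*:*:*:*:*:*"}]},
        {"SPDXID": "SPDXRef-Recipe-vendor-blob", "name": "vendor-blob",
         "versionInfo": "1.0", "licenseDeclared": "NOASSERTION",
         "downloadLocation": "NOASSERTION", "externalRefs": []},
    ],
})

def inventory(spdx_text):
    """Return one dict per SPDX package: name, version, declared license, CPEs."""
    doc = json.loads(spdx_text)
    rows = []
    for pkg in doc.get("packages", []):
        # CPE identifiers live in externalRefs with referenceType cpe23Type;
        # they are what a CVE scanner uses to match the package against NVD data.
        cpes = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                if r.get("referenceType") == "cpe23Type"]
        rows.append({"name": pkg["name"],
                     "version": pkg.get("versionInfo", "NOASSERTION"),
                     "license": pkg.get("licenseDeclared", "NOASSERTION"),
                     "cpes": cpes})
    return rows

def gaps(rows):
    """Packages with no CPE (unmatchable by a scanner) or an unasserted
    license: these are the recipes to fix (CVE_PRODUCT / LICENSE metadata)."""
    return [r["name"] for r in rows
            if not r["cpes"] or r["license"] == "NOASSERTION"]

if __name__ == "__main__":
    rows = inventory(SAMPLE_SPDX)
    for r in rows:
        print(f"{r['name']:<12} {r['version']:<8} {r['license']:<12} {','.join(r['cpes']) or '-'}")
    print("needs attention:", gaps(rows))
```

Point inventory() at the contents of your own IMAGE-MACHINE.spdx.json to run it over a real build.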
Alternatives to SPDX and CycloneDX for SBOM generation with Yocto
Meta-cvescan is an alternative open-source solution for generating the SBOM of your Yocto system, fully dedicated to vulnerability management. You can use this meta layer available on GitLab here to generate an inventory of all the software packages of your Yocto project in a JSON format.
How to generate an SBOM using meta-cvescan?
After cloning the git repository, add meta-cvescan to your conf/bblayers.conf. Then include the following line in your conf/local.conf:
INHERIT += "cvescan-inventory"
After a standard bitbake operation, an inventory file will be generated in your deploy folder.
Why this new format of Software Bill of Materials (SBOM)?
We, at The Embedded Kit, created this new format to improve the quality of our vulnerability scanning by integrating additional information from the Yocto build (for example the kernel CONFIG options).
Discover more about our vulnerability scanner.