Bitbaking SPDX SBoM, Michael Opdenacker

Video description: Bitbaking SPDX SBoM, Michael Opdenacker

Practical details for generating an SPDX SBoM with the Yocto Project

The Yocto Project has included a "create-spdx" class since version 3.4 ("Honister"). This class makes it possible to generate a "Software Bill of Materials" (SBOM) in the SPDX standard format, which device manufacturers and end users can use, typically for license compliance and for assessing exposure to security vulnerabilities.

However, this class wasn't documented until very recently. Presentations on the topic have also been given, but with more of a contributor focus than a Yocto Project user perspective.

This quick presentation will therefore explain how to use the class and describe the associated variables that control the contents and volume of the output SPDX, all without having to look at the code and the generated files. I already did that for you.
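As an added illustration, not part of the talk or of its description, this is the kind of local.conf fragment the talk is about: enabling the create-spdx class and setting the variables that control how much goes into the generated documents. The variable names are the ones documented for the class in the Yocto Project reference manual; the values, the comments and the namespace URL are my own choices and the URL is a placeholder.

```bitbake
# Added example (not from the talk): enable SPDX SBoM generation for every
# recipe and image in the build
INHERIT += "create-spdx"

# Prefix for the SPDX document namespace; "example.com" is a placeholder,
# replace it with a namespace you control
SPDX_NAMESPACE_PREFIX = "http://example.com/spdx"

# Record which source files went into each package. Useful for license
# audits and for tracing a reported vulnerability to the exact file, at the
# cost of larger documents
SPDX_INCLUDE_SOURCES = "1"

# Bundle the patched sources and the packaged files into the SPDX output.
# These are the main knobs on output volume; they are off ("0") by default
SPDX_ARCHIVE_SOURCES = "0"
SPDX_ARCHIVE_PACKAGED = "0"

# Indent the JSON output so the documents can be read and diffed by hand
SPDX_PRETTY = "1"
```

With this in place, a normal `bitbake <image>` produces per-recipe SPDX documents under tmp/deploy/spdx/ and a combined SBoM next to the image under tmp/deploy/images/; the exact file names depend on the release, so check the class documentation for the version you build with. Keeping the archive variables at "0" and only turning on SPDX_INCLUDE_SOURCES is a reasonable starting point when the SBoM is meant to be fed to a vulnerability scanner rather than redistributed with sources.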
