Hello, I am trying to generate an SBOM using Yocto, but I am having issues exploiting the result and could really use a hand.
I have done the following steps on a "blank" poky repository on the scarthgap branch:

- git clone git://git.yoctoproject.org/poky
- cd poky
- git checkout origin/scarthgap -b my-branch
- source oe-init-build-env

I have then edited my local.conf to include those changes:

    INHERIT += "create-spdx"
    SPDX_PRETTY = "1"

And finally, I compiled the core-image-minimal image for the default qemux86-64 image:

- bitbake core-image-minimal

Once everything is built, I have the following file:

    poky/build/tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.spdx.tar.zst

From here, I'm confused about how to exploit this archive: there are many files in it and I do not understand why some of them seem to be named after the name of the software "component" and others start with "recipe".

I am mainly interested in establishing the list of software "packages" (binaries / libraries...), along with their "owner" and their license. For instance, if I had dropbear embedded in my image, I would like to extract the following information:

    PACKAGE: dropbear
    VERSION: 2022.83
    LICENSE: MIT
    SOURCE SITE: https://matt.ucc.asn.au/dropbear/releases
    OWNER: Matt Johnston <m...@ucc.asn.au>

Also, if possible, having the ability to produce some sort of dependency tree would be really helpful.

Do you have any tips or leads on how to achieve those goals from the produced core-image-minimal-qemux86-64.rootfs.spdx.tar.zst file?

I thank you very much in advance for your help and wish you a nice day!

Regards,
Allan ELKAIM.
View/Reply Online (#63352): https://lists.yoctoproject.org/g/yocto/message/63352
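One way to pull the fields the post asks for, plus a dependency tree, out of the archive, as an added example that is not part of the original post or of Yocto's own tooling: it assumes the .spdx.tar.zst has been unpacked (for example with `tar --zstd -xf`) into a directory of SPDX 2.x JSON documents, that SPDX element IDs are unique across those documents, and that the post's "OWNER" maps to the SPDX supplier/originator fields; the two-document sample embedded below is constructed, not real build output.

```python
import json, sys
from pathlib import Path
def load_spdx_dir(spdx_dir):  # every *.spdx.json under the extracted archive
    return [json.loads(p.read_text(encoding="utf-8"))
            for p in sorted(Path(spdx_dir).rglob("*.spdx.json"))]

def package_inventory(docs):  # SPDXID -> the fields the post asks for (NOASSERTION if absent)
    inv = {}
    for pkg in (p for d in docs for p in d.get("packages", [])):
        inv[pkg["SPDXID"]] = {
            "PACKAGE": pkg.get("name", "NOASSERTION"),
            "VERSION": pkg.get("versionInfo", "NOASSERTION"),
            "LICENSE": pkg.get("licenseDeclared", "NOASSERTION"),
            "SOURCE SITE": pkg.get("downloadLocation", "NOASSERTION"),
            "OWNER": pkg.get("supplier") or pkg.get("originator") or "NOASSERTION"}
    return inv

def dependency_graph(docs):  # dependent SPDXID -> {dependency SPDXIDs}
    graph = {}
    for rel in (r for d in docs for r in d.get("relationships", [])):
        # "DocumentRef-x:SPDXRef-y" -> "SPDXRef-y" (assumed unique across the archive's documents)
        a, b = rel["spdxElementId"].split(":")[-1], rel["relatedSpdxElement"].split(":")[-1]
        if rel.get("relationshipType") in ("RUNTIME_DEPENDENCY_OF", "BUILD_DEPENDENCY_OF"):
            graph.setdefault(b, set()).add(a)  # "A ..._DEPENDENCY_OF B": B depends on A
        elif rel.get("relationshipType") == "DEPENDS_ON":
            graph.setdefault(a, set()).add(b)  # "A DEPENDS_ON B": A depends on B
    return graph

def dependency_tree(graph, root, inv, depth=0, path=()):  # indented names; cycles cut short
    name = inv.get(root, {}).get("PACKAGE", root)
    if root in path:
        return ["  " * depth + name + " (cycle)"]
    lines = ["  " * depth + name]
    for dep in sorted(graph.get(root, ())):
        lines += dependency_tree(graph, dep, inv, depth + 1, path + (root,))
    return lines

# Constructed sample in the shape of OE's SPDX 2.x JSON output; not a real build artefact.
SAMPLE_DOCS = [
    {"packages": [{"SPDXID": "SPDXRef-Recipe-dropbear", "name": "dropbear", "versionInfo": "2022.83",
                   "licenseDeclared": "MIT", "downloadLocation": "https://matt.ucc.asn.au/dropbear/releases",
                   "supplier": "Organization: OpenEmbedded ()"}],
     "relationships": [{"spdxElementId": "DocumentRef-zlib:SPDXRef-Recipe-zlib", "relationshipType":
                        "BUILD_DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-Recipe-dropbear"}]},
    {"packages": [{"SPDXID": "SPDXRef-Recipe-zlib", "name": "zlib", "licenseDeclared": "Zlib"}]}]
if __name__ == "__main__":  # python spdx_inventory.py <dir of extracted *.spdx.json>
    docs = load_spdx_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DOCS
    inv, graph = package_inventory(docs), dependency_graph(docs)
    print(json.dumps(inv, indent=2))
    print(*(l for sid in inv for l in dependency_tree(graph, sid, inv)), sep="\n")
```

Run without arguments it uses the constructed sample; with the extraction directory as argument it lists every package in the real archive and prints a tree under each one, so entries whose OWNER comes back as the generic supplier show where the SBOM carries no upstream maintainer.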