Yocto SBOM

From Variscite Wiki
DART-MX8M-PLUS - Software Bill of Material (SBOM)

A Software Bill of Materials (SBOM) can be generated automatically during the Yocto build process.

An SBOM lists all components used to build the Yocto image or individual packages.

Generating the Software Bill of Materials

SBOM generation is controlled by the create-spdx class.

By default, SBOM generation is enabled for mx8mp-yocto-scarthgap-6.6.23_2.0.0-v1.0. To disable it, add:

INHERIT:remove = "create-spdx"

to the file conf/local.conf.

Effect of Enabling SBOM Generation

Enabling SBOM generation does not change the target image or the built packages.

The build time increases slightly because an extra task is added for each package to create SPDX data. For example, generating SPDX data for 10,000 packages on a test system took less than 2 minutes.

At least 1 GB of free disk space is recommended for SBOM data. Larger images may require more space.

Viewing and Analyzing SPDX Files

SPDX files are in JSON format. This format is suitable for both machine processing and human reading.

To view SBOM data quickly, use the jq tool to format the JSON output.

jq can be installed with the following command:

sudo apt-get -y install jq

Here is example output from running jq on a package-level SPDX document:

$ jq . u-boot-variscite-splash.spdx.json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "creationInfo": {
    "comment": "This document was created by analyzing packages created during the build.",
    "created": "2025-06-28T12:14:25Z",
    "creators": [
      "Tool: OpenEmbedded Core create-spdx.bbclass",
      "Organization: OpenEmbedded ()",
      "Person: N/A ()"
    ],
    "licenseListVersion": "3.14"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "http://spdx.org/spdxdoc/u-boot-variscite-splash-1bc26fd1-c6dc-5e40-a6c0-440db4016499",
  "externalDocumentRefs": [
    {
      "checksum": {
        "algorithm": "SHA1",
        "checksumValue": "1da13207cb0878503154286a51ecc891ce383561"
      },
      "externalDocumentId": "DocumentRef-recipe-u-boot-variscite",
      "spdxDocument": "http://spdx.org/spdxdoc/recipe-u-boot-variscite-6c0102e3-03fc-5a6b-96af-7134f7ac4d93"
    }
  ],
  "files": [
    {
  [..]

For detailed analysis, use a dedicated SPDX tool. A list of available tools is provided by The Linux Foundation at: https://spdx.dev/use/spdx-tools/
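As an added example (not code from the Variscite wiki or from OpenEmbedded), the following Python script reads a create-spdx style SPDX 2.x document of the shape shown above, recomputes the SHA1 checksum recorded in each externalDocumentRefs entry against the referenced document, and lists packages whose licenseConcluded is NOASSERTION. The document contents, package names, URI and the fetch callback are constructed for the example.

```python
"""Audit a create-spdx style SPDX 2.x JSON document (added example, not OE's code)."""
import hashlib
import json

# Constructed stand-in for a referenced recipe document. In a real build this
# would be the recipe-<name>.spdx.json file the package document points at.
RECIPE_DOC = json.dumps({"SPDXID": "SPDXRef-DOCUMENT", "name": "recipe-example"}).encode()

# Constructed package-level document with the same top-level keys as the jq output.
PACKAGE_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "dataLicense": "CC0-1.0",
    "externalDocumentRefs": [
        {
            "checksum": {"algorithm": "SHA1",
                         "checksumValue": hashlib.sha1(RECIPE_DOC).hexdigest()},
            "externalDocumentId": "DocumentRef-recipe-example",
            "spdxDocument": "http://spdx.org/spdxdoc/recipe-example-0000",  # constructed URI
        }
    ],
    "packages": [
        {"name": "example", "versionInfo": "1.0", "licenseConcluded": "MIT"},
        {"name": "example-dbg", "versionInfo": "1.0", "licenseConcluded": "NOASSERTION"},
    ],
}


def verify_external_refs(doc, fetch):
    """Return {externalDocumentId: bool} by recomputing each referenced document's
    checksum. `fetch(uri)` (hypothetical callback) returns the referenced bytes."""
    results = {}
    for ref in doc.get("externalDocumentRefs", []):
        algo = ref["checksum"]["algorithm"].lower()  # SPDX "SHA1" -> hashlib "sha1"
        digest = hashlib.new(algo, fetch(ref["spdxDocument"])).hexdigest()
        results[ref["externalDocumentId"]] = digest == ref["checksum"]["checksumValue"]
    return results


def packages_without_license(doc):
    """Names of packages whose concluded license is absent or NOASSERTION."""
    return [p["name"] for p in doc.get("packages", [])
            if p.get("licenseConcluded", "NOASSERTION") == "NOASSERTION"]


if __name__ == "__main__":
    print(verify_external_refs(PACKAGE_DOC, lambda uri: RECIPE_DOC))
    print(packages_without_license(PACKAGE_DOC))
```

For a real build, replace PACKAGE_DOC with json.load() of a *.spdx.json file from the deploy directory and make the fetch callback open the referenced recipe document from the same tree.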

Further Reading

Creating a Software Bill of Materials in Yocto

SPDX Project Website