# Yocto SBOM Generation

The `meta-runsafe-sbom` layer generates a CycloneDX v1.6 compatible Software Bill of Materials (SBOM) for a Yocto build.
## Installation

NOTE: This layer currently requires RunSafe Identify to be set up for the repository generating the SBOM. If you have not set up Gremlin or do not plan to use Gremlin, please contact support@runsafesecurity.com for instructions.

- Download the latest `meta-runsafe-sbom` layer to the proper directory in your Yocto project, such as the top level of the poky directory.

  ```
  $ git clone -b master https://gitlab.com/runsafe-foss/meta-runsafe-sbom.git
  ```

- Add the `meta-runsafe-sbom` layer to your `bblayers.conf` file.

  ```
  $ bitbake-layers add-layer meta-runsafe-sbom
  ```
## SBOM File Location

The SBOM is generated in `build/tmp/deploy/runsafe-sbom/target_sbom.cdx.json`.
## Configuration

The metadata component at the top of the CycloneDX SBOM can be configured by setting the following environment variables:

| Variable | Description |
|---|---|
| `RUNSAFE_SBOM_METADATA_COMPONENT_NAME` | Name of the software or firmware being built. Defaults to `yocto-image` |
| `RUNSAFE_SBOM_METADATA_COMPONENT_VERSION` | Version of the software or firmware being built. Defaults to `1.0.0` |
| `RUNSAFE_SBOM_METADATA_COMPONENT_SUPPLIER` | Name of the supplier. Defaults to `Organization: OpenEmbedded ()` |
| `RUNSAFE_SBOM_METADATA_COMPONENT_PREVIOUS_VERSION` | Previous version of the software or firmware being built |
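Because the metadata component is what downstream tooling uses to identify the product the SBOM describes, it is worth checking after a build that the generated file actually carries the configured name, version and supplier, and that it is the CycloneDX 1.6 document the layer promises. The script below is an added example and not part of the `meta-runsafe-sbom` layer: it reads the same `RUNSAFE_SBOM_METADATA_COMPONENT_*` variables and defaults listed in the table above, compares them against an SBOM's `metadata.component`, and flags components that carry no `purl` (without one, a component cannot be matched to advisories by identifier). The embedded sample SBOM is constructed for the example; in practice you would point the script at `build/tmp/deploy/runsafe-sbom/target_sbom.cdx.json`.

```python
"""Post-build sanity check for a CycloneDX SBOM (added example, not layer code)."""
import json
import os
import sys

# Constructed sample SBOM so the script runs offline; not real build output.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {
        "component": {
            "type": "firmware",
            "name": "acme-gateway",
            "version": "2.3.1",
            "supplier": {"name": "Organization: Acme Corp"},
        }
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        # Deliberately missing a purl so the check has something to report.
        {"type": "library", "name": "zlib", "version": "1.3.1"},
    ],
})


def expected_metadata(env=None):
    """Resolve the expected metadata component from the layer's environment
    variables, falling back to the defaults documented in the README table."""
    env = os.environ if env is None else env
    return {
        "name": env.get("RUNSAFE_SBOM_METADATA_COMPONENT_NAME", "yocto-image"),
        "version": env.get("RUNSAFE_SBOM_METADATA_COMPONENT_VERSION", "1.0.0"),
        "supplier": env.get("RUNSAFE_SBOM_METADATA_COMPONENT_SUPPLIER",
                            "Organization: OpenEmbedded ()"),
    }


def check_sbom(sbom_text, expected):
    """Return a list of findings; an empty list means the SBOM passed."""
    findings = []
    bom = json.loads(sbom_text)

    # Format and version must be what the layer claims to emit.
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if bom.get("specVersion") != "1.6":
        findings.append(f"specVersion is {bom.get('specVersion')!r}, expected '1.6'")

    # metadata.component must reflect the configured product identity.
    comp = bom.get("metadata", {}).get("component", {})
    if comp.get("name") != expected["name"]:
        findings.append(f"metadata name {comp.get('name')!r} != {expected['name']!r}")
    if comp.get("version") != expected["version"]:
        findings.append(f"metadata version {comp.get('version')!r} != {expected['version']!r}")
    supplier = comp.get("supplier", {}).get("name")
    if supplier != expected["supplier"]:
        findings.append(f"metadata supplier {supplier!r} != {expected['supplier']!r}")

    # Components without a package URL cannot be matched to advisories by identifier.
    for c in bom.get("components", []):
        if not c.get("purl"):
            findings.append(f"component {c.get('name')}@{c.get('version')} has no purl")
    return findings


if __name__ == "__main__":
    # Usage: python check_sbom.py [path/to/target_sbom.cdx.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SBOM
    problems = check_sbom(text, expected_metadata())
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it in the same shell where the `RUNSAFE_SBOM_METADATA_COMPONENT_*` variables were exported for the build, so the expected values match what the layer was given; a non-zero exit makes it usable as a CI gate.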
## License

This layer is licensed under the MIT license. See `LICENSE` for more information. The layer was forked and modified from the bgnetworks/meta-dependency-track repo.