diff options
Diffstat (limited to 'documentation/dev-manual/sbom.rst')
| -rw-r--r-- | documentation/dev-manual/sbom.rst | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index b72bad1554..e6806ce929 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst | |||
| @@ -24,12 +24,20 @@ users can read in standardized format. | |||
| 24 | :term:`SBOM` information is also critical to performing vulnerability exposure | 24 | :term:`SBOM` information is also critical to performing vulnerability exposure |
| 25 | assessments, as all the components used in the Software Supply Chain are listed. | 25 | assessments, as all the components used in the Software Supply Chain are listed. |
| 26 | 26 | ||
| 27 | The OpenEmbedded build system doesn't generate such information by default. | 27 | The OpenEmbedded build system doesn't generate such information by default, |
| 28 | To make this happen, you must inherit the | 28 | though the :term:`Poky` reference distribution has it enabled out of the box. |
| 29 | :ref:`ref-classes-create-spdx` class from a configuration file:: | 29 | |
| 30 | To enable it, inherit the :ref:`ref-classes-create-spdx` class from a | ||
| 31 | configuration file:: | ||
| 30 | 32 | ||
| 31 | INHERIT += "create-spdx" | 33 | INHERIT += "create-spdx" |
| 32 | 34 | ||
| 35 | In the :term:`Poky` reference distribution, :term:`SPDX` generation does | ||
| 36 | consume some build time resources and thus if needed it can be disabled from a | ||
| 37 | :term:`configuration file`:: | ||
| 38 | |||
| 39 | INHERIT:remove = "create-spdx" | ||
| 40 | |||
| 33 | Upon building an image, you will then get: | 41 | Upon building an image, you will then get: |
| 34 | 42 | ||
| 35 | - :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in | 43 | - :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in |