Automated SBoM generation with OpenEmbedded and the Yocto Project

CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/61945 (DOI)

Publisher

FOSDEM VZW

Release Date

2023

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

SBoM are becoming a critical component in ensuring the integrity of our Software Supply Chains. Many current tools for SBoMs generation focus on two ways of generating SBoMs: generating them from the initial source code, or post-mortem analysis of completed systems and artifacts. While these are both valid and useful methods of analysis, less focus has been put on the tooling that pulls upstream source code together and generates the completed system artifacts, such as a distro build system or more generically any "meta-build" system. Using OpenEmbedded as a case study, Joshua will cover the unique strengths that generating SBoMs in meta-build systems can provide, as well as the challenges when trying to do so.