> We are planning to release SPDX SBOMs along with our images to provide package
> information about the software components that make them up.
>
> As it currently stands today, bootloader components are not included in the
> final SBOM generated for the image. In particular, for our machines based on
> i.MX SoCs, the imx-boot container, along with boot components (ATF, SECO, SCFW),
> have their SPDX files generated in spdx/, but not included in the image SBOM.
>
> If I understand correctly, the SBOM is generated by looking at the packages in
> the rootfs, and recursively adding their SPDX entries along with the ones for
> their dependencies. In our builds, I found that U-Boot does get included in
> the SBOM, but in our particular case this seems to be due to the presence of
> libubootenv in the rootfs, which has the U-Boot recipe in its dependency chain,
> so the inclusion of U-Boot in the SBOM is only a side effect.
>
> I have not seen anyone raise this as an issue, but my intuition is that this
> information should be included in the SBOM. Despite not making it to the
> rootfs, these boot components are still part of the image. CVE information
> about them, for example, is relevant to users.
>
> My question is, is there any configuration that should be set to include these
> components? I couldn't find anything about this in the documentation or in the
> code. If there is no configuration regarding this, would a contribution to add
> components such as these be welcome?
Following up on this, I just wanted to know if this behavior is intended to stay as it currently is or if it's worth working on a patch to add components beyond the ones that are in the final rootfs.

Kind regards,
Leonardo
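A coverage check for the gap described above, added here as an example (not code from the thread or from OpenEmbedded's create-spdx class): it loads an image SPDX JSON document, lists the packages and referenced per-recipe documents it mentions, reports which expected boot components are missing, and shows which rootfs package pulled U-Boot in as a side effect. The sample SBOM is constructed, and the `DocumentRef-recipe-<recipe>` naming of external references is an assumption.

```python
"""Check which boot components an image SPDX SBOM actually mentions.
Added example, not code from the thread or from OpenEmbedded's create-spdx
class. Assumes SPDX 2.x JSON in which per-recipe documents are referenced
as "DocumentRef-recipe-<recipe>" (an assumed naming convention).
"""
import json

# Constructed image SBOM: U-Boot is reached only through libubootenv's
# dependency, as the thread describes; no i.MX boot container is referenced.
IMAGE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [{"SPDXID": "SPDXRef-Package-libubootenv", "name": "libubootenv"}],
    "externalDocumentRefs": [{"externalDocumentId": "DocumentRef-recipe-u-boot",
                              "spdxDocument": "http://spdx.example/recipe-u-boot"}],
    "relationships": [{"spdxElementId": "SPDXRef-Package-libubootenv",
                       "relationshipType": "DEPENDS_ON",
                       "relatedSpdxElement":
                           "DocumentRef-recipe-u-boot:SPDXRef-Package-u-boot"}],
})

# "u-boot" and "imx-boot" are recipe names from the thread; the ATF, SECO and
# SCFW entries are placeholders, since their recipe names differ by layer.
BOOT_COMPONENTS = ("u-boot", "imx-boot", "atf", "seco", "scfw")

def referenced_names(sbom_json):
    """Package names declared in the document plus recipes it references."""
    doc = json.loads(sbom_json)
    names = {p["name"] for p in doc.get("packages", [])}
    for ref in doc.get("externalDocumentRefs", []):
        ident = ref["externalDocumentId"].removeprefix("DocumentRef-")
        names.add(ident.removeprefix("recipe-"))
    return names

def missing_components(sbom_json, expected=BOOT_COMPONENTS):
    """Expected components the SBOM never mentions, in the given order."""
    present = {n.lower() for n in referenced_names(sbom_json)}
    return [c for c in expected if c.lower() not in present]

def dependents_of(sbom_json, name):
    """SPDX ids that DEPENDS_ON an element mentioning `name` (who pulled it in)."""
    rels = json.loads(sbom_json).get("relationships", [])
    return sorted(r["spdxElementId"] for r in rels
                  if r["relationshipType"] == "DEPENDS_ON"
                  and name in r["relatedSpdxElement"])

if __name__ == "__main__":
    print("missing from image SBOM:", missing_components(IMAGE_SBOM))
    print("u-boot pulled in by:", dependents_of(IMAGE_SBOM, "u-boot"))
```

Run against a real image SBOM by replacing `IMAGE_SBOM` with the file contents and `BOOT_COMPONENTS` with the recipe names your layer uses; an empty result from `missing_components` means every boot component is at least referenced.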
View/Reply Online (#238105): https://lists.openembedded.org/g/openembedded-core/message/238105
