Hi,

On Fri, 2020-12-18 at 15:15 -0500, Jérôme Carretero wrote:
> Please correct me if I'm wrong but as far as I understand it, as of
> today the flow for generating SPDX data to build software BoMs,
> documented e.g. in:
> 
> - https://www.fossology.org/get-started/basic-workflow/
> - https://elinux.org/images/2/20/License_Compliance_in_Embedded_Linux_with_the_Yocto_Project.pdf
> 
> involves building your own database of SPDX files after reviewing all
> the sources, which doesn't look to be something within reach of most
> businesses.

The challenge is that Yocto Project lets you build your own custom
software, which means you also end up in your own BoM situation. We
generally therefore provide tooling that can help you generate the
information you need but there usually isn't "one size fits all".

I would mention the meta-spdxscanner layer as having
support/integration for some of the more recent scanning and document
generation tools.

> I am wondering by extension:
> 
> - Whether there are businesses selling pre-masticated SPDX data
>   (I can imagine one would be willing to pay a little something to
>   obtain a collection of "certified" (or possibly "insured") SPDX);

I'm sure there are services provided, particularly by some of the
member OSVs but as I mention above, it's hard to have a one size fits
all since you can patch or reconfigure the sources at will.

> - Whether there are (plans for having) public, collaborative
>   repositories of SPDX data that could be trusted over automatic
>   scans of source.

We are hoping to have better tools integration where the build process
may be able to generate better SBoM and SPDX information directly.
Unfortunately it's an area where it's hard to find people willing to
contribute.

Cheers,

Richard
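As an added illustration of the point raised in this thread (that scanner output only becomes a trustworthy BoM once someone has reviewed what the scan could not conclude), the following example parses SPDX 2.x tag-value documents, one per package as a scanner layer might emit them, and lists the packages whose licence data still needs a human look. It is not code from the Yocto Project, meta-spdxscanner or FOSSology; the three sample documents, the package names and the `needs_review` rules are constructed for this example.

```python
"""Parse SPDX 2.x tag-value documents and flag packages whose licence data
still needs human review before the build's BoM can be trusted.
Added example; constructed input, not real scanner output."""
import re
from typing import Dict, List, Tuple

# A tag-value line is "Tag: value". Multi-line values are wrapped in <text>...</text>.
TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")
UNRESOLVED = {"NOASSERTION", "NONE"}  # licence values the spec treats as "unknown"

# Constructed sample documents (assumed shape; not output of any real recipe).
SAMPLE_DOCS = [
    """SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: zlib-1.2.11
PackageName: zlib
SPDXID: SPDXRef-Package-zlib
PackageVersion: 1.2.11
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib
PackageCopyrightText: <text>Copyright (C) 1995-2017 Jean-loup Gailly
and Mark Adler</text>
""",
    """SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: busybox-1.32.0
PackageName: busybox
SPDXID: SPDXRef-Package-busybox
PackageVersion: 1.32.0
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
""",
    """SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: libfoo-0.9
PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 0.9
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
""",
]


def parse_tag_value(text: str) -> List[Tuple[str, str]]:
    """Return (tag, value) pairs in document order; <text> blocks are unwrapped."""
    pairs: List[Tuple[str, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"malformed tag-value line: {line!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>") and not value.rstrip().endswith("</text>"):
            chunk = [value]  # gather continuation lines up to the closing marker
            while i < len(lines):
                chunk.append(lines[i])
                i += 1
                if chunk[-1].rstrip().endswith("</text>"):
                    break
            else:
                raise ValueError(f"unterminated <text> in tag {tag}")
            value = "\n".join(chunk)
        if value.startswith("<text>"):
            value = value[len("<text>"):].rstrip()[: -len("</text>")]
        pairs.append((tag, value.strip()))
    return pairs


def packages_from_doc(text: str) -> List[Dict[str, str]]:
    """Group Package* tags into one dict per package; a new package starts at each PackageName."""
    packages: List[Dict[str, str]] = []
    current = None
    for tag, value in parse_tag_value(text):
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None and tag.startswith("Package"):
            current[tag] = value
    return packages


def review_report(docs: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Summarise the BoM and flag packages whose concluded licence is unresolved
    or disagrees with the declared one: neither can be trusted unreviewed."""
    report: Dict[str, List[Dict[str, str]]] = {"packages": [], "needs_review": []}
    for doc in docs:
        for pkg in packages_from_doc(doc):
            concluded = pkg.get("PackageLicenseConcluded", "NOASSERTION")
            declared = pkg.get("PackageLicenseDeclared", "NOASSERTION")
            entry = {"name": pkg["PackageName"], "version": pkg.get("PackageVersion", ""), "license": concluded}
            report["packages"].append(entry)
            if concluded in UNRESOLVED:
                report["needs_review"].append({**entry, "reason": "licence not concluded"})
            elif concluded != declared:
                report["needs_review"].append({**entry, "reason": f"concluded {concluded} != declared {declared}"})
    return report


if __name__ == "__main__":
    for item in review_report(SAMPLE_DOCS)["needs_review"]:
        print(f"{item['name']} {item['version']}: {item['reason']}")
```

Run as a script it prints the two constructed packages that need review (busybox with no concluded licence, libfoo where concluded and declared disagree); the zlib entry passes. The same functions can be pointed at a directory of real tag-value files to get a first triage list before anyone starts reading sources.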
