SBOMs

[ajlennon]

I'd really like to produce and document source code bill of materials (SBOMs) for the main components of the repository.

This would lead into tracking open CVEs and thus aim to provide compliance with best practice and upcoming security legislation.

Does anybody have any thoughts, ideas on how we might want to go about this? @Livius90 @karthago1 ?

[Livius90]

I think openembedded already done this:
https://layers.openembedded.org/layerindex/branch/master/layer/meta-mono/

If you like to make some further docs you can following that how AMD-Xilinx improved its meta-xilinx:
https://github.com/Xilinx/meta-xilinx/tree/master/docs
They have some "user guide" for meta-xilinx layer in markdown files.

[karthago1]

adding the following to bitbake will generate a dependency dot file for an image

INHERIT += "buildhistory"
BUILDHISTORY_COMMIT = "1"

https://docs.yoctoproject.org/dev-manual/build-quality.html#maintaining-build-output-quality

so with some logic, it should be possible to get all (direct and indirect) dependencies related to a specific recipe.

another possible solution might be https://docs.yoctoproject.org/dev/dev-manual/sbom.html.
I still didn't explore this solution yet.

(the security topic is becoming more important for companies. I might have to deal with this topic in the near future)