On Wed, May 15, 2024 at 11:11 AM Marta Rybczynska <[email protected]> wrote:
>
> Hello all,
> As this discussion might be interesting to multiple people, I post it to YP 
> list and the OE architecture list.
>
> In the VEX work (the status will go out in a moment in a separate message), 
> we're collecting SPDX and CVE files for builds to re-run the CVE checks later 
> (potentially months later). The CVE check file is generated for both the 
> image and the build as it is (including the SDK).
>
> On the other hand, the SPDX archive is generated for the image only, and 
> contains only packages from the system image itself, omitting the build 
> system. This is possible for us to get all the partial SPDX files from the 
> build dir, but we do not expect the complete build dir to be kept for months.

Can you clarify what you mean by "build" here? We do generate SPDX for
the "native" recipes used during the build, and they are in the final
SPDX generated for an image, so we do have some idea of the "build"
tools used to generate an image.

>
> So, the question is, what people plan to archive from the build? Do we need 
> to archive the whole SPDX output too? This is an interesting question for 
> example in case of "world" builds.

The algorithm for creating the final SBoM for SPDX is actually pretty
generic: Given a single starting document that has some references to
external SPDX objects, it finds the documents that provide those
objects and adds those documents to the final SBoM. It then
re-calculates all of the (missing) external SPDX objects from the new
SBoM and repeats the process of adding documents to the SBoM until
either all references are satisfied, or the references are known to
not exist in the current build (which generates a warning, since it's
not really expected).

The nice thing about this algorithm is that we can really generate a
SBoM for anything as long as you have the document (e.g. initial
objects) you want to start from. As such, we should be able to
generate SBoMs for world builds, individual packages, or just about
whatever we want.

>
> Kind regards,
> Marta
>
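The fixed-point merge described in the reply above, as an added illustration in Python that is not part of this thread or of oe-core's own SPDX tooling; the `SpdxDoc` model, the namespace prefix and the in-memory stand-in for the deploy directory are all constructed for the example.

```python
from dataclasses import dataclass, field

NS = "https://spdx.example.invalid/"  # constructed documentNamespace prefix

@dataclass
class SpdxDoc:
    namespace: str                                   # documentNamespace
    ids: set[str]                                    # SPDXRef-* defined here
    refs: set[tuple[str, str]] = field(default_factory=set)  # (namespace, SPDXRef) used

def build_sbom(start: SpdxDoc, deploy: dict[str, SpdxDoc]):
    """Collect `start` plus every document reachable through external refs.

    `deploy` (documentNamespace -> document) stands in for the per-recipe SPDX
    files in a build's deploy directory. Returns (sbom, unresolved_refs).
    """
    sbom = {start.namespace: start}
    unresolved: set[tuple[str, str]] = set()
    while True:
        # Recompute every external reference the current SBoM does not satisfy
        missing = {ref for doc in sbom.values() for ref in doc.refs
                   if not (ref[0] in sbom and ref[1] in sbom[ref[0]].ids)}
        progress = False
        for ns, spdx_id in sorted(missing):
            provider = deploy.get(ns)
            if provider is not None and spdx_id in provider.ids:
                sbom[ns] = provider            # pull the providing document in
                progress = True
            else:
                unresolved.add((ns, spdx_id))  # not in this build: warn
        if not progress:                       # fixed point reached
            return sbom, unresolved

# Constructed stand-in for a deploy directory: an image depending on busybox,
# which depends on glibc and a native toolchain; the latter refers to a
# document that was never produced in this build.
DEPLOY = {d.namespace: d for d in [
    SpdxDoc(NS + "core-image-minimal", {"SPDXRef-image"},
            {(NS + "busybox", "SPDXRef-Package-busybox")}),
    SpdxDoc(NS + "busybox", {"SPDXRef-Package-busybox"},
            {(NS + "glibc", "SPDXRef-Package-glibc"),
             (NS + "gcc-cross-native", "SPDXRef-Package-gcc")}),
    SpdxDoc(NS + "glibc", {"SPDXRef-Package-glibc"}),
    SpdxDoc(NS + "gcc-cross-native", {"SPDXRef-Package-gcc"},
            {(NS + "not-in-build", "SPDXRef-Package-x")}),
]}
```

Calling `build_sbom(DEPLOY[NS + "core-image-minimal"], DEPLOY)` pulls in all four documents and reports the dangling reference to `not-in-build`; starting from `DEPLOY[NS + "glibc"]` instead yields a one-document SBoM, the "individual package" case the reply mentions.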