"Marta Rybczynska" <[email protected]> writes: > On Wed, May 15, 2024 at 8:09 PM Joshua Watt <[email protected]> wrote: > > On Wed, May 15, 2024 at 11:11 AM Marta Rybczynska <[email protected]> > wrote: > > So, the question is, what people plan to archive from the build? Do > > we need to archive the whole SPDX output too? This is an > > interesting question for example in case of "world" builds.. > > The algorithm for creating the final SBoM for SPDX is actually pretty > generic: Given a single starting document that has some references to > external SPDX objects, it finds the documents that provide those > objects and adds those documents to the final SBoM. It then > re-calculates all of the (missing) external SPDX objects from the new > SBoM and repeats the process of adding documents to the SBoM until > either all references are satisfied, or the references are known to > not exist in the current build (which generates a warning, since it's > not really expected). > > The nice thing about this algorithm is that we can really generate a > SBoM for anything as long as you have the document (e.g. initial > objects) you want to start from. As such, we should be able to > generate SBoMs for world builds, individual packages, or just about > whatever we want. > > I'm wondering what makes sense to store: on one side, image is > something that people flash on the device, so we definitely want to > keep it. If there is a vulnerability in the compiler used to build, it > does not necessarily affect the image (and you do not need to update > it); except the case it affects the generated code. It makes then > sense to store SDK and image status separately. > > I'd like to head opinions from people who use the SPDX generation, if > there is a preference.
As SDK is something that is potentially delivered to customers, having
SBoM for it definitely makes sense, and I believe any output of security
scanning/analysis would also make sense.

As for the native recipes, I don't think I will ever want to see that in
any of this.

/Esben
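The document-closure algorithm Joshua describes in the quoted message (start from one SPDX document, pull in the documents that provide its external references, recompute what is still missing, repeat until everything resolves or is known to be absent) is easy to get subtly wrong around termination, so here is an added, self-contained sketch of it in Python. This is illustrative code written for this thread, not the OpenEmbedded SPDX implementation: the `SpdxDoc` record, `assemble_sbom`, the document names and the `SPDXRef-*` identifiers are all constructed for the example. The same pool of documents is used with two different roots (an image and an SDK), which is the "store image and SDK separately" case Marta raises; a build-time-only reference that no document in the pool provides ends up in the unresolved set, matching the warning the algorithm emits.

```python
"""Transitive assembly of an SBoM from SPDX-style documents (added example,
not the OpenEmbedded SPDX code). Each document declares the SPDX element
IDs it provides and the external IDs it references; starting from a root
document we add providers until every reference is satisfied or is known
to have no provider in the pool."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple
import warnings


@dataclass(frozen=True)
class SpdxDoc:
    name: str                  # hypothetical document name, e.g. "recipe-glibc"
    provides: frozenset        # SPDX IDs defined in this document
    references: frozenset      # SPDX IDs used here but defined elsewhere


def build_provider_index(docs: Iterable[SpdxDoc]) -> Dict[str, SpdxDoc]:
    """Map each SPDX ID to the one document that defines it."""
    index: Dict[str, SpdxDoc] = {}
    for doc in docs:
        for spdx_id in doc.provides:
            if spdx_id in index and index[spdx_id] is not doc:
                raise ValueError(f"{spdx_id} defined by both "
                                 f"{index[spdx_id].name} and {doc.name}")
            index[spdx_id] = doc
    return index


def assemble_sbom(root: SpdxDoc,
                  pool: Iterable[SpdxDoc]) -> Tuple[List[str], Set[str]]:
    """Return (included document names in insertion order, unresolved IDs).

    Loop invariant: every ID in `unresolved` has already been looked up and
    has no provider, so it never reappears in `missing`; each iteration
    therefore either adds a document or grows `unresolved`, which bounds
    the number of iterations by the pool size plus the number of IDs."""
    index = build_provider_index(pool)
    included: Dict[str, SpdxDoc] = {root.name: root}
    unresolved: Set[str] = set()
    while True:
        provided = set().union(*(d.provides for d in included.values()))
        referenced = set().union(*(d.references for d in included.values()))
        # "re-calculate the missing external objects from the new SBoM"
        missing = referenced - provided - unresolved
        if not missing:
            break
        for spdx_id in sorted(missing):       # sorted for deterministic output
            provider = index.get(spdx_id)
            if provider is None:
                # Reference to something outside the current build: warn, as
                # the quoted algorithm does, but do not abort the assembly.
                warnings.warn(f"no document provides {spdx_id}")
                unresolved.add(spdx_id)
            else:
                included.setdefault(provider.name, provider)
    return list(included), unresolved


# Constructed sample pool: an image, a recipe with a build-only dependency on a
# cross compiler that has no document in the pool, and an SDK sharing glibc.
POOL = [
    SpdxDoc("image-core", frozenset({"SPDXRef-Image-core"}),
            frozenset({"SPDXRef-Package-busybox", "SPDXRef-Package-glibc"})),
    SpdxDoc("recipe-busybox", frozenset({"SPDXRef-Package-busybox"}),
            frozenset({"SPDXRef-Package-glibc", "SPDXRef-Package-gcc-cross"})),
    SpdxDoc("recipe-glibc", frozenset({"SPDXRef-Package-glibc"}), frozenset()),
    SpdxDoc("sdk-host", frozenset({"SPDXRef-SDK"}),
            frozenset({"SPDXRef-Package-glibc",
                       "SPDXRef-Package-nativesdk-python3"})),
    SpdxDoc("recipe-nativesdk-python3",
            frozenset({"SPDXRef-Package-nativesdk-python3"}), frozenset()),
]


def sbom_for(root_name: str) -> Tuple[List[str], Set[str]]:
    """Assemble the SBoM for the pool document with the given name."""
    root = next(d for d in POOL if d.name == root_name)
    return assemble_sbom(root, POOL)


if __name__ == "__main__":
    for name in ("image-core", "sdk-host"):
        docs, unresolved = sbom_for(name)
        print(name, "->", docs, "unresolved:", sorted(unresolved))
```

Running the module assembles two separate SBoMs from one pool: the image SBoM pulls in busybox and glibc and reports the cross compiler reference as unresolved, while the SDK SBoM pulls in glibc and nativesdk-python3 with nothing unresolved. Dropping native or cross documents from the pool (as Esben prefers) simply turns those references into warnings rather than changing the closure logic.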
View/Reply Online (#2012): https://lists.openembedded.org/g/openembedded-architecture/message/2012
