
Software Bill of Material (SBOM)

A Software Bill of Materials (SBOM) can be generated automatically during the Yocto build process.

An SBOM lists all components used to build the Yocto image or individual packages.

Generating the Software Bill of Materials

SBOM generation is controlled by the SPDX classes in Yocto.

For mx8mp-yocto-scarthgap-6.6.y_2.2.2-v1.1, in conf/local.conf set:

INHERIT += "vex"
INHERIT:remove = "create-spdx"
INHERIT += "create-spdx-3.0"

Note: These settings are enabled by default.

Effect of Enabling SBOM Generation

Enabling SBOM generation does not change the target image or the built packages.

The build time increases slightly because an extra task is added for each package to create SPDX data. For example, generating SPDX data for 10,000 packages on a test system took less than 2 minutes.

At least 1 GB of free disk space is recommended for SBOM data. Larger images may require more space.

Viewing and Analyzing SPDX Files

SPDX files are in JSON format. This format is suitable for both machine processing and human reading.

To view SBOM data quickly, use the jq tool to format the JSON output.

jq can be installed with the following command:

sudo apt install jq

Here is an example output of using jq:

jq . u-boot-variscite-splash.spdx.json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "creationInfo": {
    "comment": "This document was created by analyzing packages created during the build.",
    "created": "2025-06-28T12:14:25Z",
    "creators": [
      "Tool: OpenEmbedded Core create-spdx.bbclass",
      "Organization: OpenEmbedded ()",
      "Person: N/A ()"
    ],
    "licenseListVersion": "3.14"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "http://spdx.org/spdxdoc/u-boot-variscite-splash-1bc26fd1-c6dc-5e40-a6c0-440db4016499",
  "externalDocumentRefs": [
    {
      "checksum": {
        "algorithm": "SHA1",
        "checksumValue": "1da13207cb0878503154286a51ecc891ce383561"
      },
      "externalDocumentId": "DocumentRef-recipe-u-boot-variscite",
      "spdxDocument": "http://spdx.org/spdxdoc/recipe-u-boot-variscite-6c0102e3-03fc-5a6b-96af-7134f7ac4d93"
    }
  ],
  "files": [
    {
  [..]

For detailed analysis, use a dedicated SPDX tool. A list of available tools is provided by The Linux Foundation at: https://spdx.dev/use/spdx-tools/
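As an added example (not part of the original page or of the Yocto project), the script below parses an SPDX 2.x JSON document in the shape shown above and builds a short inventory: package name, version and concluded license, the number of files, and the external document references. It also flags packages with no versionInfo, since those cannot be matched reliably against CVE data. The SPDX document is a constructed sample with placeholder checksums, not a real build artifact.

```python
import json

# Constructed SPDX 2.x JSON document in the shape of Yocto's create-spdx output,
# trimmed to the fields this summary uses. Checksums are placeholders.
SAMPLE_SPDX = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.2",
    "name": "u-boot-variscite-splash",
    "externalDocumentRefs": [
        {"externalDocumentId": "DocumentRef-recipe-u-boot-variscite",
         "spdxDocument": "http://spdx.org/spdxdoc/recipe-u-boot-variscite-EXAMPLE",
         "checksum": {"algorithm": "SHA1", "checksumValue": "0" * 40}},
    ],
    "packages": [
        {"SPDXID": "SPDXRef-Package-u-boot-variscite-splash",
         "name": "u-boot-variscite-splash", "versionInfo": "2024.04",
         "licenseConcluded": "GPL-2.0-or-later"},
        # Constructed entry with an empty version, to show the check below.
        {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox",
         "versionInfo": "", "licenseConcluded": "NOASSERTION"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-0", "fileName": "/boot/splash.bmp",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
    ],
})


def summarize_spdx(text):
    """Return an inventory dict built from an SPDX 2.x JSON document string."""
    doc = json.loads(text)
    packages = [
        {"name": pkg.get("name"),
         "version": pkg.get("versionInfo") or None,
         "license": pkg.get("licenseConcluded", "NOASSERTION")}
        for pkg in doc.get("packages", [])
    ]
    # A package without a version cannot be matched to CVE version ranges.
    unversioned = sorted(p["name"] for p in packages if p["version"] is None)
    return {
        "document": doc.get("name"),
        "packages": packages,
        "unversioned": unversioned,
        "file_count": len(doc.get("files", [])),
        "external_refs": [r["externalDocumentId"]
                          for r in doc.get("externalDocumentRefs", [])],
    }


if __name__ == "__main__":
    print(json.dumps(summarize_spdx(SAMPLE_SPDX), indent=2))
```

To run it against a real artifact, read the .spdx.json file from the build's deploy directory and pass its contents to summarize_spdx.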

SBOM CVE analysis with sbom-cve-check

sbom-cve-check is a lightweight standalone tool from Bootlin for CVE analysis of SBOM files (including SPDX v3). It analyzes the software components listed in the SBOM against public CVE sources and reports which components are affected. It is designed for out-of-build analysis, so you can re-run vulnerability checks regularly from generated SBOM artifacts, without rebuilding the Yocto image.

In the Yocto workflow, the recommended inputs are:

  • <image-name>.rootfs.spdx.json (SPDX v3 SBOM)
  • <image-name>.rootfs.json (Yocto VEX manifest generated by vex.bbclass)

For integration with tools that consume Yocto-style cve-check output, export the result with the yocto-cve-check-manifest export type.

Example:

sbom-cve-check \
  --sbom-path <image-name>.rootfs.spdx.json \
  --yocto-vex-manifest <image-name>.rootfs.json \
  --export-type yocto-cve-check-manifest \
  --export-path sbom-cve-checked.json

Further Reading