
Generating a Yocto SBOM with Meta-CVEScan

Meta-CVEScan lets you generate an .inventory.json SBOM file for your Yocto project. The steps below are taken from Meta-CVEScan's README.

Add the meta-cvescan layer to your conf/bblayers.conf.

Add the following line to your conf/local.conf:

INHERIT += "cvescan-inventory"

Then build an image as usual, for example:

bitbake core-image-base

When the build completes, the SBOM has been serialized to a *.inventory.json file.

It can be fed to the CVEScan run subcommand as:

cvescan run --inventory core-image-base.inventory.json

Warning

The master branch cannot be used as such; instead, this repository maintains $CODENAME-v$MAJOR.$MINOR.$PATCH tags, where CODENAME is the lowercase codename of the supported Yocto release (see the Yocto Releases page for reference).

Examples:

* kirkstone-v1.0.0
* langdale-v1.0.0
* mickledore-v1.0.0
* nanbield-v1.0.0
* scarthgap-v1.0.0
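The setup steps above and the tag-naming rule from the warning, as an added shell example that is not part of the meta-cvescan project: it wires the layer and the INHERIT line into a build directory without duplicating them on re-runs, derives the release-matching tag name, and checks that the build actually produced an inventory file. The layer path, the build directory layout (conf/bblayers.conf and conf/local.conf) and the v1.0.0 default are assumptions.

```shell
#!/bin/sh
# Added example, not code from meta-cvescan. Helpers for wiring the layer into a
# Yocto build dir and checking for the resulting *.inventory.json SBOM.

# Tag name for a Yocto codename under the $CODENAME-v$MAJOR.$MINOR.$PATCH scheme
# (codename is lowercased; version defaults to the assumed 1.0.0).
cvescan_tag() {
  codename=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s-v%s\n' "$codename" "${2:-1.0.0}"
}

# Append a line to a conf file only if that exact line is not already there,
# so running the setup twice does not duplicate BBLAYERS or INHERIT entries.
ensure_line() {
  file=$1
  line=$2
  mkdir -p "$(dirname "$file")"
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Add the layer to conf/bblayers.conf (assumed BBLAYERS += form; the usual
# alternative is `bitbake-layers add-layer`) and the class to conf/local.conf.
setup_cvescan() {
  builddir=$1
  layerdir=$2
  ensure_line "$builddir/conf/bblayers.conf" "BBLAYERS += \"$layerdir\""
  ensure_line "$builddir/conf/local.conf" 'INHERIT += "cvescan-inventory"'
}

# Number of *.inventory.json files under a directory; 0 after a build means the
# cvescan-inventory class did not run and there is nothing to feed `cvescan run`.
count_inventories() {
  find "$1" -name '*.inventory.json' 2>/dev/null | wc -l | tr -d ' '
}
```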