The CycloneDX format for the Software-Bill-Of-Materials (SBOM) is expected by tools like Dependency Track. Conversely, Yocto as a Linux-foundation-adjacent project only supports SPDX which is another SBOM format.
There exists a meta-layer for handling CycloneDX: https://github.com/bgnetworks/meta-dependencytrack which only supports Yocto Honister (older than the Kirkstone version targeted by meta-leda) and has not been updated in an year. That is why this option was not preffered
Solution
CycloneDX provides a CLI which can convert a single .spdx.json file to CycloneDX format that is rather slow to parse and convert said file. That is why a python script under .github/workflow-scripts/sbom-converter.py was implemented which calls the CLI on an entire folder containing `.spdx.json`-files in parallel to more efficiently convert the large SBOM for Leda-Distro (~50MBs of json files).
Since the operation of batch-converting the SPDX SBOM to CycloneDX is slow due to the large amount of files to be processed, the conversion step has been added only for self-hosted builds (.github/workflows/build-selfhosted.yml)
Issue
The CycloneDX format for the Software-Bill-Of-Materials (SBOM) is expected by tools like Dependency Track. Conversely, Yocto as a Linux-foundation-adjacent project only supports SPDX which is another SBOM format.
There exists a meta-layer for handling CycloneDX: https://github.com/bgnetworks/meta-dependencytrack which only supports Yocto Honister (older than the Kirkstone version targeted by meta-leda) and has not been updated in an year. That is why this option was not preffered
Solution
CycloneDX provides a CLI which can convert a single .spdx.json file to CycloneDX format that is rather slow to parse and convert said file. That is why a python script under
.github/workflow-scripts/sbom-converter.pywas implemented which calls the CLI on an entire folder containing `.spdx.json`-files in parallel to more efficiently convert the large SBOM for Leda-Distro (~50MBs of json files).Since the operation of batch-converting the SPDX SBOM to CycloneDX is slow due to the large amount of files to be processed, the conversion step has been added only for self-hosted builds (
.github/workflows/build-selfhosted.yml)