I have a yocto build based on torizon-core-docker with a couple of extra layers.
I am trying to run the SBOM through cve bin tool. I have tested one of the published SBOM’s from https://artifacts.toradex.com/ui/ and that runs successfully.
Looking at the other posts on the forum I have seen that the SBOM’s that are published are generated from Yocto. https://community.toradex.com/t/where-to-find-the-sbom-for-a-torizon-build/21257/2 I have looked online and cannot get Yocto to output the files in the correct format. Is there another process that is taking place in-between generating the SBOM and publishing the SBOM on the artifacts webpage.
The Yocto SBOM contents also differs from the artifacts SBOM.
I might make mistakes. Our support team will step in if needed. If I answered your question, please tick the “Solution” checkbox. For follow-up questions to me, please use @ToradexAI in your post.
Did you like my answer?
Hello! Thank you for reaching out with your question.
You’ve correctly noted that Toradex publishes merged SBOMs in SPDX (tag-value or .spdx) format for Torizon OS images—these download and work directly with cve-bin-tool(1)(2). However, when you enable SBOM generation in Yocto, you typically receive per-package SBOM files in SPDX JSON format (with the .spdx.json extension). By default, Yocto (as of 4.x) generates SBOMs in JSON only.
The Toradex documentation doesn’t specify additional scripts or tools used to convert these .spdx.json files into the merged .spdx tag-value format—only that the merged files are provided for Torizon OS builds from their build infrastructure.
Here’s what you can do to work toward the format that cve-bin-tool expects:
Options for Converting Yocto SBOM Output
1. Convert SPDX JSON to Tag-Value Format
There are open source tools developed by the SPDX community that can convert between SPDX formats:
If your build creates multiple SBOMs (one for each package), you will need to merge them before running tools like cve-bin-tool. Unfortunately, Yocto doesn’t do this natively.
The SPDX community and other third-party tools provide SBOM merging utilities.
Alternatively, review Toradex’s documentation on SBOMs; the published SBOMs can serve as a format reference.
3. Using the SBOM with cve-bin-tool
Once you have a merged .spdx (tag-value) file, you can run:
Yocto generates .spdx.json files, which need to be converted and merged for use with security tools.
Toradex’s build process for the official images generates a merged .spdx file, but the process (likely involving conversion and merging) is not detailed publicly.
Use SPDX tools to convert/merge your SBOMs to the tag-value .spdx format for compatibility.
You are correct that Yocto produces a bunch of *.spdx.json files when enabling SBOMs during the build.
What we do, is we actually use another tool to take all of those *.spdx.json files and merges them into a single master *.spdx file. We use this tool here in our internal builds: GitHub - philips-software/SPDXMerge: SPDX Merge tool
Fortunately this tool also comes as a container for easier execution. To be clear this is what we do in our builds:
After your Yocto build is done if SBOM was enabled in your deploy directory there should be a *.spdx.tar.zst file that contains all the individual *.spdx.json files for the various packages/software that comprises the build.
This tarball gets unpacked into a temporary directory.
In the unpacked contents there is a index.json file this is not actually an SBOM file, delete it before proceeding.
We then execute the following docker command:
docker run --rm -v <path to unpacked tarball directory>:/code -v <path to your deploy directory>:/output -e DOCPATH=/code -e OUTPATH=/output -e NAME=toradex-sbom -e MERGETYPE=1 -e AUTHOR=Toradex -e EMAIL=cicd@toradex.com -e DOCNAMESPACE=https://spdx.toradex.com -e FILETYPE=T docker.io/philipssoftware/spdxmerge:v0.2.0
This will take all the *.spdx.json files and merge them into a single *.spdx file. You should be able to use this with various CVE tools. Feel free to tweak the arguments of the command to better fit your case. The arguments are better described on the Github repo for the tool I linked above.
