Where to find the SBOM for a Torizon build?

Hello
How can I find the SBOM for a Torizon OS build? The website with the Verdin example doesn’t help.

I’ve downloaded the release image for Colibri IMX8: torizon-core-docker-colibri-imx8x-Tezi_6.4.0+build.5.tar and built it using torizoncore-builder 3.8.1.
But in my output_directory I can’t find the .spdx files. Do I need to tell torizoncore-builder explicitly to generate a .spdx file?

Best regards
waax

Greetings @waax,

The spdx/SBOM files actually come from the Yocto build itself as documented here: SBOM | Toradex Developer Center

TorizonCore Builder only modifies the OS rather than adding new software/packages, so you can just reference the SBOM from the base image you used here. Though unfortunately for the 6.4.0 release you’re using there was an issue at the time and we actually had to disable SBOM generation in this build. This means SBOM files are not available for this particular release.

Is this going to be an issue for your development? Or what exactly is your use-case here?

Best Regards,
Jeremias

Hello Jeremias

Thanks for the reply.

We need the SBOM to see what licences are used in the image. Our customer is very specific about the software and licences that are used in his product.

Will I get the SBOM from a TorizonCore 5 image? Will it be very different from the 6.4? Will there be an SBOM in future releases of 6.4?

Best regards

Axel Wachter


We need the SBOM to see what licences are used in the image. Our customer is very specific about the software and licences that are used in his product.

I see, makes sense.

Will I get the SBOM from a TorizonCore 5 image?

We were not producing SBOMs for our builds back during the days of TorizonCore 5. One could in theory do a TorizonCore 5 Yocto build and integrate SBOM generation then manually do a build to get an SBOM. Though this would take some work.

Will it be very different from the 6.4?

If a theoretical SBOM existed for Torizon 5, I imagine it would be quite different. Major version number differences introduce major changes in our overall BSP.

Will there be an SBOM in future releases of 6.4?

We typically move forward with our releases, so the next release will be versioned 6.5. We plan to have SBOM generation re-enabled and working again for the 6.5 release. Would this suffice for your needs? Or do you specifically need an SBOM for version 6.4?

Best Regards,
Jeremias

Hello Jeremias

We are in the process of deciding if we should use Torizon or build our own images using Yocto. As I mentioned earlier, our customer is very specific about the software licences and it is crucial to us to deliver an SBOM. I was under the impression that there is always an SBOM delivered together with a Torizon image. This is not the case and therefore an argument in favour of building our own images.

Best regards

Axel Wachter

Hi @waax !

As pointed out by @jeremias.tx, there was an issue related to the SBOM. In the next monthly release (Torizon OS 6.5.0), the SBOM will be available.

You can actually check the files in our artifactory for the latest build: Index of torizoncore-oe-prerelease-frankfurt/kirkstone-6.x.y/monthly/20/verdin-imx8mp/torizon/torizon-core-docker/oedeploy

So, in summary, from now on (6.5.0) we have SBOMs available for ready-to-use Torizon OS.

EDIT: if you need the licenses, you can take a look at the manifests as well, which are enabled by default: JFrog

Best regards,
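For the licence check that started this thread, here is an added example (not Toradex's or the Yocto project's code) that parses a file in the Yocto license.manifest layout, the manifest that ships next to the deployable image in the oedeploy directory, groups packages by SPDX licence identifier and flags any whose licence starts with a prefix the reviewer cares about. The manifest text below is constructed for the example, and the watchlist of prefixes is an assumption for illustration.

```python
import re

# Constructed sample in the Yocto license.manifest layout; not from a real build.
SAMPLE_MANIFEST = """\
PACKAGE NAME: base-files
PACKAGE VERSION: 3.0.14
RECIPE NAME: base-files
LICENSE: GPL-2.0-only

PACKAGE NAME: bash
PACKAGE VERSION: 5.1.16
RECIPE NAME: bash
LICENSE: GPL-3.0-or-later

PACKAGE NAME: dropbear
PACKAGE VERSION: 2022.83
RECIPE NAME: dropbear
LICENSE: MIT & BSD-3-Clause
"""

def parse_manifest(text):
    """Split the manifest into blank-line-separated blocks of 'KEY: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def license_ids(expr):
    """Extract SPDX identifiers from an expression such as '(GPL-2.0-only | MIT) & BSD-3-Clause'."""
    return set(re.findall(r"[A-Za-z0-9.+-]+", expr))

def group_by_license(entries):
    """Map each licence identifier to the sorted package names that carry it."""
    groups = {}
    for e in entries:
        for lic in license_ids(e.get("LICENSE", "")):
            groups.setdefault(lic, set()).add(e.get("PACKAGE NAME", "?"))
    return {lic: sorted(pkgs) for lic, pkgs in groups.items()}

def flag_packages(entries, watchlist):
    """Return (package, licence expression) pairs where any identifier starts with a watched prefix."""
    return [(e.get("PACKAGE NAME", "?"), e.get("LICENSE", ""))
            for e in entries
            if any(l.startswith(w) for l in license_ids(e.get("LICENSE", "")) for w in watchlist)]
```

Point `parse_manifest` at the real license.manifest from the build output to get the same grouping for an actual image; the flagged list is only as good as the prefixes you choose to watch.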