Complete Compliance Toolchain for Yocto Projects - Software Composition Analysis and SBOM Automation

Learn about an advanced compliance toolchain for Yocto projects in this 13-minute conference talk from FOSDEM 2023. Discover how Eclipse Oniro implemented one of the largest compliance efforts for Yocto projects, incorporating tools like Fossology, Scancode, SPDX, BANG, and Gitlab CI alongside custom-developed solutions. Explore the creation of a comprehensive Software Bill of Materials (SBOM) system that includes a dashboard, aliens4friends, a graph database for mapping dependencies and license incompatibilities, and a license resolver. Understand how to track and preserve compliance information throughout the build process, uniquely identify files in the final image, resolve binary file licenses from mixed-license source files, and manage dependencies in large-scale projects. Gain insights into achieving OpenChain conformant software composition analysis through unprecedented automation techniques for handling extensive data, licenses, files, and packages.