Complete Compliance Toolchain for Yocto Projects - Software Composition Analysis and SBOM Automation
Eclipse Foundation via YouTube
Overview
Learn about an advanced compliance toolchain for Yocto projects in this 13-minute conference talk from FOSDEM 2023. Discover how Eclipse Oniro implemented one of the largest compliance efforts for Yocto projects, incorporating tools like FOSSology, ScanCode, SPDX, BANG, and GitLab CI alongside custom-developed solutions. Explore the creation of a comprehensive Software Bill of Materials (SBOM) system that includes a dashboard, aliens4friends, a graph database for mapping dependencies and license incompatibilities, and a license resolver. Understand how to track and preserve compliance information throughout the build process, uniquely identify files in the final image, resolve binary file licenses from mixed-license source files, and manage dependencies in large-scale projects. Gain insights into achieving OpenChain-conformant software composition analysis through automation techniques for handling extensive volumes of data, licenses, files, and packages.
Syllabus
FOSDEM 2023: A complete compliance toolchain for Yocto projects (even very large ones, yes)
Taught by
Eclipse Foundation