Add Part 5: Yocto SBOM in production#85
Open
vpetersson wants to merge 3 commits into
Covers the architectural leap to JSON-LD output, single-document merging, first-class Build elements with hasInput/hasOutput, the profile-based architecture, native VEX support, and the new build provenance features (build variables, nested builds, agent tracking, build host linking, package supplier). Updates Parts 1 and 2 series footers to link to Part 3. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Traces how vulnerability information flows from Yocto's CVE_STATUS recipe metadata, patch file scanning, and upstream version checks into SPDX 3.0 VEX relationship elements (VexFixedVulnAssessmentRelationship, VexAffectedVulnAssessmentRelationship, VexNotAffectedVulnAssessmentRelationship). Documents the kernel-specific tooling that cuts CVE false positives by 70-80% by cross-referencing the kernel CNA database with compiled source files. Updates Parts 1, 2, and 3 series footers to link to Part 4. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Final post in the series. Covers a recommended production configuration (SPDX_PRETTY, SPDX_INCLUDE_SOURCES, package supplier, namespacing), the standalone CLI tools for working with SPDX 3.0 documents (spdx3query, spdx3merge, spdx3validate), and the gaps that still need filling — layer information and kernel configuration mapping are not yet in the SBOM. Updates Parts 1-4 series footers to link to Part 5. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
JPEWdev suggested changes (May 14, 2026) and left a comment:
This one is a little all over the place, and some of it is not that useful; maybe we can come up with a better plan for what to include in this last installment (maybe some links for how to get involved in Yocto Project/SPDX/etc. along with the tooling links)?
Summary
Stacked on #84 (Part 4). Merge order: #81 → #82 → #83 → #84 → this. After this lands the full 5-post series is published with all cross-links live.
Test plan
- /2026/06/02/yocto-sbom-production-config/ — confirm post renders
- /authors/jwatt/ — confirm all five posts listed
- (hugo --buildFuture)
🤖 Generated with Claude Code