Integrate a SBOM generation tool into Oniro build system

Value

SBOM helps assure the origin of the sources used

Description

SBOM is needed for IP compliance, but also allows to figure out the exact state of the source code tree, which module has been downloaded from where and in which version. It will be also used in our update tool.

In scope

Use yocto's create-spdx class in Oniro

Out of Scope

Other SBOM types or bugfixes

Acceptance Criteria

SBOM generation is integrated

Applicable Market Segments

• All

Applicable Personas

• Product Integrator
• Software Quality Auditor
• License Compliance Auditor

added to epic &8

changed milestone to %goofy alpha

set weight to 10

added teamsecurity label

changed epic to &101 (closed)

changed iteration to Oniro Core Iterations Apr 1, 2022 - Apr 30, 2022

added Doing label

assigned to @mrybczyn

!65 (merged)

Upstream patches to fix CI when adding create-spdx:

• https://git.openembedded.org/openembedded-core/commit/?h=master-next&id=0c147316c07b88bf3710a58c9298f319e574060d
• https://lists.yoctoproject.org/g/yocto/message/56769

Currently FreeRTOS is not building due to this dependency, from some preliminary tests it is useless (because it doesn't force the task to be executed due to missing dependency). This needs to be tested properly and maybe consider to crate an Oniro specific version (it might brake upstream in some cases).

assigned to @tony3oo3

changed iteration to Oniro Core Iterations May 1, 2022 - May 31, 2022

marked this issue as related to #559 (closed)

changed milestone to %goofy beta

changed iteration to Oniro Core Iterations Jun 1, 2022 - Jun 30, 2022

marked this issue as related to #57

MR: https://gitlab.eclipse.org/eclipse/oniro-core/oniro/-/jobs/41770

changed iteration to Oniro Core Iterations Jul 1, 2022 - Jul 31, 2022

changed the description

Note: activated on Linux only for now, pending issue on Zephyr #684 (closed)

removed the relation with #559 (closed)

closed

removed Doing label