Zephyr Developer Summit 2022

2021 saw a growing recognition of the need for software distributions to include Software Bills of Materials (SBOMs). In 2021, the Zephyr project gained the ability to generate SBOMs in SPDX format at build time. This enables downstream recipients of a Zephyr build to have greater visibility into specifically which source code files were compiled and linked into the final binary. In this session, Steve will begin by presenting details about how the Zephyr SBOM functionality leverages the underlying CMake infrastructure to create SPDX documents during a Zephyr build. He will discuss the assumptions currently made regarding how Zephyr builds are structured. The session will then open for broader discussion about whether those assumptions are appropriate, and whether there are alternative approaches to SPDX document generation that are more suitable for Zephyr users.