SBoMs are becoming a critical component in ensuring the integrity of our software supply chains. Many current tools for SBoM generation focus on one of two approaches: generating them from the initial source code, or post-mortem analysis of completed systems and artifacts. While both are valid and useful methods of analysis, less focus has been put on the tooling that pulls upstream source code together and generates the completed system artifacts, such as a distro build system or, more generically, any "meta-build" system. Using OpenEmbedded as a case study, Joshua will cover the unique strengths that generating SBoMs in meta-build systems can provide, as well as the challenges of doing so.
Speakers: Joshua Watt