feat(linux): Add how to guide for working with SBOMs

Add How to guide for working with SBOM's with sections
* Generating SBOM in SPDX and CycloneDX format
* Tools and references for Working with SBOM i.e visualizing, merging,
modifying SBOMs

Signed-off-by: Yogesh Hegde <y-hegde@ti.com>

Author: yogeshhegde

configs/AM62LX/AM62LX_linux_toc.txt

@@ -127,6 +127,7 @@ linux/How_to_Guides/Target/How_To_Enable_M2CC3301_in_linux
 linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Lx_EVM_Hardware_Setup
 linux/Demo_User_Guides/index_Demos

configs/AM62PX/AM62PX_linux_toc.txt

@@ -172,6 +172,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Px_EVM_Hardware_Setup
 linux/How_to_Guides/Target/How_To_Carve_Out_CMA

configs/AM62X/AM62X_linux_toc.txt

@@ -176,6 +176,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62x_EVM_Hardware_Setup
 

configs/AM64X/AM64X_linux_toc.txt

@@ -153,6 +153,7 @@ linux/How_to_Guides/Hardware_Setup_with_CCS/AM64x_EVM_Hardware_Setup
 linux/How_to_Guides/FAQ/How_to_Verify_Ipc_Linux_R5
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides/Target/Processor_SDK_Linux_File_System_Optimization_Customization
 
 devices/AM64X/index_RTOS

source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst

@@ -40,9 +40,9 @@ found on the SDK download page or in the installed directory as indicated below.
 Software Bill of Materials (SBOM)
 =================================
 
-|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
 format by default. SBOMs for all released artifacts are bundled into a single
-archive and can be found on the |SDK_DOWNLOAD_URL|.
+archive and can be found on the |__SDK_DOWNLOAD_URL__|.
 Release 12.00.00.07.04
 ======================
 

source/devices/AM64X/linux/Release_Specific_Release_Notes.rst

@@ -38,9 +38,9 @@ found on the SDK download page or in the installed directory as indicated below.
 Software Bill of Materials (SBOM)
 =================================
 
-|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
 format by default. SBOMs for all released artifacts are bundled into a single
-archive and can be found on the |SDK_DOWNLOAD_URL|.
+archive and can be found on the |__SDK_DOWNLOAD_URL__|.
 
 Release 12.00.00.07.04
 ======================

source/linux/How_to_Guides/FAQ/How_to_work_with_SBOM.rst

@@ -0,0 +1,176 @@
+***************************************************************
+How to Guide for working with Software Bill of Materials (SBOM)
+***************************************************************
+
+Glossary
+========
+
+.. glossary::
+
+   SBOM
+      Software Bill of Materials - is a comprehensive list of all the software components, dependencies, and metadata associated with an application.
+
+   SPDX
+      Software Package Data Exchange - is an open standard (or format) for communicating Software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references.
+
+   CycloneDX
+      CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.
+
+   VEX
+      Vulnerability Exploitability eXchange - is a standardized format for sharing information about vulnerabilities and their exploitability.
+
+
+Generating SBOM
+===============
+
+|__SDK_FULL_NAME__| build generates SBOMs in the following formats and versions:
+
+.. list-table::
+   :header-rows: 1
+
+   * - Format
+     - Version
+     - Yocto
+     - Buildroot
+   * - SPDX
+     - 3.0
+     - Supported
+     - Not-Supported
+   * - CycloneDX
+     - 1.6
+     - Supported
+     - Supported
+
+Follow the steps below based on your required format.
+
+Generating SBOM in SPDX 3.0 Format
+----------------------------------
+
+SPDX 3.0 is generated by default when building |__SDK_FULL_NAME__| Yocto, no extra steps required.
+If you require additional vulnerability information, follow these steps:
+
+1. Add the following line to your ``local.conf``:
+
+   .. code-block:: text
+
+      INHERIT += "vex"
+
+2. Build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`.
+
+The following artifacts will be generated in the Yocto deploy directory:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 50 50
+
+   * - File
+     - Description
+   * - ``${IMAGE_NAME}.rootfs.spdx.json``
+     - The SPDX v3.0 SBOM file
+   * - ``${IMAGE_NAME}.rootfs.json``
+     - Vulnerability information file generated by ``vex.bbclass``
+
+
+Generating SBOM in CycloneDX Format
+--------------------------------------
+
+To generate SBOM in CycloneDX format, follow these steps:
+
+1. Start with the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`
+2. After cloning ``oe-layersetup``, uncomment the ``meta-cyclonedx`` line in
+   the layer configuration file, for example:
+
+   .. code-block:: text
+
+      meta-cyclonedx,https://github.com/iris-GmbH/meta-cyclonedx.git,main,0170751b487162f8e476fd32d441ddfcf24ca78a,layers=
+
+3. Add the following line to your ``local.conf``:
+
+   .. code-block:: text
+
+      INHERIT += "cyclonedx-export"
+
+4. Continue to build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`.
+
+The following artifacts will be generated in the Yocto deploy directory:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 50 50
+
+   * - File
+     - Description
+   * - ``${IMAGE_NAME}.rootfs.cyclonedx.bom.json``
+     - The CycloneDX SBOM file
+   * - ``${IMAGE_NAME}.rootfs.cyclonedx.vex.json``
+     - The CycloneDX VEX file
+
+Working with SBOM
+=================
+
+It is recommended to use open-source tools for working with SBOMs.
+The following open-source tools are recommended for working with SBOMs:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 20 40 40
+
+   * - Format
+     - Tool
+     - Description
+   * - CycloneDX
+     - `CycloneDX Sunshine <https://github.com/CycloneDX/Sunshine/>`_
+     - Visualize CycloneDX SBOMs in a human-readable format
+   * - CycloneDX
+     - `CycloneDX CLI <https://github.com/CycloneDX/cyclonedx-cli>`_
+     - BOM analysis, modification, diffing, merging, format conversion, signing and verification.
+   * - SPDX
+     - `SPDX Open Source Tools <https://spdx.dev/tools/open-source-tools/>`_
+     - A collection of open-source tools for working with SPDX SBOMs
+
+.. note::
+
+   SPDX 3.0 is not yet widely supported by SPDX tools. Using such tools with
+   SPDX 3.0 files may give varied or unexpected results.
+
+CVE Analysis
+============
+
+The `sbom-cve-check <https://pypi.org/project/sbom-cve-check/>`_ tool can be
+used to perform CVE analysis on the generated SPDX SBOM.
+
+1. Install the tool:
+
+   .. code-block:: console
+
+      pip install sbom-cve-check
+
+   .. note::
+
+      It is recommended to install this tool in a Python virtual environment.
+
+2. Retrieve the following artifacts from the Yocto deploy directory:
+
+   .. list-table::
+      :header-rows: 1
+      :widths: 50 50
+
+      * - File
+        - Description
+      * - ``${IMAGE_NAME}.rootfs.spdx.json``
+        - The SPDX v3.0 SBOM file
+      * - ``${IMAGE_NAME}.rootfs.json``
+        - Vulnerability information file generated by ``vex.bbclass``
+
+3. Run the CVE analysis:
+
+   .. code-block:: console
+
+      sbom-cve-check --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \
+                     --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \
+                     --export-type yocto-cve-check-manifest \
+                     --export-path cve-check.json
+
+.. note::
+
+   ``sbom-cve-check`` only supports SPDX format and does not support CycloneDX.

source/linux/How_to_Guides_Developer_Notes.rst

@@ -38,6 +38,7 @@ Developer Notes
    How_to_Guides/FAQ/How_to_Configure_MSMC_memory
    How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
    How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+   How_to_Guides/FAQ/How_to_work_with_SBOM
    How_to_Guides/Host/How_to_Build_a_Ubuntu_Linux_host_under_VMware
    How_to_Guides/Host/K3_Resource_Partitioning_Tool
    How_to_Guides/Host/How_to_Setup_and_Debug_using_Lauterbach