Scanning Yocto Projects
Analyze and report the runtime packages of a Yocto image build to FOSSA using the meta-fossa layer.
Overview
This guide explains how to integrate FOSSA into a Yocto-based build for license and security compliance scanning. FOSSA supports Yocto builds via meta-fossa, a Yocto layer that analyzes and reports the runtime packages of a Yocto image build to FOSSA.
Note
- A working Yocto build environment (or Poky).
- A FOSSA API key, generate one at Account Settings → Integrations → API Tokens.
- Basic familiarity with running
bitbakeandbitbake-layerscommands.
Supported Yocto versions
The meta-fossa layer is published per Yocto release as a dedicated branch. Check out the branch that matches your Yocto version:
| Yocto Version | Branch |
|---|---|
dunfell | dunfell |
honister | honister |
kirkstone | kirkstone |
mickledore | mickledore |
Quickstart
- 1
Check out the FOSSA layer
Clone
meta-fossa, replacingdunfellwith your Yocto version:Shellgit clone https://github.com/fossas/meta-fossa.git -b dunfell - 2
Check out Yocto
If you do not already have a Yocto build environment, clone Poky on the matching branch:
Shellgit clone git://git.yoctoproject.org/poky.git -b dunfell - 3
Activate the Yocto build environment
Source the build environment script:
Shellcd poky && source oe-init-build-env - 4
Add and inherit the meta-fossa layer
Register the layer and configure your build to inherit it:
Shell# Add the meta-fossa layerbitbake-layers add-layer ../../meta-fossa/echo 'BBLAYERS += "${TOPDIR}/../../meta-fossa"' >> conf/local.conf # Inherit the FOSSA layerecho 'INHERIT += "fossa"' >> conf/local.conf - 5
Set your FOSSA API key
Add your API key to the build configuration:
Shellecho 'FOSSA_API_KEY = "<VALID-FOSSA-API-KEY>"' >> conf/local.conf - 6
Build your image
Run your build as usual. The FOSSA layer analyzes the runtime packages as part of the build:
Shellbitbake core-image-minimal - 7
View the results
When the build completes, FOSSA logs the project URL:
Shell[ INFO] Using project name: `core-image-minimal`[ INFO] Using revision: `qemux86-64-20230103233003`[ INFO] Using branch: `dunfell`[ INFO] ============================================================[ INFO][ INFO] View FOSSA Report:[ INFO] https://app.fossa.com/projects/<YOUR-PROJECT-URL-HERE>[ INFO][ INFO] ============================================================Open the project URL to review license compliance and security issues.
Note
If license or security issues are found, the build fails with an error. This behavior can be disabled. See the GUIDE.md on your branch of the meta-fossa repository for details.
Resources
- meta-fossa repository: select your Yocto version branch for branch-specific docs.
- Installing the FOSSA CLI