SOSS Community Day Japan 2024

Fujitsu supports SPDX evolution and the movement to an international standard that provides a common SBOM basis for software exploitation for companies throughout the supply chain. We have long provided multilateral support for SPDX, especially thorough activities in Yocto and SPDX-Lite. From 2016, we have been joining maintainers of meta-spdxscanner, enabling SPDX functionality for the Yocto Project. Also, we are the top contributors of patch submissions to the Yocto Project. In recent years, increasing interest in cybersecurity has led to the need to quickly determine whether a product is vulnerable or not. In the supply chain, vulnerability information can be handled in combination with SBOM and VEX. An SBOM should be generated for each build, and a VEX should be generated for each vulnerability detection. It is necessary to manage them separately because their life cycles are different. In addition, there is a problem in the accuracy of the vulnerability, and there are some measures to solve it. In this presentation, we describe the advantages and challenges of creating VEX in Yocto as a use case.