TLDR

  1. Add meta-doubleopen layer to Yocto's conf/bblayers.conf.

  2. Add INHERIT += "doubleopen" to Yocto's conf/local.conf.

  3. Build the image with Yocto. The resulting SPDX will be output to DEPLOY_DIR_IMAGE as <IMAGE_NAME>.spdx.json.

  4. Use CLI to upload missing packages to Fossology:

doubleopen fossology -u <FOSSOLOGY_API_URI> -t <FOSSOLOGY_TOKEN> \
   upload \
   -s <SPDX_DEPLOY_DIR>/*.tar.bz2 \
   -f <FOSSOLOGY_FOLDER_ID> \
   --spdx <IMAGE_SPDX>

  5. Use CLI to populate the SPDX file with license data:

doubleopen fossology -u <FOSSOLOGY_API_URI> -t <FOSSOLOGY_TOKEN> \
   query \
   -i <IMAGE_SPDX> \
   -o <OUTPUT_SPDX>

  6. Convert the SPDX file to ORT's format:

orth convert-spdx-to-ort \
   -i <INPUT_SPDX> \
   -o <OUTPUT_ORT_FILE> \
   --repository-configuration-file <ORT.YML>

  7. Clone ORT configuration and policy.

  8. Evaluate:

ORT_CONFIG_DIR=<POLICY_DIR> \
ort evaluate \
   -i <ORT_RESULT> \
   -o <EVALUATOR_RESULT_DIR>

  9. Generate reports and notices:

ORT_CONFIG_DIR=<POLICY_DIR> \
ort report \
   -i <EVALUATOR_RESULT_DIR>/evaluation-result.yml \
   -o <REPORT_DIR> \
   -f <FORMATS>
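
A check that can sit between the Fossology query step and the ORT conversion step: it lists packages whose files still carry no license data in the populated SPDX file. This is an added example, not part of the Double Open tooling. It assumes the file follows the SPDX 2.x JSON layout (`packages`, `files`, `relationships`, `hasFiles`) and that populated data appears in `licenseConcluded` or `licenseInfoInFiles`. The function names and the sample document are constructed for illustration.

```python
import json
import sys
from collections import Counter

UNSET = {None, "", "NOASSERTION", "NONE"}

def file_has_license(f):
    """True if the SPDX file entry carries any license conclusion or finding."""
    if f.get("licenseConcluded") not in UNSET:
        return True
    return any(x not in UNSET for x in f.get("licenseInfoInFiles", []))

def license_gaps(doc):
    """Return {package name: (files without license data, total files)}."""
    names = {p["SPDXID"]: p["name"] for p in doc.get("packages", [])}
    owner = {}
    # SPDX 2.x JSON links files to packages via hasFiles or CONTAINS relationships.
    for p in doc.get("packages", []):
        for fid in p.get("hasFiles", []):
            owner[fid] = p["name"]
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "CONTAINS" and rel.get("spdxElementId") in names:
            owner[rel["relatedSpdxElement"]] = names[rel["spdxElementId"]]
    total, missing = Counter(), Counter()
    for f in doc.get("files", []):
        pkg = owner.get(f.get("SPDXID"), "<no package>")
        total[pkg] += 1
        missing[pkg] += 0 if file_has_license(f) else 1
    return {pkg: (missing[pkg], total[pkg]) for pkg in total if missing[pkg]}

# Constructed sample document, not the output of a real build.
SAMPLE = {
    "packages": [{"SPDXID": "SPDXRef-busybox", "name": "busybox"},
                 {"SPDXID": "SPDXRef-zlib", "name": "zlib", "hasFiles": ["SPDXRef-f3"]}],
    "files": [
        {"SPDXID": "SPDXRef-f1", "licenseConcluded": "GPL-2.0-only"},
        {"SPDXID": "SPDXRef-f2", "licenseConcluded": "NOASSERTION",
         "licenseInfoInFiles": ["NOASSERTION"]},
        {"SPDXID": "SPDXRef-f3", "licenseConcluded": "NOASSERTION",
         "licenseInfoInFiles": ["Zlib"]}],
    "relationships": [
        {"spdxElementId": "SPDXRef-busybox", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-f1"},
        {"spdxElementId": "SPDXRef-busybox", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-f2"}],
}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    gaps = license_gaps(doc)
    for pkg, (miss, tot) in sorted(gaps.items()):
        print(f"{pkg}: {miss}/{tot} files without license data")
    sys.exit(1 if gaps else 0)
```

Run with the populated SPDX file as the only argument; a non-zero exit status means at least one package still has files without license data.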