From 95d197cfe7f506840e7b005aedfdfcaeb5c6d5b4 Mon Sep 17 00:00:00 2001 From: Katrina Prosise Date: Tue, 17 Mar 2026 05:50:35 -0400 Subject: [PATCH] Cleanup sbom page Addressed style, grammar, and phrasing to improve readability. Built docs and checked html output, no issues found. This commit addresses issue FFTK-4731, "Improve wording around SBOM info" Signed-off-by: Katrina Prosise --- source/reference-manual/factory/sboms.rst | 47 +++++++++++------------ 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/source/reference-manual/factory/sboms.rst b/source/reference-manual/factory/sboms.rst index 105e1e18..4cb6337c 100644 --- a/source/reference-manual/factory/sboms.rst +++ b/source/reference-manual/factory/sboms.rst @@ -6,27 +6,27 @@ Software Bill of Materials A Software Bill of Materials(SBOM) declares *the list of software packages used to build a Target*. SBOMs are foundational to understanding: - * Inventory management—the packages a Target uses. - * License compliance—the software licenses of the packages. - * Vulnerability management—the package versions. +* Inventory management—the packages a Target uses. +* License compliance—the software licenses of the packages. +* Vulnerability management—the package versions. The FoundriesFactory™ Platform's SBOM feature extracts the SBOM data and analyzes it according to your needs. .. important:: `Per our terms and conditions `_: - FoundriesFactory build SBOMs (“the SBOM data”) are provided for your use and are generated from SPDX metadata in all project source code files. - Responsibility for open source license compliance rests with you. - In no event shall Foundries.io Limited be liable for any claim, damages or other liability, - whether in an action of contract, tort or other legal theory, arising from, out of, or in connection with the use of the SBOM data. + FoundriesFactory build SBOMs (“the SBOM data”) are provided for your use and are generated from SPDX metadata in all project source code files. + Responsibility for open source license compliance rests with you. + In no event shall Foundries.io Limited be liable for any claim, damages or other liability, + whether in an action of contract, tort or other legal theory, arising from, out of, or in connection with the use of the SBOM data. SBOMs and Builds ---------------- -The FoundriesFactory CI generates SBOM artifacts whenever there a change happens in a Factory build. +Whenever a Factory build changes, The FoundriesFactory CI generates SBOM artifacts. This happens for two kinds of builds: - * Yocto Project: `Software Package Data Exchange`_ (SPDX) artifacts using built-in tooling. - * Container: produce SDPX artifacts using Syft_. +* Yocto Project: `Software Package Data Exchange`_ (SPDX) artifacts using built-in tooling. +* Container: produces SDPX artifacts using Syft_. You can download them from the web UI when viewing a Target. Both artifacts go into the ``sboms`` directory. @@ -34,9 +34,8 @@ Both artifacts go into the ``sboms`` directory. Yocto Project Artifacts ^^^^^^^^^^^^^^^^^^^^^^^ -Yocto builds a comprehensive SPDX per image type. -For example, ``lmp-factory-image-intel-corei7-64.spdx.tar.zst``. -This includes an SPDX file for every package included in the build. +The Yocto Project builds a comprehensive SPDX per image type. +For example, ``lmp-factory-image-intel-corei7-64.spdx.tar.zst`` includes an SPDX file for every package included in the build. Syft Artifacts ^^^^^^^^^^^^^^ @@ -44,24 +43,22 @@ Syft Artifacts Container builds produce an SPDX file for each container/architecture. This will look like ``hub.foundries.io//shellhttpd/arm64.sdpx.json``. -Customers may disable generating SBOMs for containers by setting the environment variable ``DISABLE_SBOM=1`` in their :ref:`ref-factory-definition`. +You may disable generating SBOMs for containers by setting the environment variable ``DISABLE_SBOM=1`` in your :ref:`ref-factory-definition`. Working With SBOMs ------------------ While you can access SBOM information in its raw form by browsing your CI build, -APIs exist that allow Fioctl® to work with Factory SBOMs. +APIs exist that allow the Fioctl® tool to work with Factory SBOMs. Like other Factory concepts, SBOMs revolve around :ref:`Targets `. -You can find out available SBOMs for a Target by running: +You can list the available SBOMs for a Target by running: .. code-block:: console $ fioctl targets show sboms -For example - .. code-block:: console $ fioctl targets show sboms 262 @@ -84,13 +81,13 @@ Notice how: * ``initramfs-...``; runtime packages * ``lmp-factory-image-...``; packages required for boot. - * Several containers for two architectures were built. - In this case, the platform is Intel, so the aarch64 builds are experimental or for debug and not production. + * There is containers for two architectures. + In this case, the platform is Intel, so the aarch64 builds are experimental or for debugging—not production. - * The nginx and Alpine containers come from a ``hub.docker.io``. - * The shellhttpd container comes from the Factory ``hub.foundries.io``. + * The nginx and Alpine containers come from ``hub.docker.io``. + * The shellhttpd container comes from the Factory's ``hub.foundries.io``. -You can then query each SBOM for more details +You can query each SBOM for more details: .. code-block:: console @@ -111,10 +108,10 @@ These tend to work with two competing SBOM formats: * SPDX_ * CycloneDX_ -You may want to just export their SBOM data into spreadsheets for quick, custom processing. +You may want to export their SBOM data into spreadsheets for quick, custom processing. While the native storage format for Factory SBOMs is SPDX, the Foundries.io™ API provides a best-effort conversion to both CycloneDX and CSV. -This allows users to export data from their Factory and into their tool of choice. +This allows you to export data from your Factory and into your tool of choice. To view an SBOM in a given format: