@@ -50,3 +50,76 @@ able to find the Zephyr repository with the following:
5050 find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
5151
5252:zephyr_file: `share/zephyr-package/cmake ` for details.
53+
54+ .. _west-spdx :
55+
56+ Software bill of materials: ``west spdx ``
57+ *****************************************
58+
59+ This command generates SPDX 2.2 tag-value documents, creating relationships
60+ from source files to the corresponding generated build files.
61+ ``SPDX-License-Identifier `` comments in source files are scanned and filled
62+ into the SPDX documents.
63+
64+ To use this command:
65+
66+ #. Pre-populate a build directory :file: `BUILD_DIR ` like this:
67+
68+ .. code-block :: bash
69+
70+ west spdx --init -d BUILD_DIR
71+
72+
73+ SPDX document generation.
74+
75+ #. Build your application using this pre-created build directory, like so:
76+
77+ .. code-block :: bash
78+
79+ west build -d BUILD_DIR [...]
80+
81+
82+
83+ .. code-block :: bash
84+
85+ west spdx -d BUILD_DIR
86+
87+
88+ :file: `BUILD_DIR/spdx/ `:
89+
90+ - :file: `app.spdx `: BOM for the application source files used for the build
91+ - :file: `zephyr.spdx `: BOM for the specific Zephyr source code files used for
92+ the build
93+ - :file: `build.spdx `: BOM for the built output files
94+
95+ Each file in the bill-of-materials is scanned, so that its hashes (SHA256 and
96+ SHA1) can be recorded, along with any detected licenses if an
97+ ``SPDX-License-Identifier `` comment appears in the file.
98+
99+ SPDX Relationships are created to indicate dependencies between
100+ CMake build targets, build targets that are linked together, and
101+ source files that are compiled to generate the built library files.
102+
103+ ``west spdx `` accepts these additional options:
104+
105+ - ``-n PREFIX ``: a prefix for the Document Namespaces that will be included in
106+ the generated SPDX documents. See `SPDX specification 2.2 section 2.5 `_ for
107+ details. If ``-n `` is omitted, a default namespace will be generated
108+ according to the default format described in section 2.5 using a random UUID.
109+
110+ - ``-s SPDX_DIR ``: specifies an alternate directory where the SPDX documents
111+ should be written instead of :file: `BUILD_DIR/spdx/ `.
112+
113+ - ``--analyze-includes ``: in addition to recording the compiled source code
114+ files (e.g. ``.c ``, ``.S ``) in the bills-of-materials, also attempt to
115+ determine the specific header files that are included for each ``.c `` file.
116+
117+ This takes longer, as it performs a dry run using the C compiler for each
118+ ``.c `` file using the same arguments that were passed to it for the actual
119+ build.
120+
121+ - ``--include-sdk ``: with ``--analyze-includes ``, also create a fourth SPDX
122+ document, :file: `sdk.spdx `, which lists header files included from the SDK.
123+
124+ .. _SPDX specification 2.2 section 2.5 :
125+ https://spdx.github.io/spdx-spec/2-document-creation-information/
0 commit comments