Auditing your Yocto build for CRA compliance

TL;DR

CRA is a paperwork regulation, not a scanner-selection problem. Yocto already emits the build-derivable half: SBOM (create-spdx), CVE scans, license manifests, signing posture. The vendor-committed half - CVD policy, support period, update mechanism, Declaration of Conformity - has to be written by hand. shipcheck reads a Yocto build plus product.yaml, pivots findings by CRA Annex, and drafts your Annex VII technical file and DoC.

The received wisdom is wrong

Read any CRA compliance article from a security vendor and you will see the same shape of pitch: run a scanner, triage the CVEs, generate an SBOM, ship. The regulation becomes a scanner-selection problem, and whichever product the vendor sells happens to be the right scanner. ...
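The two-halves split the TL;DR describes, as an added illustration (this is not shipcheck's code or the author's): each CRA requirement is tagged as either build-derivable (a file Yocto drops into deploy/) or vendor-committed (a key the vendor writes into product.yaml), and the audit reports per Annex what is present and what is still missing. The requirement list, file patterns, product.yaml keys and Annex labels are assumptions chosen for the example.

```python
# Added example, not shipcheck's code. Requirement names, glob patterns,
# product.yaml keys and the Annex each one is filed under are assumptions.
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Requirement:
    annex: str     # CRA Annex the evidence is filed under (assumed mapping)
    name: str
    source: str    # "build": Yocto deploy/ artefact; "vendor": product.yaml key
    pattern: str   # glob for build artefacts, or the product.yaml key name


REQUIREMENTS = [
    Requirement("Annex I", "SBOM (create-spdx output)", "build", "*.spdx.json"),
    Requirement("Annex I", "CVE scan report", "build", "cve-summary.json"),
    Requirement("Annex VII", "License manifest", "build", "*.license.manifest"),
    Requirement("Annex I", "CVD policy", "vendor", "cvd_policy_url"),
    Requirement("Annex I", "Support period", "vendor", "support_period_end"),
    Requirement("Annex I", "Update mechanism", "vendor", "update_mechanism"),
    Requirement("Annex V", "DoC signatory", "vendor", "doc_signatory"),
]


def audit(deploy_files, product):
    """Pivot requirements by Annex: {annex: {"present": [...], "missing": [...]}}.

    Build evidence is satisfied by a matching file name in the deploy/ listing;
    vendor evidence is satisfied by a non-empty value in the parsed product.yaml.
    """
    report = {}
    for req in REQUIREMENTS:
        if req.source == "build":
            present = any(fnmatch.fnmatch(f, req.pattern) for f in deploy_files)
        else:
            present = bool(product.get(req.pattern))
        bucket = report.setdefault(req.annex, {"present": [], "missing": []})
        bucket["present" if present else "missing"].append(f"{req.name} [{req.source}]")
    return report


# Constructed sample input: a deploy/ listing and an already-parsed product.yaml,
# each deliberately leaving one requirement unmet.
SAMPLE_DEPLOY = ["core-image-minimal-qemux86-64.spdx.json", "cve-summary.json"]
SAMPLE_PRODUCT = {
    "cvd_policy_url": "https://example.invalid/security",  # placeholder URL
    "support_period_end": "2031-04-24",
    "update_mechanism": "A/B image update",
}

if __name__ == "__main__":
    for annex, buckets in audit(SAMPLE_DEPLOY, SAMPLE_PRODUCT).items():
        print(annex, "missing:", buckets["missing"])
```

Anything listed under "missing" with a [vendor] tag cannot be fixed by re-running the build; it is text the vendor has to write.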

April 24, 2026 · 12 min · 2355 words · Javier Tia