How to start worrying and do Software Composition Analysis in a complex YOCTO project.
YOCTO is the go-to build environment for embedded devices. Developing in YOCTO has countless advantages and gives developers almost unlimited power. But from a compliance point of view it is an unholy nigh--- ahem, it presents a lot of challenges. Building on our experience in driving YOCTO projects to compliance, first and foremost Eclipse Oniro, we will guide the audience to a grasp of how many complications it creates and why it requires a solid external toolchain to govern FOSS compliance and even security vulnerability (CVE) management and reporting. A project could fail spectacularly on both fronts if the pitfalls are not adequately flagged and a well-crafted process is not put in place. There is more in a recipe than meets the eye. Let's dive into it.