diff mbox series

spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM.

Message ID 20250415090304.139447-1-haitao.mi@windriver.com
State New
Series spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM.

Commit Message

Haitao Mi April 15, 2025, 9:03 a.m. UTC
From: Haitao Mi <haitao.mi@windriver.com>

A purl is composed of these fields:
scheme:type/namespace/name@version?qualifiers#subpath

Set the 'namespace' field through the SPDX_PURL_NAMESPACE variable; the
default value is ${DISTRO}.

Insert private project info into the 'qualifiers' field through the
PACKAGE_URL_QUALIFIERS_EXTEND variable, joining the key=value pairs
with the '&' symbol.

Set the 'subpath' field through the SPDX_PURL_SUBPATH variable; the default is empty.

Signed-off-by: Haitao Mi <haitao.mi@windriver.com>
---
 meta/classes/create-spdx-3.0.bbclass |  8 ++++++++
 meta/lib/oe/spdx30_tasks.py          | 25 +++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
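The commit message describes composing a purl as scheme:type/namespace/name@version?qualifiers#subpath, with extra qualifiers supplied as key=value pairs joined by '&'. The following is an added example, not code from the patch or from OpenEmbedded, showing that composition carried through with the purl spec's encoding rules (percent-encoded components, sorted qualifier keys, empty values dropped, '.' and '..' subpath segments removed) so a value containing '+', '&', '=', a space or a slash stays inside its own component. Function names (build_purl, distro_package_purl, parse_purl, parse_qualifier_string) and all sample values are constructed for this illustration.

```python
"""Added example (not from the patch): compose a package URL (purl) from the
components the commit message names, applying the purl spec's encoding rules,
then parse it back. All names and sample values are constructed here."""
import re
from urllib.parse import quote, unquote

# Qualifier keys: letters, digits, '.', '-', '_'; may not start with a digit.
_QUALIFIER_KEY = re.compile(r"^[A-Za-z._-][A-Za-z0-9._-]*$")

def _enc(value, safe=":"):
    """Percent-encode one component; ':' stays literal, '/' is encoded unless
    the caller allows it (qualifier values may keep it)."""
    return quote(value, safe=safe)

def parse_qualifier_string(extra):
    """Split the 'key=value&key2=value2' form the commit message describes."""
    result = {}
    for item in (extra or "").split("&"):
        if not item:
            continue
        if "=" not in item:
            raise ValueError("qualifier %r is not key=value" % item)
        key, value = item.split("=", 1)
        result[key] = value
    return result

def build_purl(pkg_type, name, version=None, namespace=None,
               qualifiers=None, subpath=None):
    """Assemble a canonical purl. Every component is encoded, so a value that
    contains '&', '=', '@', '?', '#' or '/' cannot spill into a neighbour."""
    if not pkg_type or not name:
        raise ValueError("purl type and name are required")
    purl = "pkg:%s/" % pkg_type.lower()
    if namespace:
        segments = [_enc(s) for s in namespace.strip("/").split("/") if s]
        purl += "/".join(segments) + "/"
    purl += _enc(name)
    if version:
        purl += "@" + _enc(version)
    qualifiers = qualifiers or {}
    pairs, seen = [], set()
    for key in sorted(qualifiers, key=str.lower):  # spec: sort by key
        value = qualifiers[key]
        if value is None or value == "":
            continue  # spec: a qualifier with an empty value is dropped
        if not _QUALIFIER_KEY.match(key):
            raise ValueError("invalid qualifier key %r" % key)
        if key.lower() in seen:
            raise ValueError("duplicate qualifier key %r" % key)
        seen.add(key.lower())
        pairs.append("%s=%s" % (key.lower(), _enc(value, safe=":/")))
    if pairs:
        purl += "?" + "&".join(pairs)
    if subpath:
        segments = [_enc(s) for s in subpath.strip("/").split("/")
                    if s and s not in (".", "..")]  # spec: drop '.' and '..'
        if segments:
            purl += "#" + "/".join(segments)
    return purl

def distro_package_purl(pkg_type, namespace, pkg_name, pkg_version, distro,
                        distro_version, machine, extra_qualifiers="", subpath=""):
    """Compose the purl the way the patch does (distro/arch qualifiers, 'ipk'
    mapped to the generic type plus a file_extension qualifier, an
    operator-supplied key=value&... extension), but encoded, and refusing an
    extension that redefines a built-in qualifier."""
    qualifiers = {"distro": "%s-%s" % (distro, distro_version), "arch": machine}
    if pkg_type == "ipk":
        pkg_type = "generic"
        qualifiers["file_extension"] = "ipk"
    for key, value in parse_qualifier_string(extra_qualifiers).items():
        if key.lower() in qualifiers:
            raise ValueError("extension redefines built-in qualifier %r" % key)
        qualifiers[key] = value
    return build_purl(pkg_type, pkg_name, version=pkg_version,
                      namespace=namespace, qualifiers=qualifiers, subpath=subpath)

def parse_purl(purl):
    """Minimal inverse of build_purl, enough to verify the round trip."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest, _, subpath = purl[len("pkg:"):].partition("#")
    rest, _, query = rest.partition("?")
    pkg_type, _, rest = rest.partition("/")
    rest, version = rest.rsplit("@", 1) if "@" in rest else (rest, "")
    segments = rest.split("/")
    qualifiers = {k: unquote(v) for k, _, v in
                  (item.partition("=") for item in query.split("&") if item)}
    return {"type": pkg_type, "name": unquote(segments[-1]),
            "namespace": "/".join(unquote(s) for s in segments[:-1]) or None,
            "version": unquote(version) or None, "qualifiers": qualifiers,
            "subpath": unquote(subpath) or None}

if __name__ == "__main__":
    # Constructed sample: a '+' in the distro version and a space in an
    # operator-supplied qualifier both survive the round trip unchanged.
    p = distro_package_purl("rpm", "poky", "e2fsprogs", "1.47.1-r0", "poky",
                            "5.1+snapshot", "qemux86-64",
                            "vendor=Acme Corp&build_id=12345", "usr/lib")
    print(p)
    print(parse_purl(p)["qualifiers"]["distro"])
```

The encoding step is what makes the extension variable safe to accept from a layer: an operator-supplied value is escaped rather than parsed as separators, and a key that collides with the built-in distro or arch qualifier is rejected instead of silently overriding it.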

Comments

Mathieu Dubois-Briand April 18, 2025, 8:48 a.m. UTC | #1
On Tue Apr 15, 2025 at 11:03 AM CEST, Haitao Mi via lists.openembedded.org wrote:
> From: Haitao Mi <haitao.mi@windriver.com>
>
> A purl is composed of these fields:
> scheme:type/namespace/name@version?qualifiers#subpath
>
> Set the 'namespace' field through the SPDX_PURL_NAMESPACE variable; the
> default value is ${DISTRO}.
>
> Insert private project info into the 'qualifiers' field through the
> PACKAGE_URL_QUALIFIERS_EXTEND variable, joining the key=value pairs
> with the '&' symbol.
>
> Set the 'subpath' field through the SPDX_PURL_SUBPATH variable; the default is empty.
>
> Signed-off-by: Haitao Mi <haitao.mi@windriver.com>
> ---

Hi,

Thanks for your patch.

It looks like this is causing some issue with oe-selftests, as can be
seen on the autobuilder:

2025-04-17 16:37:06,858 - oe-selftest - INFO - FAIL: sstatetests.SStateHashSameSigs3.test_sstate_multilib_or_not_native_samesigs (subunit.RemotedTestCase)
2025-04-17 16:37:06,858 - oe-selftest - INFO - ----------------------------------------------------------------------
2025-04-17 16:37:06,858 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/meta/lib/oeqa/selftest/cases/sstatetests.py", line 588, in test_sstate_multilib_or_not_native_samesigs
    self.assertCountEqual(files1, files2)
  File "/usr/lib64/python3.12/unittest/case.py", line 1216, in assertCountEqual
    self.fail(msg)
  File "/usr/lib64/python3.12/unittest/case.py", line 715, in fail
    raise self.failureException(msg)
AssertionError: Element counts were not equal:
First has 1, Second has 0:  '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-1615629/tmp-sstatesamehash/stamps/x86_64-linux/e2fsprogs-native/1.47.1.do_create_spdx.sigdata.d0c055a026310db6c0ae4466d0dd7e8c7a6dae353690b6c59b8551fdb9628ef3'
First has 1, Second has 0:  '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-1615629/tmp-sstatesamehash/stamps/x86_64-linux/e2fsprogs-native/1.47.1.do_collect_spdx_deps.sigdata.dc5f13f56a3a4a875716f8857636dc8f603e559a734f95a49f8327e5c937d7bb'
...

https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/1323

Can you have a look at this failure please?

Patch

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 044517d9f7..c2499dde59 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -117,6 +117,14 @@  SPDX_PACKAGE_VERSION ??= "${PV}"
 SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
     in software_Package"
 
+SPDX_PURL_NAMESPACE ??= "${DISTRO}"
+SPDX_PURL_NAMESPACE[doc] = "The value of the namespace field in software_packageUrl"
+
+SPDX_PURL_QUALIFIERS_EXTEND[doc] = "The project private info in the qualifiers field \
+    of software_packageUrl"
+
+SPDX_PURL_SUBPATH[doc] = "The value of the subpath field in software_packageUrl"
+
 IMAGE_CLASSES:append = " create-spdx-image-3.0"
 SDK_CLASSES += "create-spdx-sdk-3.0"
 
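Review bot: SPDX_PURL_QUALIFIERS_EXTEND and SPDX_PURL_SUBPATH receive a [doc] flag but no default assignment, unlike `SPDX_PURL_NAMESPACE ??= "${DISTRO}"` just above them; add `SPDX_PURL_QUALIFIERS_EXTEND ??= ""` and `SPDX_PURL_SUBPATH ??= ""` so the documented variables actually exist in the class and the flags attach to a defined variable. The doc string for SPDX_PURL_QUALIFIERS_EXTEND should also state the expected format (key=value pairs joined with '&', as the commit message describes), and the commit message calls the variable PACKAGE_URL_QUALIFIERS_EXTEND while the class defines SPDX_PURL_QUALIFIERS_EXTEND; the two need to agree.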
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index ba965821f8..78593e917e 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -631,6 +631,31 @@  def create_spdx(d):
             set_var_field("SUMMARY", spdx_package, "summary", package=package)
             set_var_field("DESCRIPTION", spdx_package, "description", package=package)
 
+            purl_qualifiers = "distro=%s-%s&arch=%s" % (d.getVar("DISTRO"), \
+                                                        d.getVar("DISTRO_VERSION"), \
+                                                        d.getVar("MACHINE"), \
+                                                        )
+            purl_qualifiers_extend = d.getVar("SPDX_PURL_QUALIFIERS_EXTEND")
+            if purl_qualifiers_extend:
+                purl_qualifiers += "&%s" % purl_qualifiers_extend
+
+            purl_type = d.getVar("IMAGE_PKGTYPE")
+            if purl_type == "ipk":
+                purl_type = "generic"
+                purl_qualifiers = "file_extension=ipk&" + purl_qualifiers
+
+            purl_subpath = d.getVar("SPDX_PURL_SUBPATH")
+            purl_subpath = "#" + purl_subpath if purl_subpath else ""
+
+            purl = "pkg:%s/%s/%s@%s?%s%s" % (purl_type, \
+                                             d.getVar("SPDX_PURL_NAMESPACE"), \
+                                             pkg_name, \
+                                             d.getVar("EXTENDPKGV"), \
+                                             purl_qualifiers, \
+                                             purl_subpath \
+                                             )
+            setattr(spdx_package, "software_packageUrl", purl)
+
             pkg_objset.new_scoped_relationship(
                 [oe.sbom30.get_element_link_id(build)],
                 oe.spdx30.RelationshipType.hasOutput,
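Review bot: none of the values interpolated into the purl string are percent-encoded, so a DISTRO_VERSION, EXTENDPKGV or SPDX_PURL_QUALIFIERS_EXTEND value containing '+', '&', '=', '?', '#' or a space yields a purl that breaks the spec's component encoding rules and can move data into a neighbouring component; run namespace, pkg_name, the version and each qualifier value through urllib.parse.quote (leaving ':' and '/' literal in qualifier values) before joining them, and sort the qualifier keys as the spec requires. Second, the qualifiers string bakes d.getVar("DISTRO_VERSION") and d.getVar("MACHINE") into the do_create_spdx output of every package, native ones included; that matches the sstatetests.SStateHashSameSigs3.test_sstate_multilib_or_not_native_samesigs failure quoted in the comments, where the e2fsprogs-native do_create_spdx sigdata differ between builds expected to be identical, so native and cross packages need a MACHINE-independent qualifier set or these variables kept out of their signature. Style: the trailing backslashes inside the parentheses of the two `%` expressions are unnecessary, since a bracketed expression may span lines without continuation characters, and the lone `)` lines can move onto the last argument line.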