| Message ID | 20250423060951.1692070-1-haitao.mi@windriver.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v2] spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM. | expand |
Sorry, I wish we could merge this, but until we have a comprehensive plan for what yocto purls look like, we need to wait. Just "making something" is likely to need to be revised later, which will cause confusion about what they mean, cause breakage, and IMHO, be worse off in the long run. FWIW, I'm not convinced we can use the deb:// and rpm:// protocols for our purls anyway. NACK On Wed, Apr 23, 2025 at 12:09 AM Haitao Mi <haitao.mi@windriver.com> wrote: > > A purl is composed with these fields: > scheme:type/namespace/name@version?qualifiers#subpath > > Set 'namespace' field through SPDX_PURL_NAMESPACE variable, the default > value is ${DISTRO}. > > Insert private project info into 'qualifiers' field through > PACKAGE_URL_QUALIFIERS_EXTEND variable, join the key=value format > with '&' symbol. > > Set 'subpath' field through SPDX_PURL_SUBPATH variable, default is empty. > > Signed-off-by: Haitao Mi <haitao.mi@windriver.com> > --- > meta/classes/create-spdx-3.0.bbclass | 9 +++++++++ > meta/lib/oe/spdx30_tasks.py | 25 +++++++++++++++++++++++++ > 2 files changed, 34 insertions(+) > > diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass > index 044517d9f7..962e46e836 100644 > --- a/meta/classes/create-spdx-3.0.bbclass > +++ b/meta/classes/create-spdx-3.0.bbclass > @@ -117,6 +117,14 @@ SPDX_PACKAGE_VERSION ??= "${PV}" > SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \ > in software_Package" > > +SPDX_PURL_NAMESPACE ??= "${DISTRO}" > +SPDX_PURL_NAMESPACE[doc] = "The value of the 'namespace' field in software_packageUrl" > + > +SPDX_PURL_QUALIFIERS_EXTEND[doc] = "The project private info can be inserted into \ > + the 'qualifiers' field of software_packageUrl through this variable." > + > +SPDX_PURL_SUBPATH[doc] = "The value of the 'subpath' field in software_packageUrl" > + > IMAGE_CLASSES:append = " create-spdx-image-3.0" > SDK_CLASSES += "create-spdx-sdk-3.0" 
>
> @@ -144,6 +152,7 @@ do_create_spdx[vardeps] += "\
>      SPDX_NAMESPACE_PREFIX \
>      SPDX_UUID_NAMESPACE \
>  "
> +oe.spdx30_tasks.create_spdx[vardepsexclude] += " MACHINE "
>
>  addtask do_create_spdx after \
>      do_collect_spdx_deps \
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index ba965821f8..310638277e 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -631,6 +631,31 @@ def create_spdx(d):
>          set_var_field("SUMMARY", spdx_package, "summary", package=package)
>          set_var_field("DESCRIPTION", spdx_package, "description", package=package)
>
> +        purl_qualifiers = "distro=%s-%s&arch=%s" % (d.getVar("DISTRO"), \
> +                                                     d.getVar("DISTRO_VERSION"), \
> +                                                     d.getVar("MACHINE"), \
> +                                                    )
> +        purl_qualifiers_extend = d.getVar("SPDX_PURL_QUALIFIERS_EXTEND")
> +        if purl_qualifiers_extend:
> +            purl_qualifiers += "&%s" % purl_qualifiers_extend
> +
> +        purl_type = d.getVar("IMAGE_PKGTYPE")
> +        if purl_type == "ipk":
> +            purl_type = "yocto"
> +            purl_qualifiers = "file_extension=ipk&" + purl_qualifiers
> +
> +        purl_subpath = d.getVar("SPDX_PURL_SUBPATH")
> +        purl_subpath = "#" + purl_subpath if purl_subpath else ""
> +
> +        purl = "pkg:%s/%s/%s@%s?%s%s" % (purl_type, \
> +                                         d.getVar("SPDX_PURL_NAMESPACE"), \
> +                                         pkg_name, \
> +                                         d.getVar("EXTENDPKGV"), \
> +                                         purl_qualifiers, \
> +                                         purl_subpath \
> +                                        )
> +        setattr(spdx_package, "software_packageUrl", purl)
> +
>          pkg_objset.new_scoped_relationship(
>              [oe.sbom30.get_element_link_id(build)],
>              oe.spdx30.RelationshipType.hasOutput,
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 044517d9f7..962e46e836 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -117,6 +117,14 @@ SPDX_PACKAGE_VERSION ??= "${PV}"
 SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
     in software_Package"
 
+SPDX_PURL_NAMESPACE ??= "${DISTRO}"
+SPDX_PURL_NAMESPACE[doc] = "The value of the 'namespace' field in software_packageUrl"
+
+SPDX_PURL_QUALIFIERS_EXTEND[doc] = "The project private info can be inserted into \
+    the 'qualifiers' field of software_packageUrl through this variable."
+
+SPDX_PURL_SUBPATH[doc] = "The value of the 'subpath' field in software_packageUrl"
+
 IMAGE_CLASSES:append = " create-spdx-image-3.0"
 SDK_CLASSES += "create-spdx-sdk-3.0"
 
@@ -144,6 +152,7 @@ do_create_spdx[vardeps] += "\
     SPDX_NAMESPACE_PREFIX \
     SPDX_UUID_NAMESPACE \
 "
+oe.spdx30_tasks.create_spdx[vardepsexclude] += " MACHINE "
 
 addtask do_create_spdx after \
     do_collect_spdx_deps \
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index ba965821f8..310638277e 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
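Review bot: The added `oe.spdx30_tasks.create_spdx[vardepsexclude] += " MACHINE "` in the second hunk drops MACHINE from the task signature while the companion hunk in spdx30_tasks.py writes d.getVar("MACHINE") into the purl's arch= qualifier, so an sstate-cached SBOM can be restored for a different MACHINE with a stale arch value and the recorded purl no longer matches the image it describes. If the task is meant to stay machine-independent, the qualifier should be derived from a variable already covered by the signature (PACKAGE_ARCH looks like the natural candidate — confirm) and the vardepsexclude line dropped; otherwise MACHINE should remain in vardeps and the rebuild accepted. SPDX_PURL_QUALIFIERS_EXTEND and SPDX_PURL_SUBPATH receive [doc] flags but no default, which works because the Python side tests them for truthiness, but a line such as `# Unset by default; expects '&'-joined key=value pairs (see spdx30_tasks.py)` next to the [doc] flag would tell readers what format to supply. Separately, the commit message names the qualifier variable PACKAGE_URL_QUALIFIERS_EXTEND while this hunk documents SPDX_PURL_QUALIFIERS_EXTEND; the message should be corrected to match.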
@@ -631,6 +631,31 @@ def create_spdx(d):
         set_var_field("SUMMARY", spdx_package, "summary", package=package)
         set_var_field("DESCRIPTION", spdx_package, "description", package=package)
 
+        purl_qualifiers = "distro=%s-%s&arch=%s" % (d.getVar("DISTRO"), \
+                                                     d.getVar("DISTRO_VERSION"), \
+                                                     d.getVar("MACHINE"), \
+                                                    )
+        purl_qualifiers_extend = d.getVar("SPDX_PURL_QUALIFIERS_EXTEND")
+        if purl_qualifiers_extend:
+            purl_qualifiers += "&%s" % purl_qualifiers_extend
+
+        purl_type = d.getVar("IMAGE_PKGTYPE")
+        if purl_type == "ipk":
+            purl_type = "yocto"
+            purl_qualifiers = "file_extension=ipk&" + purl_qualifiers
+
+        purl_subpath = d.getVar("SPDX_PURL_SUBPATH")
+        purl_subpath = "#" + purl_subpath if purl_subpath else ""
+
+        purl = "pkg:%s/%s/%s@%s?%s%s" % (purl_type, \
+                                         d.getVar("SPDX_PURL_NAMESPACE"), \
+                                         pkg_name, \
+                                         d.getVar("EXTENDPKGV"), \
+                                         purl_qualifiers, \
+                                         purl_subpath \
+                                        )
+        setattr(spdx_package, "software_packageUrl", purl)
+
         pkg_objset.new_scoped_relationship(
             [oe.sbom30.get_element_link_id(build)],
             oe.spdx30.RelationshipType.hasOutput,
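Review bot: None of the values interpolated into `purl` are percent-encoded, although the purl specification requires it for namespace, name, version, qualifier values and subpath; a DISTRO_VERSION or EXTENDPKGV containing '+', an SPDX_PURL_QUALIFIERS_EXTEND value containing '&', '#' or '?', or an SPDX_PURL_SUBPATH with reserved characters therefore yields a string that consumers split into different components than intended, so the package identity recorded in the SBOM becomes ambiguous or wrong. `d.getVar("IMAGE_PKGTYPE")` is also used unchecked, so an unset variable produces the literal `pkg:None/...` rather than an error. The rewrite below encodes each component with urllib.parse.quote (needs `from urllib.parse import quote` at the module top), re-validates the caller-supplied qualifier pairs, and fails loudly on a missing package type; the bb.fatal call assumes this module already uses the bb logging helpers — confirm. create_spdx starts and ends outside this hunk.
```python
        # … unchanged: set_var_field("SUMMARY" / "DESCRIPTION") …
        # Every purl component is percent-encoded so that reserved characters in
        # build metadata cannot be misread as purl structure by SBOM consumers.
        purl_qualifiers = "distro=%s-%s&arch=%s" % (
            quote(d.getVar("DISTRO") or "", safe=""),
            quote(d.getVar("DISTRO_VERSION") or "", safe=""),
            quote(d.getVar("MACHINE") or "", safe=""),
        )
        purl_qualifiers_extend = d.getVar("SPDX_PURL_QUALIFIERS_EXTEND")
        if purl_qualifiers_extend:
            # Re-encode each caller-supplied key=value pair individually so a stray
            # '&', '#' or '?' cannot split the qualifier list or start the subpath.
            extra = []
            for pair in purl_qualifiers_extend.split("&"):
                key, _sep, value = pair.partition("=")
                if key:
                    extra.append("%s=%s" % (quote(key, safe=""), quote(value, safe="")))
            if extra:
                purl_qualifiers += "&" + "&".join(extra)

        purl_type = d.getVar("IMAGE_PKGTYPE")
        if not purl_type:
            bb.fatal("IMAGE_PKGTYPE must be set to derive the software_packageUrl type")
        # … unchanged: ipk -> yocto mapping and file_extension qualifier …

        purl_subpath = d.getVar("SPDX_PURL_SUBPATH")
        # '/' separates subpath segments and must stay literal; everything else is encoded.
        purl_subpath = "#" + quote(purl_subpath, safe="/") if purl_subpath else ""

        purl = "pkg:%s/%s/%s@%s?%s%s" % (
            purl_type,
            quote(d.getVar("SPDX_PURL_NAMESPACE") or "", safe="/"),
            quote(pkg_name, safe=""),
            quote(d.getVar("EXTENDPKGV") or "", safe=""),
            purl_qualifiers,
            purl_subpath,
        )
        # … unchanged: setattr(spdx_package, "software_packageUrl", purl) …
```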
A purl is composed of these fields:
scheme:type/namespace/name@version?qualifiers#subpath

Set the 'namespace' field through the SPDX_PURL_NAMESPACE variable; the default value is ${DISTRO}.

Insert private project info into the 'qualifiers' field through the PACKAGE_URL_QUALIFIERS_EXTEND variable, as key=value pairs joined with the '&' symbol.

Set the 'subpath' field through the SPDX_PURL_SUBPATH variable; the default is empty.

Signed-off-by: Haitao Mi <haitao.mi@windriver.com>
---
meta/classes/create-spdx-3.0.bbclass | 9 +++++++++
meta/lib/oe/spdx30_tasks.py | 25 +++++++++++++++++++++++++
2 files changed, 34 insertions(+)