@@ -60,6 +60,9 @@ more information in the output :term:`SPDX` data:
- Add a description of the source files used to generate host tools and target
packages (:term:`SPDX_INCLUDE_SOURCES`)
+- Add a description of the **compiled** source files used to generate host tools
+ and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`)
+
- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
Though the toplevel :term:`SPDX` output is available in
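Review bot: the new bullet does not say how it relates to the existing :term:`SPDX_INCLUDE_SOURCES` entry directly above it, so a reader of this list cannot tell whether the two options are alternatives or complementary; consider wording it as "Add a description of only those source files actually used to compile the host tools and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`), a narrower alternative to :term:`SPDX_INCLUDE_SOURCES`". Minor style point: the added blank line between this item and the following "- Add archives" bullet is inconsistent with the rest of the list, where items are not separated by blank lines; dropping it keeps the list uniform.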
@@ -8764,6 +8764,28 @@ system and gives an overview of their function and contents.
image), compared to just using the :ref:`ref-classes-create-spdx` class
with no option.
+ :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+ This option allows the same as :term:`SPDX_INCLUDE_SOURCES` but including
+ only the sources used to compile the host tools and the target packages.
+ While :term:`SPDX_INCLUDE_SOURCES` includes all files in the source
+ directory as source file descriptions, :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+ includes only the sources that are used to produce the binaries delivered
+ as packages. The source files that are not used during compilation are not
+ included in the SBOM. It uses debugsource information generated during
+ ``do_package`` to filter out source files.
+
+ This enables an external tool to use the SPDX information to disregard
+ vulnerabilities that are not compiled in the packages.
+
+ Enable this option as follows::
+
+ SPDX_INCLUDE_COMPILED_SOURCES = "1"
+
+ According to our tests, building ``core-image-minimal`` for the
+ ``qemux86-64`` machine, enabling this option compared with the
+ :term:`SPDX_INCLUDE_SOURCES` reduces the size of the ``tmp/deploy/spdx``
+ directory from 2GB to 1.6GB.
+
:term:`SPDX_NAMESPACE_PREFIX`
This option could be used in order to change the prefix of ``spdxDocument``
and the prefix of ``documentNamespace``. It is set by default to
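Review bot: the new glossary entry leaves two things undocumented that a user will need before relying on it. First, it never states what happens when both :term:`SPDX_INCLUDE_SOURCES` and :term:`SPDX_INCLUDE_COMPILED_SOURCES` are set to "1", so the precedence (or whether they are mutually exclusive) should be spelled out next to the "Enable this option as follows::" example. Second, since the filtering is driven by "debugsource information generated during ``do_package``", the text should say explicitly that sources which leave no debug-info trace (recipes that do not produce debug information, or files consumed without being compiled) will be absent from the SBOM; this matters for the sentence "disregard vulnerabilities that are not compiled in the packages", because an external tool treating "absent from the SPDX data" as "not affected" will draw the wrong conclusion for such files. Wording: "This option allows the same as :term:`SPDX_INCLUDE_SOURCES` but including only" reads awkwardly; suggest "This option behaves like :term:`SPDX_INCLUDE_SOURCES` but includes only the sources actually used to compile the host tools and the target packages." The closing paragraph "According to our tests, building ..." is first-person and unusual for this reference section; "As an example, building ``core-image-minimal`` for ``qemux86-64`` with this option instead of :term:`SPDX_INCLUDE_SOURCES` reduces ``tmp/deploy/spdx`` from 2GB to 1.6GB." keeps the figures while matching the surrounding register.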