Message ID | 20230224192449.1649437-1-saul.wold@windriver.com |
---|---|
State | New |
Series | [v2] create-spdx: Add check for variable contents along with quotes | expand |
On Fri, Feb 24, 2023 at 1:25 PM Saul Wold <saul.wold@windriver.com> wrote: > > This adds a check to ensure we that if a variable is > empty it gets an empty string, this also adds quotes > to indicate the variable contents. > > "comment": "CUSTOM_SPECIAL=" > or > "comment": "CUSTOM_SPECIAL=variable contents" > > Signed-off-by: Saul Wold <saul.wold@windriver.com> > --- > meta/classes/create-spdx-2.2.bbclass | 5 ++- > .../selftest/cases/spdx_custom_annotations.py | 42 +++++++++++++++++++ > 2 files changed, 46 insertions(+), 1 deletion(-) > create mode 100644 meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py > > diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass > index 454dd7a7a07..da90bf8033a 100644 > --- a/meta/classes/create-spdx-2.2.bbclass > +++ b/meta/classes/create-spdx-2.2.bbclass > @@ -524,7 +524,10 @@ python do_create_spdx() { > > if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"): > for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split(): > - recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var))) > + if d.getVar(var): > + recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var).replace('"', '\\"'))) Manually trying to escape quotes can be really hard; Is there a particular reason it's necessary? If you're trying to read this back programmatically, I'd expect: name, value = annotation.split(=, 1) to work > + else: > + recipe.annotations.append(create_annotation(d, var + "=")) > > # Some CVEs may be patched during the build process without incrementing the version number, > # so querying for CVEs based on the CPE id can lead to false positives. To account for this, > diff --git a/meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py b/meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py > new file mode 100644 > index 00000000000..a2bef998988 > --- /dev/null > +++ b/meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py 
> @@ -0,0 +1,42 @@ > +# > +# Copyright OpenEmbedded Contributors > +# > +# SPDX-License-Identifier: MIT > +# > +from oeqa.selftest.case import OESelftestTestCase > +from oeqa.utils.commands import bitbake > +import json > + > +class SPDXCustomAnnotations(OESelftestTestCase): > + > + # Build test recipes with custom-annotation > + def test_spdx_custom_annotations(self): > + self.write_config("INHERIT:append = ' create_spdx'") > + > + result = bitbake('%s custom-annotation') > + print(f"Bitbake Result: {result}") > + try: > + mdir = self.get_dir_from_bb_var('DEPLOY_DIR_SPDX', self.buildtarget) > + with open(f"{mdir}/recpes/recipe-{pn}.spdx.json") as json_file: > + spdx_json = json.load(json_file) > + print(f'{spdx_json["packages"]["annotations"][0]["comment"]}') > + self.assertEqual(spdx_json["packages"]["annotations"][0]["comment"], "ANNOTE1=This is the first custom annotation") > + self.assertEqual(spdx_json["packages"]["annotations"][1]["comment"], "ANNOTE2=This is another custom annotation") > + except: > + print("json load failed") > + > +#class SPDXCustomeAnnotationTests(OESelftestTestCase): > +# def default_config(self): > +# return """ > +#INHERIT:append = " create-spdx" > +#SPDX_CUSTOM_ANNOTATION_VARS:pn-core-image-minimal = "TEST_VAR" > +#TEST_VAR:pn-core-image-minimal = "This is a test annotation" > +#""" > +# > +# def test_image_annotation(self): > +# self.write_config(self.default_config()) > +# > +# result = bitbake('core-image-minimal', ignore_status=True) > + > + > + > -- > 2.25.1 >
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 454dd7a7a07..da90bf8033a 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -524,7 +524,10 @@ python do_create_spdx() {

 if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
 for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
- recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+ if d.getVar(var):
+ recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var).replace('"', '\\"')))
+ else:
+ recipe.annotations.append(create_annotation(d, var + "=")))

 # Some CVEs may be patched during the build process without incrementing the version number,
 # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
diff --git a/meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py b/meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py
new file mode 100644
index 00000000000..a2bef998988
--- /dev/null
+++ b/meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py
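Review bot: The `else` branch line `recipe.annotations.append(create_annotation(d, var + "=")))` closes three parentheses against two opening calls, so the python task body would fail to parse unless the extra `)` is an artefact of the mail rendering. The truthiness check also evaluates `d.getVar(var)` twice; binding it once as `value = d.getVar(var) or ""` lets both branches collapse into a single `create_annotation(d, var + "=" + ...)` call. `d.getVar` returns `None` for a variable that is not set at all, so a misspelt name in SPDX_CUSTOM_ANNOTATION_VARS is silently recorded as an empty annotation rather than reported; a `bb.warn` when the value is `None` would surface that. The body of do_create_spdx continues outside the hunk.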
@@ -0,0 +1,42 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake
+import json
+
+class SPDXCustomAnnotations(OESelftestTestCase):
+
+ # Build test recipes with custom-annotation
+ def test_spdx_custom_annotations(self):
+ self.write_config("INHERIT:append = ' create_spdx'")
+
+ result = bitbake('%s custom-annotation')
+ print(f"Bitbake Result: {result}")
+ try:
+ mdir = self.get_dir_from_bb_var('DEPLOY_DIR_SPDX', self.buildtarget)
+ with open(f"{mdir}/recpes/recipe-{pn}.spdx.json") as json_file:
+ spdx_json = json.load(json_file)
+ print(f'{spdx_json["packages"]["annotations"][0]["comment"]}')
+ self.assertEqual(spdx_json["packages"]["annotations"][0]["comment"], "ANNOTE1=This is the first custom annotation")
+ self.assertEqual(spdx_json["packages"]["annotations"][1]["comment"], "ANNOTE2=This is another custom annotation")
+ except:
+ print("json load failed")
+
+#class SPDXCustomeAnnotationTests(OESelftestTestCase):
+# def default_config(self):
+# return """
+#INHERIT:append = " create-spdx"
+#SPDX_CUSTOM_ANNOTATION_VARS:pn-core-image-minimal = "TEST_VAR"
+#TEST_VAR:pn-core-image-minimal = "This is a test annotation"
+#"""
+#
+# def test_image_annotation(self):
+# self.write_config(self.default_config())
+#
+# result = bitbake('core-image-minimal', ignore_status=True)
+
+
+
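Review bot: The bare `except:` wraps the two `assertEqual` calls, so an `AssertionError` is caught, "json load failed" is printed and the test passes whatever the annotation comments contain; the same handler also hides the `NameError` that `pn` and `self.buildtarget` would raise, since neither is defined in this file, and the literal `'%s custom-annotation'` passed to `bitbake` is never formatted. Dropping the try/except lets those failures surface, and `recpes` in the path looks like a typo for `recipes`. The live config inherits `create_spdx` while the commented-out block below uses `create-spdx`, which matches the `create-spdx-2.2.bbclass` file this series changes, so one of the two spellings is wrong. I have assumed the recipe under test is `custom-annotation` and kept `spdx_json["packages"]` indexed as a mapping, as written; both should be confirmed against a generated document.
```python
    def test_spdx_custom_annotations(self):
        self.write_config("INHERIT:append = ' create-spdx'")

        pn = 'custom-annotation'  # assumed to be the recipe under test - confirm
        bitbake(pn)
        # No try/except: a missing file, a KeyError or a failed assertEqual must fail the test
        mdir = self.get_dir_from_bb_var('DEPLOY_DIR_SPDX', pn)
        with open(f"{mdir}/recipes/recipe-{pn}.spdx.json") as json_file:
            spdx_json = json.load(json_file)
        annotations = spdx_json["packages"]["annotations"]
        self.assertEqual(annotations[0]["comment"], "ANNOTE1=This is the first custom annotation")
        self.assertEqual(annotations[1]["comment"], "ANNOTE2=This is another custom annotation")
```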
This adds a check to ensure that if a variable is empty it gets an empty string; this also adds quotes to indicate the variable contents. "comment": "CUSTOM_SPECIAL=" or "comment": "CUSTOM_SPECIAL=variable contents" Signed-off-by: Saul Wold <saul.wold@windriver.com> --- meta/classes/create-spdx-2.2.bbclass | 5 ++- .../selftest/cases/spdx_custom_annotations.py | 42 +++++++++++++++++++ 2 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 meta/lib/oeqa/selftest/cases/spdx_custom_annotations.py