mbox series

[RFC,0/1] spdx: Add software file externalRef support

Message ID 20251110171337.754568-1-fbberton@gmail.com
Headers show
Series spdx: Add software file externalRef support | expand

Message

Fabio Berton Nov. 10, 2025, 5:13 p.m. UTC 
Hi all,

When starting to test SPDX 3.0 in our projects, we noticed that it would
be necessary to have more information for files fetched via the
'file://' protocol, such as the full path of the file or a URL with git
information.

Our first idea was to use 'downloadLocation', but what I understand is
that this is a package property, and files fetched from the layer are
'software_File' type. Looking at the SPDX spec, it appears we could use
the 'ExternalRef' for this purpose.

The idea is to have two options to add this information: one to add the
full path of a file, and another to add the git information
'git+https://host/repo@commit#path/to/file'. The information is added as
an 'externalRef' and can be configured using these types:
https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/ExternalRefType/

When using the 'path' option, something like this is added:
```
"externalRef": [
          {
            "type": "ExternalRef",
            "externalRefType": "sourceArtifact",
           "locator": [
              "/home/user/src/openembedded-core/meta/recipes-core/busybox/files/syslog"
            ]
          }
        ],
```
This option is non-reproducible, if the build path changes, the SPDX
will be different.

And with the 'git' option:
```
"externalRef": [
          {
            "type": "ExternalRef",
            "externalRefType": "sourceArtifact",
            "locator": [
              "git+https://git.openembedded.org/openembedded-core@ac5d9579a0db63b54bbebb5015de2ae860a462bf#meta/recipes-core/busybox/files/syslog"
            ]
          }
        ],
```

The implementation is not completely finished, but since there is
already a thread on this subject,
https://lists.openembedded.org/g/openembedded-core/topic/thoughts_on_spdx_for_files/116135395,
I wanted to share my work and get opinions on how to improve this
implementation.

My questions are:

Is the 'externalRef' the right way to add the information in the spdx
file?

I'm using the 'choices' type, but this only works when inheriting
typecheck.bbclass, and this bbclass is not inherited when using
OE-Core with 'nodistro'. Can this 'choices' type be used here?

I still need to find a way to cache Git layer information to avoid
calling the 'oe.buildcfg' function every time. Maybe it would be
possible to use something like this:
https://git.openembedded.org/openembedded-core/tree/meta/classes/metadata_scm.bbclass
to get information at parsing time. However, this
information is only needed when using SPDX_FILE_LOCATION with the git
option, and for all layers. Any idea here?

For the git option, we need to get a git remote, but there can be more
than one remote per layer, so we need a way to configure these remotes.
In this first implementation, I'm assuming that all layers use the same
remote, and the remote name can be configured, which fits our current
use case.

Should I add a variable like 'SPDX_FILE_LOCATION_GIT_REMOTE_<layername>
= "remote_name"' to set a specific remote for each layer? Would setting
the git remote be sufficient to cover most cases?

Any feedback or suggestions would be appreciated.

Best regards,
Fabio

Fabio Berton (1):
  spdx: Add software file externalRef support

 meta/classes/create-spdx-3.0.bbclass | 24 +++++++
 meta/lib/oe/sbom30.py                | 14 ++++-
 meta/lib/oe/spdx30_tasks.py          | 93 ++++++++++++++++++++++++++++
 3 files changed, 130 insertions(+), 1 deletion(-)