| Message ID | 20260302160114.46884-1-stefano.tondo.ext@siemens.com |
|---|---|
| Headers | show |
| Series | spdx30: SBOM enrichment and documentation | expand |
Hi, On Mon Mar 2, 2026 at 5:01 PM CET, Stefano Tondo via lists.openembedded.org wrote: > This v5 drops patch 07/11 ("spdx30: Include recipe base PURL in package > external identifiers") from the v4 series, as it is now superseded by > Joshua Watt's commit 874b2d301d ("spdx: Add yocto PURLs") which already > includes oe.purl.get_base_purl(d) in the default SPDX_PACKAGE_URLS value, > making the separate patch redundant. > > All other v4 patches are unchanged. See v4 cover letter for full context. > > Changes since v4: > - Dropped 07/11: "spdx30: Include recipe base PURL in package external > identifiers" — superseded by 874b2d301d (spdx: Add yocto PURLs, > Joshua Watt, merged to master Jan 8 2026) > > Stefano Tondo (10): > spdx30: Add configurable file filtering support > spdx30: Add supplier support for image and SDK SBOMs > spdx30: Add ecosystem-specific PURL generation > spdx30: Add version extraction from SRCREV for Git source components > spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting > spdx30: Enrich source downloads with external refs and PURLs > oeqa/selftest: Add test for download_location defensive handling > spdx.py: Add test for version extraction patterns > cve_check: Escape special characters in CPE 2.3 formatted strings > spdx-common: Add documentation for undocumented SPDX variables > > meta/classes/create-spdx-3.0.bbclass | 20 ++ > meta/classes/spdx-common.bbclass | 63 +++++ > meta/lib/oe/cve_check.py | 37 ++- > meta/lib/oe/spdx30_tasks.py | 329 ++++++++++++++++++++++++++- > meta/lib/oeqa/selftest/cases/spdx.py | 75 ++++++ > 5 files changed, 518 insertions(+), 6 deletions(-) If this series is accepted and merged, would you be able to help documenting the new variables introduced by the series in the Yocto Project documentation? This would be sent on the docs@lists.yoctoproject.org list. Documentation for these variables would be in: https://git.yoctoproject.org/yocto-docs/tree/documentation/ref-manual/variables.rst. The SBOM document would also likely need an update: https://git.yoctoproject.org/yocto-docs/tree/documentation/dev-manual/sbom.rst It can most likely be based off the documentation you've already written through the [doc] flag. I can help with the rST formatting. This would be greatly appreciated! Antonin
Hi Antonin, sure, I can do it! Best, Stefano
This v5 drops patch 07/11 ("spdx30: Include recipe base PURL in package external identifiers") from the v4 series, as it is now superseded by Joshua Watt's commit 874b2d301d ("spdx: Add yocto PURLs") which already includes oe.purl.get_base_purl(d) in the default SPDX_PACKAGE_URLS value, making the separate patch redundant. All other v4 patches are unchanged. See v4 cover letter for full context. Changes since v4: - Dropped 07/11: "spdx30: Include recipe base PURL in package external identifiers" — superseded by 874b2d301d (spdx: Add yocto PURLs, Joshua Watt, merged to master Jan 8 2026) Stefano Tondo (10): spdx30: Add configurable file filtering support spdx30: Add supplier support for image and SDK SBOMs spdx30: Add ecosystem-specific PURL generation spdx30: Add version extraction from SRCREV for Git source components spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting spdx30: Enrich source downloads with external refs and PURLs oeqa/selftest: Add test for download_location defensive handling spdx.py: Add test for version extraction patterns cve_check: Escape special characters in CPE 2.3 formatted strings spdx-common: Add documentation for undocumented SPDX variables meta/classes/create-spdx-3.0.bbclass | 20 ++ meta/classes/spdx-common.bbclass | 63 +++++ meta/lib/oe/cve_check.py | 37 ++- meta/lib/oe/spdx30_tasks.py | 329 ++++++++++++++++++++++++++- meta/lib/oeqa/selftest/cases/spdx.py | 75 ++++++ 5 files changed, 518 insertions(+), 6 deletions(-)