
[v4,0/9] Add SPDX 3 Recipe Information

Message ID 20260303004550.650726-1-JPEWhacker@gmail.com

Message

Joshua Watt March 3, 2026, 12:43 a.m. UTC
Changes the SPDX 3 output to include a "recipe" package that describes
static information available at parse time (without building). This is
primarily useful for gathering SPDX 3 VEX information about some or all
recipes, enabling SPDX 3 to be used in place of cve_check.bbclass and
vex.bbclass.

Special thanks to Benjamin Robin <benjamin.robin@bootlin.com> for
helping work through this.

V2: Fixes a bug where do_populate_sysroot was running when it should not
be. Drops the patch to ignore ASSUME_PROVIDES recipes, since this is
incorrect (this is already handled by bitbake in the taskgraph, and
doesn't need to be manually removed).

V3: Fixes a bug where meta-world-recipe-sbom was reporting a circular
dependency. meta-world-recipe-sbom also no longer runs in world builds,
as there's no reason to do this. Finally, fixes a bug where
NO_GENERIC_LICENSE files would fail to be found in do_create_spdx
(because do_unpack was not run).

V4: Fixes test cases. Adds SPDX_PACKAGE_INCLUDE_VEX to control if VEX
information is linked to binary packages, or just recipes. Defaults to
"0" to significantly reduce the size of the SPDX output.

Joshua Watt (9):
  llvm-project-source: Use allarch.bbclass
  gcc-source: Use allarch.bbclass
  spdx3: Add recipe SPDX data
  spdx3: Add recipe SBoM task
  spdx3: Add is-native property
  spdx30: Include patch file information in VEX
  spdx: De-duplicate CreationInfo
  spdx_common: Check for dependent task in task flags
  spdx30: Skip install package CVE information

 meta/classes-global/sstate.bbclass            |   4 +-
 .../create-spdx-image-3.0.bbclass             |   4 +-
 .../create-spdx-sdk-3.0.bbclass               |   4 +-
 meta/classes-recipe/kernel.bbclass            |   2 +-
 meta/classes-recipe/nospdx.bbclass            |   1 +
 meta/classes/create-spdx-2.2.bbclass          |  12 +-
 meta/classes/create-spdx-3.0.bbclass          |  92 +++-
 meta/classes/spdx-common.bbclass              |  22 +-
 meta/conf/distro/include/maintainers.inc      |   1 +
 meta/lib/oe/sbom30.py                         | 192 ++++---
 meta/lib/oe/spdx30.py                         |   2 +-
 meta/lib/oe/spdx30_tasks.py                   | 488 +++++++++++++-----
 meta/lib/oe/spdx_common.py                    |  11 +
 meta/lib/oeqa/selftest/cases/spdx.py          |  41 +-
 .../meta/meta-world-recipe-sbom.bb            |  29 ++
 .../clang/llvm-project-source.inc             |   8 +-
 meta/recipes-devtools/gcc/gcc-source.inc      |  16 +-
 17 files changed, 669 insertions(+), 260 deletions(-)
 create mode 100644 meta/recipes-core/meta/meta-world-recipe-sbom.bb
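The series makes per-recipe VEX statements available in the SPDX 3 output so that SPDX 3 can stand in for cve_check.bbclass. The script below is an added example of consuming that data from one SPDX 3 JSON-LD file; it is not code from the patch series or from oe-core. It assumes SPDX 3.0.1 element and property names (software_Package, security_Vulnerability, the security_Vex*VulnAssessmentRelationship types, externalIdentifier, from/to) and assumes that the build links each VEX relationship from a security_Vulnerability element to the recipe package. The embedded sample document, its spdxIds and its CVE identifiers are constructed placeholders, not build output.

```python
"""Per-recipe VEX summary from an SPDX 3 JSON-LD document (added example)."""
import json
import sys
from collections import defaultdict

# VEX relationship element type -> status label. The type names are the
# SPDX 3.0.1 JSON-LD names; that the build emits exactly these is assumed.
VEX_STATUS = {
    "security_VexAffectedVulnAssessmentRelationship": "affected",
    "security_VexNotAffectedVulnAssessmentRelationship": "not_affected",
    "security_VexFixedVulnAssessmentRelationship": "fixed",
    "security_VexUnderInvestigationVulnAssessmentRelationship": "under_investigation",
}

# Constructed sample (not real build output): one recipe package, one binary
# package that has no VEX linked (as with SPDX_PACKAGE_INCLUDE_VEX = "0"),
# placeholder CVE ids, and one statement whose target is not in this file.
SAMPLE_DOC = {
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:recipe/zlib",
         "name": "recipe-zlib", "software_packageVersion": "1.3.1"},
        {"type": "software_Package", "spdxId": "urn:example:package/zlib",
         "name": "zlib", "software_packageVersion": "1.3.1"},
        {"type": "security_Vulnerability", "spdxId": "urn:example:vuln/1",
         "externalIdentifier": [{"type": "ExternalIdentifier",
                                 "externalIdentifierType": "cve",
                                 "identifier": "CVE-1999-0001"}]},
        {"type": "security_Vulnerability", "spdxId": "urn:example:vuln/2",
         "externalIdentifier": [{"type": "ExternalIdentifier",
                                 "externalIdentifierType": "cve",
                                 "identifier": "CVE-1999-0002"}]},
        {"type": "security_VexFixedVulnAssessmentRelationship",
         "spdxId": "urn:example:vex/1", "relationshipType": "fixedIn",
         "from": "urn:example:vuln/1", "to": ["urn:example:recipe/zlib"]},
        {"type": "security_VexNotAffectedVulnAssessmentRelationship",
         "spdxId": "urn:example:vex/2", "relationshipType": "doesNotAffect",
         "from": "urn:example:vuln/2", "to": ["urn:example:recipe/zlib"],
         "security_justificationType": "vulnerableCodeNotPresent"},
        {"type": "security_VexAffectedVulnAssessmentRelationship",
         "spdxId": "urn:example:vex/3", "relationshipType": "affects",
         "from": "urn:example:vuln/2", "to": ["urn:example:recipe/missing"]},
    ],
}


def index_graph(doc):
    """Map spdxId -> element for every element in the @graph."""
    return {el["spdxId"]: el for el in doc.get("@graph", []) if "spdxId" in el}


def cve_ids(vuln):
    """CVE identifiers attached to a security_Vulnerability element."""
    return sorted(ext["identifier"] for ext in vuln.get("externalIdentifier", [])
                  if ext.get("externalIdentifierType") == "cve")


def vex_statements(doc):
    """Yield (target spdxId, CVE, status) for every VEX relationship."""
    by_id = index_graph(doc)
    for el in doc.get("@graph", []):
        status = VEX_STATUS.get(el.get("type"))
        if status is None:
            continue
        vuln = by_id.get(el.get("from"))
        if vuln is None or vuln.get("type") != "security_Vulnerability":
            continue  # dangling 'from': skip rather than guess a CVE
        targets = el.get("to", [])
        for target in (targets if isinstance(targets, list) else [targets]):
            for cve in cve_ids(vuln):
                yield target, cve, status


def vex_summary(doc):
    """{package name: {CVE: status}} for packages that have VEX statements."""
    by_id = index_graph(doc)
    summary = defaultdict(dict)
    for target, cve, status in vex_statements(doc):
        pkg = by_id.get(target)
        if pkg is not None:
            summary[pkg.get("name", target)][cve] = status
    return dict(summary)


def unresolved_targets(doc):
    """spdxIds named in a VEX 'to' that this document does not define."""
    by_id = index_graph(doc)
    return sorted({t for t, _, _ in vex_statements(doc) if t not in by_id})


def packages_without_vex(doc):
    """Names of software_Package elements with no VEX statement at all."""
    covered = {t for t, _, _ in vex_statements(doc)}
    return sorted(el["name"] for el in doc.get("@graph", [])
                  if el.get("type") == "software_Package" and el["spdxId"] not in covered)


def affected_cves(doc):
    """Open findings only: (package, CVE) pairs whose last status is 'affected'."""
    return sorted((pkg, cve) for pkg, cves in vex_summary(doc).items()
                  for cve, status in cves.items() if status == "affected")


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DOC
    for pkg, cves in sorted(vex_summary(doc).items()):
        for cve, status in sorted(cves.items()):
            print(f"{pkg}\t{cve}\t{status}")
    print("unresolved targets:", unresolved_targets(doc))
    print("packages without VEX:", packages_without_vex(doc))
```

Two checks matter before treating the summary as a cve_check replacement: `unresolved_targets()` must be empty, because a statement whose target lives in another SPDX file is silently dropped from `vex_summary()` and therefore from `affected_cves()` (the sample shows exactly that: its one "affected" statement points at an element the file does not define), and `packages_without_vex()` shows which packages carry no statements at all, which with the default of SPDX_PACKAGE_INCLUDE_VEX = "0" is expected for binary packages and is not a sign that they are clean.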

Comments

Antonin Godard March 3, 2026, 10:17 a.m. UTC | #1
Hi,

On Tue Mar 3, 2026 at 1:43 AM CET, Joshua Watt via lists.openembedded.org wrote:
> Changes the SPDX 3 output to include a "recipe" package that describes
> static information available at parse time (without building). This is
> primarily useful for gathering SPDX 3 VEX information about some or all
> recipes, enabling SPDX 3 to be used in place of cve_check.bbclass and
> vex.bbclass.

Once merged, would it be possible to submit a docs patch to document the new
variables in the variable glossary, and possibly update
documentation/dev-manual/sbom.rst to document this new feature?

Also, looking at the last patch, the CVE information removal seems worthy of a
migration note in documentation/migration-guides/migration-6.0.rst?

Antonin
Mathieu Dubois-Briand March 3, 2026, 2:08 p.m. UTC | #2
On Tue Mar 3, 2026 at 1:43 AM CET, Joshua Watt via lists.openembedded.org wrote:
> Changes the SPDX 3 output to include a "recipe" package that describes
> static information available at parse time (without building). This is
> primarily useful for gathering SPDX 3 VEX information about some or all
> recipes, enabling SPDX 3 to be used in place of cve_check.bbclass and
> vex.bbclass.
>
> Special thanks to Benjamin Robin <benjamin.robin@bootlin.com> for
> helping work through this.
>
> V2: Fixes a bug where do_populate_sysroot was running when it should not
> be. Drops the patch to ignore ASSUME_PROVIDES recipes, since this is
> incorrect (this is already handled by bitbake in the taskgraph, and
> doesn't need to be manually removed).
>
> V3: Fixes a bug where meta-world-recipe-sbom was reporting a circular
> dependency. meta-world-recipe-sbom also no longer runs in world builds,
> as there's no reason to do this. Finally, fixes a bug where
> NO_GENERIC_LICENSE files would fail to be found in do_create_spdx
> (because do_unpack was not run).
>
> V4: Fixes test cases. Adds SPDX_PACKAGE_INCLUDE_VEX to control if VEX
> information is linked to binary packages, or just recipes. Defaults to
> "0" to significantly reduce the size of the SPDX output.
>
> Joshua Watt (9):
>   llvm-project-source: Use allarch.bbclass
>   gcc-source: Use allarch.bbclass
>   spdx3: Add recipe SPDX data
>   spdx3: Add recipe SBoM task
>   spdx3: Add is-native property
>   spdx30: Include patch file information in VEX
>   spdx: De-duplicate CreationInfo
>   spdx_common: Check for dependent task in task flags
>   spdx30: Skip install package CVE information
>
>  meta/classes-global/sstate.bbclass            |   4 +-
>  .../create-spdx-image-3.0.bbclass             |   4 +-
>  .../create-spdx-sdk-3.0.bbclass               |   4 +-
>  meta/classes-recipe/kernel.bbclass            |   2 +-
>  meta/classes-recipe/nospdx.bbclass            |   1 +
>  meta/classes/create-spdx-2.2.bbclass          |  12 +-
>  meta/classes/create-spdx-3.0.bbclass          |  92 +++-
>  meta/classes/spdx-common.bbclass              |  22 +-
>  meta/conf/distro/include/maintainers.inc      |   1 +
>  meta/lib/oe/sbom30.py                         | 192 ++++---
>  meta/lib/oe/spdx30.py                         |   2 +-
>  meta/lib/oe/spdx30_tasks.py                   | 488 +++++++++++++-----
>  meta/lib/oe/spdx_common.py                    |  11 +
>  meta/lib/oeqa/selftest/cases/spdx.py          |  41 +-
>  .../meta/meta-world-recipe-sbom.bb            |  29 ++
>  .../clang/llvm-project-source.inc             |   8 +-
>  meta/recipes-devtools/gcc/gcc-source.inc      |  16 +-
>  17 files changed, 669 insertions(+), 260 deletions(-)
>  create mode 100644 meta/recipes-core/meta/meta-world-recipe-sbom.bb

Hi Joshua,

Thanks for the new version, but it looks like one of the two errors is
still present on several builds:

ERROR: nativesdk-sdk-provides-dummy-1.0-r0 do_create_spdx: Could not find a static SPDX document named static-nativesdk-sdk-provides-dummy

https://autobuilder.yoctoproject.org/valkyrie/#/builders/16/builds/3310
https://autobuilder.yoctoproject.org/valkyrie/#/builders/30/builds/3262
https://autobuilder.yoctoproject.org/valkyrie/#/builders/36/builds/3282
https://autobuilder.yoctoproject.org/valkyrie/#/builders/40/builds/3267
...

Can you have a look at these?

Thanks,
Mathieu