[v9,0/7] SPDX 3.0 SBOM enrichment and compliance improvements

Message ID 20260312153845.164369-1-stondo@gmail.com

Stefano Tondo March 12, 2026, 3:38 p.m. UTC
From: Stefano Tondo <stefano.tondo.ext@siemens.com>

This series enhances SPDX 3.0 SBOM generation with enriched
metadata, ecosystem-specific Package URLs, and compliance
improvements.

Changes since v8 (addressing Joshua Watt's review):

  1/7: File exclusion now uses re.compile() for proper regex
       matching instead of substring matching. Excluded files
       are tracked in a set() returned from add_package_files()
       and passed to get_package_sources_from_debug() for
       precise cross-checking.

  2/7: Unchanged (Reviewed-by added).

  3/7: Fixed npm_spdx_name() to use bpn[5:] instead of bpn[4:]
       since "node-" is 5 characters.

  4/7: Dropped PV fallback for non-Git source versions since
       the recipe version does not necessarily match individual
       downloaded file versions. Ecosystem PURLs (which include
       version) from SPDX_PACKAGE_URLS are still used.

  5/7: Renamed recipe-m4/recipe-tar to build-m4/build-tar in
       tests to align with upstream rename.

  6/7: Unchanged (Reviewed-by added).

  7/7: Unchanged (Reviewed-by added).

Stefano Tondo (7):
  spdx30: Add configurable file exclusion pattern support
  spdx30: Add supplier support for image and SDK SBOMs
  spdx30: Add ecosystem-specific PURL generation via bbclasses
  spdx30: Enrich source downloads with version and PURL
  oeqa/selftest: Add tests for source download enrichment
  cve_check: Escape special characters in CPE 2.3 strings
  spdx-common: Add documentation for undocumented SPDX variables

 meta/classes-recipe/cargo_common.bbclass |   3 +
 meta/classes-recipe/cpan.bbclass         |  11 ++
 meta/classes-recipe/go-mod.bbclass       |   3 +
 meta/classes-recipe/npm.bbclass          |   7 +
 meta/classes-recipe/pypi.bbclass         |   3 +
 meta/classes/create-spdx-3.0.bbclass     |  17 +++
 meta/classes/spdx-common.bbclass         |  33 +++++
 meta/lib/oe/cve_check.py                 |  38 ++++-
 meta/lib/oe/spdx30_tasks.py              | 175 +++++++++++++++++++++--
 meta/lib/oeqa/selftest/cases/spdx.py     |  71 ++++++++-
 10 files changed, 351 insertions(+), 10 deletions(-)
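Two of the changes described in this cover letter, shown as an added illustration rather than code from the series itself (the exact matching rules and function signatures in meta/lib/oe/cve_check.py and meta/lib/oe/spdx30_tasks.py are not on this page): a compiled-regex file filter that returns the excluded set (1/7), and escaping of special characters in cpe:2.3 strings (6/7) following the NISTIR 7695 formatted-string binding, where every printable non-alphanumeric character other than `.`, `-` and `_` is preceded by a backslash. The sample paths, vendor, product and version strings are constructed, and `partition_files`, `escape_cpe23_component`, `build_cpe23` and `split_cpe23` are names chosen for this example.

```python
import re

# Added illustration, not code from the patch series. It shows the two
# behaviours the cover letter describes: regex-based file exclusion that
# returns the excluded set, and cpe:2.3 escaping of special characters.


def partition_files(paths, exclude_pattern):
    """Split paths into (included_list, excluded_set) using a compiled regex.

    Assumption of this example: the pattern is applied with re.search(), so
    callers anchor it (e.g. r'\\.a$') to match only the filename suffix.
    """
    matcher = re.compile(exclude_pattern)
    included, excluded = [], set()
    for path in paths:
        if matcher.search(path):
            excluded.add(path)
        else:
            included.append(path)
    return included, excluded


def partition_files_substring(paths, needle):
    """Plain substring matching, kept here only to show why it over-matches."""
    included, excluded = [], set()
    for path in paths:
        if needle in path:
            excluded.add(path)
        else:
            included.append(path)
    return included, excluded


# Characters allowed unescaped in a cpe:2.3 attribute value (NISTIR 7695,
# formatted-string binding): letters, digits, '_', '-' and '.'.
_UNRESERVED = re.compile(r"[A-Za-z0-9_.\-]")


def escape_cpe23_component(value):
    """Escape one attribute value for use inside a cpe:2.3 string.

    A value that is exactly '*' (ANY) or '-' (NA) is a logical value and is
    written verbatim. Everything else is treated as a literal, so '*' and
    '?' inside a real version string are escaped like any other special
    character, and ':' is escaped so it cannot act as a field separator.
    """
    if value in ("*", "-"):
        return value
    out = []
    for ch in value:
        if _UNRESERVED.match(ch):
            out.append(ch)
        else:
            out.append("\\" + ch)  # e.g. ':' -> '\:', '+' -> '\+', '\' -> '\\'
    return "".join(out)


def build_cpe23(part, vendor, product, version, update="*", edition="*",
                language="*", sw_edition="*", target_sw="*", target_hw="*",
                other="*"):
    """Assemble the 13-field cpe:2.3 string with every component escaped."""
    fields = [part, vendor, product, version, update, edition, language,
              sw_edition, target_sw, target_hw, other]
    return "cpe:2.3:" + ":".join(escape_cpe23_component(f) for f in fields)


def split_cpe23(cpe):
    """Split a cpe:2.3 string on unescaped colons, keeping escapes intact."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current.append(cpe[i:i + 2])  # escaped character stays as a pair
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def is_well_formed_cpe23(cpe):
    """True when the string has the cpe:2.3 prefix and exactly 13 fields."""
    fields = split_cpe23(cpe)
    return fields[:2] == ["cpe", "2.3"] and len(fields) == 13


# Constructed sample inputs for the stand-alone run.
SAMPLE_FILES = [
    "/usr/lib/libfoo.a",
    "/usr/lib/libfoo.so.1",
    "/usr/bin/foo.app",
    "/usr/share/doc/README",
]

if __name__ == "__main__":
    _, by_substring = partition_files_substring(SAMPLE_FILES, ".a")
    _, by_regex = partition_files(SAMPLE_FILES, r"\.a$")
    print("substring '.a' excludes:", sorted(by_substring))
    print(r"regex '\.a$' excludes:  ", sorted(by_regex))
    # An epoch-style version with a colon shifts every later field when the
    # string is built without escaping; the escaped form keeps 13 fields.
    naive = "cpe:2.3:a:acme:widget:" + ":".join(["1:2.34"] + ["*"] * 7)
    escaped = build_cpe23("a", "acme", "widget", "1:2.34")
    print(naive, "-> fields:", len(split_cpe23(naive)))
    print(escaped, "-> fields:", len(split_cpe23(escaped)))
```

The two halves share the same defensive idea: a match has to mean what the SBOM or CVE consumer will later assume it means. A substring filter for `.a` silently drops `foo.app` from the SBOM, and an unescaped `:` or `+` in a version shifts or corrupts the CPE fields that `cve_check` compares against the NVD feed, so the package either matches the wrong CPE or nothing at all.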