| Message ID | 20260321131826.1401671-1-stondo@gmail.com |
|---|---|
| Series | SPDX 3.0 SBOM enrichment and compliance improvements |
On Sat Mar 21, 2026 at 2:18 PM CET, Stefano Tondo via lists.openembedded.org wrote:
> From: Stefano Tondo <stefano.tondo.ext@siemens.com>
>
> This series enhances SPDX 3.0 SBOM generation with enriched
> metadata and compliance-oriented controls for current master.
>
> Compared with v10, this series has been rebased on top of current
> master after Joshua's related changes landed upstream. The merged or
> superseded pieces have been dropped, leaving the four still-relevant
> patches below.
>
> Changes since v10:
>
> - Rebased onto current master.
> - Dropped patches now merged or superseded upstream.
> - Restored the current recipe/build SPDX task split after rebase.
> - Updated the remaining selftests to use the current builds/ output
>   paths.
> - Revalidated the source-download enrichment tests requested by
>   Richard Purdie and Mathieu Dubois-Briand.
>
> Validated with:
>
>   oe-selftest -r \
>     spdx.SPDX30Check.test_packageconfig_spdx \
>     spdx.SPDX30Check.test_download_location_defensive_handling \
>     spdx.SPDX30Check.test_version_extraction_patterns
>
> Stefano Tondo (4):

Hi Stefano,

Thanks for the new version.

I believe a call to collect_package_providers() was not modified to add the second argument:

NOTE: recipe core-image-full-cmdline-1.0-r0: task do_create_rootfs_spdx: Started
ERROR: core-image-full-cmdline-1.0-r0 do_create_rootfs_spdx: Error executing a python function in exec_func_python() autogenerated:

The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
     0001:
 *** 0002:do_create_rootfs_spdx(d)
...
File: '/srv/pokybuild/yocto-worker/musl-qemux86-64/build/layers/openembedded-core/meta/lib/oe/spdx30_tasks.py', lineno: 1300, function: collect_build_package_inputs
     1296:
     1297:def collect_build_package_inputs(d, objset, build, packages, files_by_hash=None):
     1298:    import oe.sbom30
     1299:
 *** 1300:    providers = oe.spdx_common.collect_package_providers(d)
     1301:
     1302:    build_deps = set()
     1303:    missing_providers = set()
     1304:
Exception: TypeError: collect_package_providers() missing 1 required positional argument: 'direct_deps'

https://autobuilder.yoctoproject.org/valkyrie/#/builders/3/builds/3489

Also, we have a warning about tabs in cpan.bbclass:

WARNING: python should use 4 spaces indentation, but found tabs in cpan.bbclass, line 73
WARNING: python should use 4 spaces indentation, but found tabs in cpan.bbclass, line 74
WARNING: python should use 4 spaces indentation, but found tabs in cpan.bbclass, line 75
WARNING: python should use 4 spaces indentation, but found tabs in cpan.bbclass, line 76
WARNING: python should use 4 spaces indentation, but found tabs in cpan.bbclass, line 77
WARNING: python should use 4 spaces indentation, but found tabs in cpan.bbclass, line 78

(same log file)

This file already had mixed tabs and spaces, so I'm not sure why this is different.

Can you have a look at it?

Thanks,
Mathieu

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

This series enhances SPDX 3.0 SBOM generation with enriched
metadata and compliance-oriented controls for current master.

Compared with v10, this series has been rebased on top of current
master after Joshua's related changes landed upstream. The merged or
superseded pieces have been dropped, leaving the four still-relevant
patches below.

Changes since v10:

- Rebased onto current master.
- Dropped patches now merged or superseded upstream.
- Restored the current recipe/build SPDX task split after rebase.
- Updated the remaining selftests to use the current builds/ output
  paths.
- Revalidated the source-download enrichment tests requested by
  Richard Purdie and Mathieu Dubois-Briand.

Validated with:

  oe-selftest -r \
    spdx.SPDX30Check.test_packageconfig_spdx \
    spdx.SPDX30Check.test_download_location_defensive_handling \
    spdx.SPDX30Check.test_version_extraction_patterns

Stefano Tondo (4):
  spdx30: Add configurable file exclusion pattern support
  spdx30: Add supplier support for image and SDK SBOMs
  spdx30: Enrich source downloads with version and PURL
  oeqa/selftest: Add tests for source download enrichment

 meta/classes-recipe/cargo_common.bbclass |   3 +
 meta/classes-recipe/cpan.bbclass         |  11 +
 meta/classes-recipe/go-mod.bbclass       |   6 +
 meta/classes-recipe/npm.bbclass          |   7 +
 meta/classes-recipe/pypi.bbclass         |   6 +-
 meta/classes/create-spdx-3.0.bbclass     |  17 ++
 meta/classes/spdx-common.bbclass         |   7 +
 meta/lib/oe/spdx30_tasks.py              | 279 +++++++++++++++++------
 meta/lib/oeqa/selftest/cases/spdx.py     | 104 +++++++--
 9 files changed, 345 insertions(+), 95 deletions(-)