[v12,0/4] SPDX 3.0 SBOM enrichment and compliance improvements

Message ID	20260323130350.1177721-1-stefano.tondo.ext@siemens.com
Headers	show Return-Path: <stondo@gmail.com> ip: 209.85.128.53, mailfrom: stondo@gmail.com) From: Stefano Tondo <stondo@gmail.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com Subject: [OE-core][PATCH v12 0/4] SPDX 3.0 SBOM enrichment and compliance improvements Date: Mon, 23 Mar 2026 14:03:46 +0100 Message-ID: <20260323130350.1177721-1-stefano.tondo.ext@siemens.com> In-Reply-To: <20260321131826.1401671-1-stondo@gmail.com> References: <20260321131826.1401671-1-stondo@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	SPDX 3.0 SBOM enrichment and compliance improvements \| expand [v12,0/4] SPDX 3.0 SBOM enrichment and compliance improvements [v12,1/4] spdx30: Add configurable file exclusion pattern support [v12,2/4] spdx30: Add supplier support for image and SDK SBOMs [v12,3/4] spdx30: Enrich source downloads with version and PURL [v12,4/4] oeqa/selftest: Add tests for source download enrichment

Message ID

20260323130350.1177721-1-stefano.tondo.ext@siemens.com

Headers

From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: richard.purdie@linuxfoundation.org,
	Ross.Burton@arm.com,
	jpewhacker@gmail.com,
	stefano.tondo.ext@siemens.com,
	Peter.Marko@siemens.com,
	adrian.freihofer@siemens.com,
	mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v12 0/4] SPDX 3.0 SBOM enrichment and compliance
 improvements
Date: Mon, 23 Mar 2026 14:03:46 +0100
Message-ID: <20260323130350.1177721-1-stefano.tondo.ext@siemens.com>
In-Reply-To: <20260321131826.1401671-1-stondo@gmail.com>
References: <20260321131826.1401671-1-stondo@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

SPDX 3.0 SBOM enrichment and compliance improvements | expand

Message

Stefano Tondo March 23, 2026, 1:03 p.m. UTC

This series enhances SPDX 3.0 SBOM generation with enriched
metadata and compliance-oriented controls for current master.

Compared with v11, this reroll fixes the follow-up issues reported in
review while keeping the series content otherwise unchanged.

Changes since v11:

  - Fixed the rebased collect_build_package_inputs() provider lookup to
    pass direct_deps to collect_package_providers().
  - Converted the new cpan.bbclass Python helper to 4-space indentation
    to avoid parser warnings.

Validated with:

  oe-selftest -r \
    spdx.SPDX30Check.test_packageconfig_spdx \
    spdx.SPDX30Check.test_download_location_defensive_handling \
    spdx.SPDX30Check.test_version_extraction_patterns

Stefano Tondo (4):
  spdx30: Add configurable file exclusion pattern support
  spdx30: Add supplier support for image and SDK SBOMs
  spdx30: Enrich source downloads with version and PURL
  oeqa/selftest: Add tests for source download enrichment

 meta/classes-recipe/cargo_common.bbclass |   3 +
 meta/classes-recipe/cpan.bbclass         |  11 +
 meta/classes-recipe/go-mod.bbclass       |   6 +
 meta/classes-recipe/npm.bbclass          |   7 +
 meta/classes-recipe/pypi.bbclass         |   6 +-
 meta/classes/create-spdx-3.0.bbclass     |  17 ++
 meta/classes/spdx-common.bbclass         |   7 +
 meta/lib/oe/spdx30_tasks.py              | 278 +++++++++++++++++------
 meta/lib/oeqa/selftest/cases/spdx.py     | 104 +++++++--
 9 files changed, 345 insertions(+), 94 deletions(-)