| Message ID | 20260324132958.2316491-1-stondo@gmail.com |
|---|---|
| Series | SPDX 3.0 SBOM enrichment and compliance improvements |
This series enhances Yocto's SPDX 3.0 output with ecosystem-specific Package URLs, Git source version tracking, and configurable SBOM generation improvements.

Changes since v14 (addressing Joshua's review of v14 patches 3/4 and 4/4):

- Split the monolithic "Enrich source downloads" patch into two focused patches: ecosystem PURLs (patch 3, bbclass-only) and Git download enrichment (patch 4, spdx30_tasks.py additions-only)
- Removed ALL extraneous changes: formatting, comment removals, blank-line deletions, variable removals, and off-topic refactors
- Fixed go-mod.bbclass duplicate SPDX_PACKAGE_URLS line
- Reverted pypi.bbclass UPSTREAM_CHECK_PYPI_PACKAGE change
- Removed the else-branch that copied recipe ecosystem PURLs to non-git download files (per Joshua's feedback)
- Reverted do_create_spdx -> do_create_package_spdx change in collect_build_package_inputs
- Reverted bb.note -> bb.fatal for missing SPDX providers
- Restored all removed TODO comments and blank lines
- Patches 2-5 are now strictly additions-only (0 deletions)
- Tests unchanged (additions-only, all 12 master tests preserved)

Stefano Tondo (5):

- spdx30: Add configurable file exclusion pattern support
- spdx30: Add supplier support for image and SDK SBOMs
- spdx30: Add ecosystem PURLs for recipe classes
- spdx30: Add Git version and PURL to source downloads
- oeqa/selftest: Add tests for source download enrichment

```
 meta/classes-recipe/cargo_common.bbclass |   3 +
 meta/classes-recipe/cpan.bbclass         |  11 ++
 meta/classes-recipe/go-mod.bbclass       |   3 +
 meta/classes-recipe/npm.bbclass          |   7 +
 meta/classes-recipe/pypi.bbclass         |   3 +
 meta/classes/create-spdx-3.0.bbclass     |  17 ++
 meta/classes/spdx-common.bbclass         |   7 +
 meta/lib/oe/spdx30_tasks.py              | 202 ++++++++++++++++++++---
 meta/lib/oeqa/selftest/cases/spdx.py     |  76 +++++++++
 9 files changed, 302 insertions(+), 27 deletions(-)
```
From: Stefano Tondo <stefano.tondo.ext@siemens.com>

This series enhances SPDX 3.0 SBOM generation with enriched metadata and compliance-oriented controls for current master.

Changes since v13:

- Fixed patch 4/4: reverted incorrect modifications to existing SPDX selftests that broke test_custom_annotation_vars, test_gcc_include_source, and test_kernel_config_spdx on the autobuilder (wrong SPDX output paths and task names). Patch 4 now only appends two new test methods without touching any existing upstream tests.
- Patches 1-3 are unchanged from v13.

Validated with:

```
oe-selftest -r \
    spdx.SPDX30Check.test_download_location_defensive_handling \
    spdx.SPDX30Check.test_version_extraction_patterns
```

Stefano Tondo (4):

- spdx30: Add configurable file exclusion pattern support
- spdx30: Add supplier support for image and SDK SBOMs
- spdx30: Enrich source downloads with version and PURL
- oeqa/selftest: Add tests for source download enrichment

```
 meta/classes-recipe/cargo_common.bbclass |   3 +
 meta/classes-recipe/cpan.bbclass         |  11 +
 meta/classes-recipe/go-mod.bbclass       |   6 +
 meta/classes-recipe/npm.bbclass          |   7 +
 meta/classes-recipe/pypi.bbclass         |   6 +-
 meta/classes/create-spdx-3.0.bbclass     |  17 ++
 meta/classes/spdx-common.bbclass         |   7 +
 meta/lib/oe/spdx30_tasks.py              | 278 +++++++++++++++++------
 meta/lib/oeqa/selftest/cases/spdx.py     |  76 +++++++
 9 files changed, 338 insertions(+), 73 deletions(-)
```