[0/5] Implement SPDX for deploy tasks

Message ID 20260609222331.1293007-1-JPEWhacker@gmail.com

Message

Joshua Watt June 9, 2026, 10:15 p.m. UTC
The SPDX use case for file system images has been well defined since SPDX
was first implemented; however, there has always been a desire to also
express SPDX output for other non-image deliverables (primarily, those
that have a do_deploy task or similar). These types of tasks cannot
easily use the traditional method of having a separate SPDX task that
runs to create their SPDX output as this causes lots of problems with
the way dependencies are specified. Instead, it is desirable for these
tasks to directly produce SPDX output that can be consumed by other
tasks that depend on them.

This patch series adds support for this. Any sstate task can now be
added to the SPDX_DEPLOY_TASKS list and it will run a postfunc to
generate SPDX output that describes what is being deployed. For
classical do_deploy tasks, this is set up to be easy by automatically
capturing all the deployed output files in the SPDX data, but other
tasks can be added as well.

Finally, the do_create_image_spdx task is removed and replaced with a
SPDX deploy postfunc using this new system. This means that any task
that depends on do_image_complete will automatically also get the SPDX
output for the image, simplifying the dependency handling.

Joshua Watt (5):
  classes/baremetal-image: Remove "do_" prefix from image manifest
  spdx: Reformat
  spdx: Add ability for deploy tasks to create SPDX
  Add SPDX deploy tasks
  spdx: Replace do_create_image_spdx with deploy task

 meta/classes-recipe/barebox.bbclass           |   3 +-
 meta/classes-recipe/baremetal-image.bbclass   |   2 +-
 .../create-spdx-image-3.0.bbclass             |  30 +-
 meta/classes-recipe/deploy.bbclass            |   1 +
 meta/classes-recipe/devicetree.bbclass        |   3 +-
 meta/classes-recipe/kernel-fit-image.bbclass  |   3 +-
 meta/classes-recipe/kernel.bbclass            |   3 +-
 meta/classes-recipe/nospdx.bbclass            |   2 +-
 meta/classes/create-spdx-3.0.bbclass          | 155 +++++++
 meta/classes/spdx-common.bbclass              |   2 +-
 meta/lib/oe/sbom30.py                         |  52 ++-
 meta/lib/oe/spdx30_tasks.py                   | 377 ++++++++++++++----
 meta/lib/oe/spdx_common.py                    |   2 +-
 meta/recipes-bsp/grub/grub-efi_2.14.bb        |   3 +-
 meta/recipes-bsp/opensbi/opensbi_1.8.1.bb     |   3 +-
 meta/recipes-bsp/u-boot/u-boot.inc            |   3 +-
 .../systemd/systemd-boot_259.5.bb             |   4 +-
 17 files changed, 509 insertions(+), 139 deletions(-)

Comments

Mathieu Dubois-Briand June 10, 2026, 1:17 p.m. UTC | #1
On Wed Jun 10, 2026 at 12:15 AM CEST, Joshua Watt via lists.openembedded.org wrote:
> The SPDX use case for file system images has been well defined since SPDX
> was first implemented; however, there has always been a desire to also
> express SPDX output for other non-image deliverables (primarily, those
> that have a do_deploy task or similar). These types of tasks cannot
> easily use the traditional method of having a separate SPDX task that
> runs to create their SPDX output as this causes lots of problems with
> the way dependencies are specified. Instead, it is desirable for these
> tasks to directly produce SPDX output that can be consumed by other
> tasks that depend on them.
>
> This patch series adds support for this. Any sstate task can now be
> added to the SPDX_DEPLOY_TASKS list and it will run a postfunc to
> generate SPDX output that describes what is being deployed. For
> classical do_deploy tasks, this is set up to be easy by automatically
> capturing all the deployed output files in the SPDX data, but other
> tasks can be added as well.
>
> Finally, the do_create_image_spdx task is removed and replaced with a
> SPDX deploy postfunc using this new system. This means that any task
> that depends on do_image_complete will automatically also get the SPDX
> output for the image, simplifying the dependency handling.
>
> Joshua Watt (5):

Hi Joshua,

Thanks for your series. I believe we are seeing both a new error and new
warnings because of it.


ERROR: grub-efi-2.14-r0 do_deploy_setscene: Recipe grub-efi is trying to install files into a shared area when those files already exist. The files and the manifests listing them are:
  /srv/pokybuild/yocto-worker/wic/build/build/tmp/deploy/spdx/3.0.1/core2-32/deploy/grub-efi-do_deploy-deploy.spdx.json
    (matched in manifest-qemux86-grub-efi.deploy)
  /srv/pokybuild/yocto-worker/wic/build/build/tmp/deploy/spdx/3.0.1/core2-32/by-task/grub-efi:do_deploy.spdx.json
    (matched in manifest-qemux86-grub-efi.deploy)
  /srv/pokybuild/yocto-worker/wic/build/build/tmp/deploy/spdx/3.0.1/core2-32/by-spdxid-hash/3c/3c29614c1a202bc0cc0a6f3dfd5b29235ea75ce5ee5bb0a847367bd8ce978004.spdx.json
    (matched in manifest-qemux86-grub-efi.deploy)
Please adjust the recipes so only one recipe provides a given file.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/15/builds/3852


WARNING: core-image-minimal-1.0-r0 do_create_deploy_sbom: The following SPDX IDs were unable to be resolved:
  http://spdxdocs.org/openembedded-alias/by-doc-hash/500473e510f927d1a990e932c4942f978ce9da778692ab840dec17ad0ece09a1/pigz-native/UNIHASH/build/recipe

https://autobuilder.yoctoproject.org/valkyrie/#/builders/15/builds/3852
https://autobuilder.yoctoproject.org/valkyrie/#/builders/10/builds/3887
https://autobuilder.yoctoproject.org/valkyrie/#/builders/65/builds/3874

Can you have a look at the issues?

Thanks,
Mathieu