
spdx30: Link license and build by alias

Message ID 20241007162415.3907396-1-JPEWhacker@gmail.com
State New

Commit Message

Joshua Watt Oct. 7, 2024, 4:24 p.m. UTC
The license information and Build created by do_create_spdx are changed
to be referenced by their link alias instead of the actual SPDX ID. This
fixes a case where do_create_package_spdx would pull these from
mismatching sstate, and then the SPDX IDs would be unresolved when
assembling the final document.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/sbom30.py       | 43 +++++++++++++++++++++----------------
 meta/lib/oe/spdx30_tasks.py | 10 ++++++---
 2 files changed, 31 insertions(+), 22 deletions(-)

Patch

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 7b4f78cc718..27ab5e45ac1 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -305,24 +305,7 @@  class ObjectSet(oe.spdx30.SHACLObjectSet):
 
     def add_aliases(self):
         for o in self.foreach_type(oe.spdx30.Element):
-            if not o._id or o._id.startswith("_:"):
-                continue
-
-            alias_ext = get_alias(o)
-            if alias_ext is None:
-                unihash = self.d.getVar("BB_UNIHASH")
-                namespace = self.get_namespace()
-                if unihash not in o._id:
-                    bb.warn(f"Unihash {unihash} not found in {o._id}")
-                elif namespace not in o._id:
-                    bb.warn(f"Namespace {namespace} not found in {o._id}")
-                else:
-                    alias_ext = set_alias(
-                        o,
-                        o._id.replace(unihash, "UNIHASH").replace(
-                            namespace, self.d.getVar("PN")
-                        ),
-                    )
+            self.set_element_alias(o)
 
     def remove_internal_extensions(self):
         def remove(o):
@@ -345,6 +328,26 @@  class ObjectSet(oe.spdx30.SHACLObjectSet):
             str(uuid.uuid5(namespace_uuid, pn)),
         )
 
+    def set_element_alias(self, e):
+        if not e._id or e._id.startswith("_:"):
+            return
+
+        alias_ext = get_alias(e)
+        if alias_ext is None:
+            unihash = self.d.getVar("BB_UNIHASH")
+            namespace = self.get_namespace()
+            if unihash not in e._id:
+                bb.warn(f"Unihash {unihash} not found in {e._id}")
+            elif namespace not in e._id:
+                bb.warn(f"Namespace {namespace} not found in {e._id}")
+            else:
+                alias_ext = set_alias(
+                    e,
+                    e._id.replace(unihash, "UNIHASH").replace(
+                        namespace, self.d.getVar("PN")
+                    ),
+                )
+
     def new_spdxid(self, *suffix, include_unihash=True):
         items = [self.get_namespace()]
         if include_unihash:
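Review bot: In the new `set_element_alias`, both `bb.warn` branches leave the element without an alias and the caller gets no signal. The later spdx30_tasks.py hunks link through `oe.sbom30.get_element_link_id(build)` and `get_element_link_id(package_spdx_license)`, so they depend on whatever that helper falls back to. Its definition is not visible here, so please confirm that a missing alias cannot silently reintroduce the unresolved-ID case this commit fixes, since dangling references in the final SBOM weaken its traceability. The `alias_ext = set_alias(...)` binding is never read; either drop the assignment or end the method with `return alias_ext` so callers can check the result. A one-line docstring would also help, e.g. `"""Set a link alias on e derived from its SPDX ID, replacing the unihash and namespace; unset and "_:" IDs are skipped."""`.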
@@ -557,7 +560,9 @@  class ObjectSet(oe.spdx30.SHACLObjectSet):
             scope=scope,
         )
 
-    def new_license_expression(self, license_expression, license_data, license_text_map={}):
+    def new_license_expression(
+        self, license_expression, license_data, license_text_map={}
+    ):
         license_list_version = license_data["licenseListVersion"]
         # SPDX 3 requires that the license list version be a semver
         # MAJOR.MINOR.MICRO, but the actual license version might be
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index d0dd40877e2..e0b656d81f1 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -119,9 +119,11 @@  def add_license_expression(d, objset, license_expression, license_data):
     )
     spdx_license_expression = " ".join(convert(l) for l in lic_split)
 
-    return objset.new_license_expression(
+    o = objset.new_license_expression(
         spdx_license_expression, license_data, license_text_map
     )
+    objset.set_element_alias(o)
+    return o
 
 
 def add_package_files(
@@ -462,6 +464,8 @@  def create_spdx(d):
     build_objset = oe.sbom30.ObjectSet.new_objset(d, d.getVar("PN"))
 
     build = build_objset.new_task_build("recipe", "recipe")
+    build_objset.set_element_alias(build)
+
     build_objset.doc.rootElement.append(build)
 
     build_objset.set_is_native(is_native)
@@ -603,7 +607,7 @@  def create_spdx(d):
             set_var_field("DESCRIPTION", spdx_package, "description", package=package)
 
             pkg_objset.new_scoped_relationship(
-                [build._id],
+                [oe.sbom30.get_element_link_id(build)],
                 oe.spdx30.RelationshipType.hasOutput,
                 oe.spdx30.LifecycleScopeType.build,
                 [spdx_package],
@@ -650,7 +654,7 @@  def create_spdx(d):
             pkg_objset.new_relationship(
                 [spdx_package],
                 oe.spdx30.RelationshipType.hasConcludedLicense,
-                [package_spdx_license._id],
+                [oe.sbom30.get_element_link_id(package_spdx_license)],
             )
 
             # NOTE: CVE Elements live in the recipe collection