diff mbox series

[v2] spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM.

Message ID 20250423060951.1692070-1-haitao.mi@windriver.com
State New
Headers show
Series [v2] spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM. | expand

Commit Message

Haitao Mi April 23, 2025, 6:09 a.m. UTC 
A purl is composed with these fields:
scheme:type/namespace/name@version?qualifiers#subpath

Set 'namespace' field through SPDX_PURL_NAMESPACE variable, the default
value is ${DISTRO}.

Insert private project info into 'qualifiers' field through
PACKAGE_URL_QUALIFIERS_EXTEND variable, join the key=value format
with '&' symbol.

Set 'subpath' field through SPDX_PURL_SUBPATH variable, default is empty.

Signed-off-by: Haitao Mi <haitao.mi@windriver.com>
---
 meta/classes/create-spdx-3.0.bbclass |  9 +++++++++
 meta/lib/oe/spdx30_tasks.py          | 25 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
diff mbox series

Patch

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 044517d9f7..962e46e836 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -117,6 +117,14 @@  SPDX_PACKAGE_VERSION ??= "${PV}"
 SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
     in software_Package"
 
+SPDX_PURL_NAMESPACE ??= "${DISTRO}"
+SPDX_PURL_NAMESPACE[doc] = "The value of the 'namespace' field in software_packageUrl"
+
+SPDX_PURL_QUALIFIERS_EXTEND[doc] = "The project private info can be inserted into \
+    the 'qualifiers' field of software_packageUrl through this variable."
+
+SPDX_PURL_SUBPATH[doc] = "The value of the 'subpath' field in software_packageUrl"
+
 IMAGE_CLASSES:append = " create-spdx-image-3.0"
 SDK_CLASSES += "create-spdx-sdk-3.0"
 
@@ -144,6 +152,7 @@  do_create_spdx[vardeps] += "\
     SPDX_NAMESPACE_PREFIX \
     SPDX_UUID_NAMESPACE \
     "
+oe.spdx30_tasks.create_spdx[vardepsexclude] += " MACHINE "
 
 addtask do_create_spdx after \
     do_collect_spdx_deps \
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index ba965821f8..310638277e 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -631,6 +631,31 @@  def create_spdx(d):
             set_var_field("SUMMARY", spdx_package, "summary", package=package)
             set_var_field("DESCRIPTION", spdx_package, "description", package=package)
 
+            purl_qualifiers = "distro=%s-%s&arch=%s" % (d.getVar("DISTRO"), \
+                                                        d.getVar("DISTRO_VERSION"), \
+                                                        d.getVar("MACHINE"), \
+                                                        )
+            purl_qualifiers_extend = d.getVar("SPDX_PURL_QUALIFIERS_EXTEND")
+            if purl_qualifiers_extend:
+                purl_qualifiers += "&%s" % purl_qualifiers_extend
+
+            purl_type = d.getVar("IMAGE_PKGTYPE")
+            if purl_type == "ipk":
+                purl_type = "yocto"
+                purl_qualifiers = "file_extension=ipk&" + purl_qualifiers
+
+            purl_subpath = d.getVar("SPDX_PURL_SUBPATH")
+            purl_subpath = "#" + purl_subpath if purl_subpath else ""
+
+            purl = "pkg:%s/%s/%s@%s?%s%s" % (purl_type, \
+                                             d.getVar("SPDX_PURL_NAMESPACE"), \
+                                             pkg_name, \
+                                             d.getVar("EXTENDPKGV"), \
+                                             purl_qualifiers, \
+                                             purl_subpath \
+                                             )
+            setattr(spdx_package, "software_packageUrl", purl)
+
             pkg_objset.new_scoped_relationship(
                 [oe.sbom30.get_element_link_id(build)],
                 oe.spdx30.RelationshipType.hasOutput,