@@ -117,6 +117,11 @@ SPDX_PACKAGE_VERSION ??= "${PV}"
SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
in software_Package"
+SPDX_PACKAGE_URL ??= ""
+SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \
+the package URL string (in accordance with the Package URL specification) for \
+a software Package."
+
IMAGE_CLASSES:append = " create-spdx-image-3.0"
SDK_CLASSES += "create-spdx-sdk-3.0"
@@ -631,6 +631,14 @@ def create_spdx(d):
set_var_field("SUMMARY", spdx_package, "summary", package=package)
set_var_field("DESCRIPTION", spdx_package, "description", package=package)
+ if d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL"):
+ set_var_field(
+ "SPDX_PACKAGE_URL",
+ spdx_package,
+ "software_packageUrl",
+ package=package
+ )
+
pkg_objset.new_scoped_relationship(
[oe.sbom30.get_element_link_id(build)],
oe.spdx30.RelationshipType.hasOutput,
Define var-SPDX_PACKAGE_URL to provide software_packageUrl field [1][2] in SPDX 3.0 SBOM, support to override with package name SPDX_PACKAGE_URL:<pkgname> Currently, the format of purl is not defined in Yocto, set empty for now until we have a comprehensive plan for what Yocto purls look like. But users could customize their own purl by setting var-SPDX_PACKAGE_URL [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/ [2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- meta/classes/create-spdx-3.0.bbclass | 5 +++++ meta/lib/oe/spdx30_tasks.py | 8 ++++++++ 2 files changed, 13 insertions(+)