| Message ID | 20250428055717.2358310-1-hongxu.jia@windriver.com |
|---|---|
| State | Accepted, archived |
| Commit | c8e6953a0b6f59ffca994c440069db39e60b12d2 |
| Series | [v3] spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM | expand |
Mechanically, this change seems fine. However, I do question what you are planning on putting into this field? PURL is pretty well formalized, and AFAICT there isn't really a good way to describe what we produce as a PURL. Can you provide some context on what you are planning on putting in this field? It might also be helpful to follow this discussion: https://github.com/package-url/purl-spec/pull/372 On Sun, Apr 27, 2025 at 11:57 PM Hongxu Jia <hongxu.jia@windriver.com> wrote: > > Define var-SPDX_PACKAGE_URL to provide software_packageUrl field [1][2] > in SPDX 3.0 SBOM, support to override with package name > SPDX_PACKAGE_URL:<pkgname> > > Currently, the format of purl is not defined in Yocto, set empty for now > until we have a comprehensive plan for what Yocto purls look like. > But users could customize their own purl by setting var-SPDX_PACKAGE_URL > > [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/ > [2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/ > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > meta/classes/create-spdx-3.0.bbclass | 5 +++++ > meta/lib/oe/spdx30_tasks.py | 8 ++++++++ > 2 files changed, 13 insertions(+) > > diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass > index 044517d9f72..c0a5436ad68 100644 > --- a/meta/classes/create-spdx-3.0.bbclass > +++ b/meta/classes/create-spdx-3.0.bbclass > @@ -117,6 +117,11 @@ SPDX_PACKAGE_VERSION ??= "${PV}" > SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \ > in software_Package" > > +SPDX_PACKAGE_URL ??= "" > +SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \ > +the package URL string (in accordance with the Package URL specification) for \ > +a software Package." > + > IMAGE_CLASSES:append = " create-spdx-image-3.0" > SDK_CLASSES += "create-spdx-sdk-3.0" 
> > diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index ba965821f86..61d7ba45e3e 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py > @@ -631,6 +631,14 @@ def create_spdx(d): > set_var_field("SUMMARY", spdx_package, "summary", package=package) > set_var_field("DESCRIPTION", spdx_package, "description", package=package) > > + if d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL"): > + set_var_field( > + "SPDX_PACKAGE_URL", > + spdx_package, > + "software_packageUrl", > + package=package > + ) > + > pkg_objset.new_scoped_relationship( > [oe.sbom30.get_element_link_id(build)], > oe.spdx30.RelationshipType.hasOutput, > -- > 2.34.1 >
On 5/1/25 23:03, Joshua Watt wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > Mechanically, this change seems fine. However, I do question what you > are planning on putting into this field? > > PURL is pretty well formalized, and AFAICT there isn't really a good > way to describe what we produce as a PURL. Can you provide some > context on what you are planning on putting in this field? We are planning to add rpm types [1] in original [V2 spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM] [2] [1] https://github.com/package-url/purl-spec/blob/main/PURL-TYPES.rst#rpm [2] https://lists.openembedded.org/g/openembedded-core/topic/112409837#msg215310 //Hongxu > It might also be helpful to follow this discussion: > https://github.com/package-url/purl-spec/pull/372 > > On Sun, Apr 27, 2025 at 11:57 PM Hongxu Jia <hongxu.jia@windriver.com> wrote: >> Define var-SPDX_PACKAGE_URL to provide software_packageUrl field [1][2] >> in SPDX 3.0 SBOM, support to override with package name >> SPDX_PACKAGE_URL:<pkgname> >> >> Currently, the format of purl is not defined in Yocto, set empty for now >> until we have a comprehensive plan for what Yocto purls look like. >> But users could customize their own purl by setting var-SPDX_PACKAGE_URL >> >> [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/ >> [2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/ >> >> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> >> --- >> meta/classes/create-spdx-3.0.bbclass | 5 +++++ >> meta/lib/oe/spdx30_tasks.py | 8 ++++++++ >> 2 files changed, 13 insertions(+) >> >> diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass >> index 044517d9f72..c0a5436ad68 100644 >> --- a/meta/classes/create-spdx-3.0.bbclass >> +++ b/meta/classes/create-spdx-3.0.bbclass 
>> @@ -117,6 +117,11 @@ SPDX_PACKAGE_VERSION ??= "${PV}" >> SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \ >> in software_Package" >> >> +SPDX_PACKAGE_URL ??= "" >> +SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \ >> +the package URL string (in accordance with the Package URL specification) for \ >> +a software Package." >> + >> IMAGE_CLASSES:append = " create-spdx-image-3.0" >> SDK_CLASSES += "create-spdx-sdk-3.0" >> >> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py >> index ba965821f86..61d7ba45e3e 100644 >> --- a/meta/lib/oe/spdx30_tasks.py >> +++ b/meta/lib/oe/spdx30_tasks.py >> @@ -631,6 +631,14 @@ def create_spdx(d): >> set_var_field("SUMMARY", spdx_package, "summary", package=package) >> set_var_field("DESCRIPTION", spdx_package, "description", package=package) >> >> + if d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL"): >> + set_var_field( >> + "SPDX_PACKAGE_URL", >> + spdx_package, >> + "software_packageUrl", >> + package=package >> + ) >> + >> pkg_objset.new_scoped_relationship( >> [oe.sbom30.get_element_link_id(build)], >> oe.spdx30.RelationshipType.hasOutput, >> -- >> 2.34.1 >>
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 044517d9f72..c0a5436ad68 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -117,6 +117,11 @@ SPDX_PACKAGE_VERSION ??= "${PV}"
 SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
 in software_Package"
 
+SPDX_PACKAGE_URL ??= ""
+SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \
+the package URL string (in accordance with the Package URL specification) for \
+a software Package."
+
 IMAGE_CLASSES:append = " create-spdx-image-3.0"
 SDK_CLASSES += "create-spdx-sdk-3.0"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index ba965821f86..61d7ba45e3e 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -631,6 +631,14 @@ def create_spdx(d):
 set_var_field("SUMMARY", spdx_package, "summary", package=package)
 set_var_field("DESCRIPTION", spdx_package, "description", package=package)
 
+ if d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL"):
+ set_var_field(
+ "SPDX_PACKAGE_URL",
+ spdx_package,
+ "software_packageUrl",
+ package=package
+ )
+
 pkg_objset.new_scoped_relationship(
 [oe.sbom30.get_element_link_id(build)],
 oe.spdx30.RelationshipType.hasOutput,
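Review bot: The value read from SPDX_PACKAGE_URL is written straight into software_packageUrl with no check that it is actually a Package URL, even though the new bbclass doc string promises conformance with the purl specification; a stray value such as a plain http URL will be emitted as a purl, and downstream consumers that match vulnerability data on purls will then silently miss or mismatch the package. I would resolve the value once and at least warn on a missing `pkg:` scheme before calling set_var_field, e.g. `purl = d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL")` followed by `if purl and not purl.startswith("pkg:"): bb.warn("SPDX_PACKAGE_URL for %s is not a Package URL: %s" % (package, purl))` (assuming `bb` is already imported in this module as in the other oe task modules). Fully validating type/namespace/name/version against the spec would be better still, but the scheme check catches the common misconfiguration cheaply. The enclosing create_spdx() starts and ends outside this hunk.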
Define the variable SPDX_PACKAGE_URL to populate the software_packageUrl field [1][2] in the SPDX 3.0 SBOM; it can be overridden per package with SPDX_PACKAGE_URL:<pkgname>. Currently the purl format for Yocto packages is not defined, so the variable defaults to empty until there is a comprehensive plan for what Yocto purls should look like. Users can still supply their own purl by setting SPDX_PACKAGE_URL. [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/ [2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- meta/classes/create-spdx-3.0.bbclass | 5 +++++ meta/lib/oe/spdx30_tasks.py | 8 ++++++++ 2 files changed, 13 insertions(+)