@@ -414,3 +414,31 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase):
value, ["enabled", "disabled"],
f"Unexpected PACKAGECONFIG value '{value}' for {key}"
)
+
+ def test_download_location_defensive_handling(self):
+ """Test that download_location handling is defensive.
+
+ Verifies SPDX generation succeeds and external references are
+ properly structured when download_location retrieval works.
+ """
+ objset = self.check_recipe_spdx(
+ "m4",
+ "{DEPLOY_DIR_SPDX}/{SSTATE_PKGARCH}/recipes/recipe-m4.spdx.json",
+ )
+
+ found_external_refs = False
+ for pkg in objset.foreach_type(oe.spdx30.software_Package):
+ if hasattr(pkg, 'externalRef') and pkg.externalRef:
+ found_external_refs = True
+ for ref in pkg.externalRef:
+ self.assertIsNotNone(ref.externalRefType)
+ self.assertIsNotNone(ref.locator)
+ self.assertIsInstance(ref.locator, list)
+ for loc in ref.locator:
+ self.assertIsInstance(loc, str)
+ break
+
+ self.logger.info(
+ f"External references {'found' if found_external_refs else 'not found'} "
+ f"in SPDX output (defensive handling verified)"
+ )