
[08/14] spdx30: Include recipe base PURL in package external identifiers

Message ID 20260221042418.317535-9-stondo@gmail.com
State New
Series spdx30: SBOM enrichment for PURL, metadata, and compliance | expand

Commit Message

Stefano Tondo Feb. 21, 2026, 4:24 a.m. UTC
From: Stefano Tondo <stefano.tondo.ext@siemens.com>

Include the recipe's base PURL (from oe.purl.get_base_purl) in the
external identifiers for built packages alongside any PURLs from
SPDX_PACKAGE_URLS.

This ensures that every built package has a pkg:yocto PURL (e.g.,
pkg:yocto/core/zlib@1.3.1) in its external identifiers, improving
tool interoperability and supply chain tracking.

Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
 meta/lib/oe/spdx30_tasks.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Patch

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 9f5a37b8bf..ef47bd4205 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -853,6 +853,7 @@  def create_spdx(d):
         [oe.sbom30.get_element_link_id(recipe_spdx_license)],
     )
 
+
     dep_sources = {}
     if oe.spdx_common.process_sources(d) and include_sources:
         bb.debug(1, "Adding source files to SPDX")
@@ -886,6 +887,8 @@  def create_spdx(d):
     debug_source_ids = set()
     source_hash_cache = {}
 
+    recipe_purl = oe.purl.get_base_purl(d)
+
     # Write out the package SPDX data now. It is not complete as we cannot
     # write the runtime data, so write it to a staging area and a later task
     # will write out the final collection
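Review bot: `recipe_purl = oe.purl.get_base_purl(d)` is assigned with no comment on what it may hold, yet the third hunk guards it with `if recipe_purl:`, so the value is evidently allowed to be empty; I would say so at the assignment, e.g. `# Base pkg:yocto PURL for this recipe; may be empty, in which case no recipe PURL is appended below`. The commit message's claim that every built package gets a pkg:yocto PURL therefore holds only when the helper returns one, and the message or the comment should reflect that. Separately, in the third hunk `software_packageUrl` is still taken from `purls[0]` alone, so a package with no SPDX_PACKAGE_URLS receives the recipe PURL as an external identifier but no primary `software_packageUrl`; if that is unintended, `elif recipe_purl: spdx_package.software_packageUrl = recipe_purl` after the `if purls:` branch would close the gap. create_spdx begins and ends outside these hunks, and whether `oe.purl` is imported at the top of this module is not visible here.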
@@ -953,7 +956,12 @@  def create_spdx(d):
             if purls:
                 spdx_package.software_packageUrl = purls[0]
 
-            for p in sorted(set(purls)):
+            # Combine SPDX_PACKAGE_URLS with recipe base PURL
+            all_purls = set(purls)
+            if recipe_purl:
+                all_purls.add(recipe_purl)
+
+            for p in sorted(all_purls):
                 spdx_package.externalIdentifier.append(
                     oe.spdx30.ExternalIdentifier(
                         externalIdentifierType=oe.spdx30.ExternalIdentifierType.packageUrl,