@@ -142,6 +142,10 @@ SPDX_PACKAGE_URLS[doc] = "A space separated list of Package URLs (purls) for \
Override this variable to replace the default, otherwise append or prepend \
to add additional purls."
+SPDX_RECIPE_SBOM_NAME ?= "${PN}-recipe-sbom"
+SPDX_RECIPE_SBOM_NAME[doc] = "The name of output recipe SBoM when using \
+ create_recipe_sbom"
+
IMAGE_CLASSES:append = " create-spdx-image-3.0"
SDK_CLASSES += "create-spdx-sdk-3.0"
@@ -240,6 +244,34 @@ python do_create_package_spdx_setscene () {
}
addtask do_create_package_spdx_setscene
+addtask do_create_recipe_sbom after create_recipe_spdx
+python do_create_recipe_sbom() {
+ import oe.spdx30_tasks
+ from pathlib import Path
+ deploydir = Path(d.getVar("SPDXRECIPESBOMDEPLOY"))
+ oe.spdx30_tasks.create_recipe_sbom(d, deploydir)
+}
+
+SSTATETASKS += "do_create_recipe_sbom"
+do_create_recipe_sbom[recrdeptask] = "do_create_recipe_spdx"
+do_create_recipe_sbom[nostamp] = "1"
+do_create_recipe_sbom[sstate-inputdirs] = "${SPDXRECIPESBOMDEPLOY}"
+do_create_recipe_sbom[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_create_recipe_sbom[file-checksums] += "${SPDX3_DEP_FILES}"
+do_create_recipe_sbom[cleandirs] = "${SPDXRECIPESBOMDEPLOY}"
+do_create_recipe_sbom[vardeps] += "\
+ SPDX_INCLUDE_BITBAKE_PARENT_BUILD \
+ SPDX_PACKAGE_ADDITIONAL_PURPOSE \
+ SPDX_PROFILES \
+ SPDX_NAMESPACE_PREFIX \
+ SPDX_UUID_NAMESPACE \
+ "
+
+python do_create_recipe_sbom_setscene () {
+ sstate_setscene(d)
+}
+addtask do_create_recipe_sbom_setscene
+
python spdx30_build_started_handler () {
import oe.spdx30_tasks
d = e.data.createCopy()
@@ -25,6 +25,7 @@ SPDX_TOOL_VERSION ??= "1.0"
SPDXRECIPEDEPLOY = "${SPDXDIR}/recipe-deploy"
SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
+SPDXRECIPESBOMDEPLOY = "${SPDXDIR}/recipes-bom-deploy"
SPDX_INCLUDE_SOURCES ??= "0"
SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
@@ -532,6 +532,7 @@ RECIPE_MAINTAINER:pn-meta-go-toolchain = "Richard Purdie <richard.purdie@linuxfo
RECIPE_MAINTAINER:pn-meta-ide-support = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER:pn-meta-toolchain = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER:pn-meta-world-pkgdata = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-meta-world-recipe-sbom = "Joshua Watt <JPEWhacker@gmail.com>"
RECIPE_MAINTAINER:pn-mingetty = "Yi Zhao <yi.zhao@windriver.com>"
RECIPE_MAINTAINER:pn-mini-x-session = "Unassigned <unassigned@yoctoproject.org>"
RECIPE_MAINTAINER:pn-minicom = "Unassigned <unassigned@yoctoproject.org>"
@@ -1564,3 +1564,13 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
oe.sbom30.write_jsonld_doc(
d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json")
)
+
+
+def create_recipe_sbom(d, deploydir):
+ sbom_name = d.getVar("SPDX_RECIPE_SBOM_NAME")
+
+ recipe, recipe_objset = load_recipe_spdx(d)
+
+ objset, sbom = oe.sbom30.create_sbom(d, sbom_name, [recipe], [recipe_objset])
+
+ oe.sbom30.write_jsonld_doc(d, objset, deploydir / (sbom_name + ".spdx.json"))
@@ -151,6 +151,16 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase):
"{DEPLOY_DIR_SPDX}/{MACHINE_ARCH}/packages/package-base-files.spdx.json",
)
+ def test_world_sbom(self):
+ objset = self.check_recipe_spdx(
+ "meta-world-recipe-sbom",
+ "{DEPLOY_DIR_IMAGE}/world-recipe-sbom.spdx.json",
+ task="create_recipe_sbom",
+ )
+
+ # Document should be fully linked
+ self.check_objset_missing_ids(objset)
+
def test_gcc_include_source(self):
objset = self.check_recipe_spdx(
"gcc",
new file mode 100644
@@ -0,0 +1,29 @@
+SUMMARY = "Generates a combined SBoM for all world recipes"
+LICENSE = "MIT"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit nopackages
+deltask do_fetch
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+
+do_prepare_recipe_sysroot[deptask] = ""
+
+WORLD_SBOM_EXCLUDE ?= ""
+
+EXCLUDE_FROM_WORLD = "1"
+SPDX_RECIPE_SBOM_NAME = "world-recipe-sbom"
+
+python calculate_extra_depends() {
+ exclude = set('${WORLD_SBOM_EXCLUDE}'.split())
+ exclude |= set(f"{v}-{self_pn}" for v in '${MULTILIB_VARIANTS}'.split())
+ exclude.add(self_pn)
+
+ deps.extend(p for p in world_target if p not in exclude)
+}
Adds a task that will create the complete recipe-level SBoM for a given target recipe, following all dependencies. For example: ``` bitbake -c create_recipe_sbom zstd ``` Would produce the complete recipe SBoM for the zstd recipe, include all build time dependencies (recursively). The complete SBoM for all (target) recipes can be built with: ``` bitbake -c create_recipe_sbom meta-world-recipe-sbom ``` Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> --- meta/classes/create-spdx-3.0.bbclass | 32 +++++++++++++++++++ meta/classes/spdx-common.bbclass | 1 + meta/conf/distro/include/maintainers.inc | 1 + meta/lib/oe/spdx30_tasks.py | 10 ++++++ meta/lib/oeqa/selftest/cases/spdx.py | 10 ++++++ .../meta/meta-world-recipe-sbom.bb | 29 +++++++++++++++++ 6 files changed, 83 insertions(+) create mode 100644 meta/recipes-core/meta/meta-world-recipe-sbom.bb