| Message ID | 20260324132958.2316491-3-stondo@gmail.com |
|---|---|
| State | Superseded |
| Series | SPDX 3.0 SBOM enrichment and compliance improvements | expand |
On Tue, Mar 24, 2026 at 7:30 AM <stondo@gmail.com> wrote: > > From: Stefano Tondo <stefano.tondo.ext@siemens.com> > > Add SPDX_IMAGE_SUPPLIER and SPDX_SDK_SUPPLIER variables that allow > setting a supplier agent on image and SDK SBOM root elements using > the suppliedBy property. > > These follow the existing SPDX_PACKAGE_SUPPLIER pattern and use the > standard agent variable system to define supplier information. > > Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com> > Reviewed-by: Joshua Watt <JPEWhacker@gmail.com> If you push a new patch please don't copy the review tag. > --- > meta/classes/create-spdx-3.0.bbclass | 10 ++++++++++ > meta/lib/oe/spdx30_tasks.py | 23 ++++++++++++++++++++--- > 2 files changed, 30 insertions(+), 3 deletions(-) > > diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass > index 7515f460c3..9a6606dce6 100644 > --- a/meta/classes/create-spdx-3.0.bbclass > +++ b/meta/classes/create-spdx-3.0.bbclass > @@ -124,6 +124,16 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's > SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \ > is supplying artifacts produced by the build" > > +SPDX_IMAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \ > + is supplying the image SBOM. The supplier will be set on all root elements \ > + of the image SBOM using the suppliedBy property. If not set, no supplier \ > + information will be added to the image SBOM." > + > +SPDX_SDK_SUPPLIER[doc] = "The base variable name to describe the Agent who \ > + is supplying the SDK SBOM. The supplier will be set on all root elements \ > + of the SDK SBOM using the suppliedBy property. If not set, no supplier \ > + information will be added to the SDK SBOM." > + > SPDX_PACKAGE_VERSION ??= "${PV}" > SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \ > in software_Package" 
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index 68ed821a8c..62a00069df 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py > @@ -1449,6 +1449,16 @@ def create_image_sbom_spdx(d): > > objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements) > > + # Set supplier on root elements if SPDX_IMAGE_SUPPLIER is defined > + supplier = objset.new_agent("SPDX_IMAGE_SUPPLIER", add=False) > + if supplier is not None: > + supplier_id = supplier if isinstance(supplier, str) else supplier._id > + if not isinstance(supplier, str): > + objset.add(supplier) > + for elem in sbom.rootElement: > + if hasattr(elem, "suppliedBy"): > + elem.suppliedBy = supplier_id > + > oe.sbom30.write_jsonld_doc(d, objset, spdx_path) > > def make_image_link(target_path, suffix): > @@ -1560,12 +1570,19 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname): > d, toolchain_outputname, sorted(list(files)), [rootfs_objset] > ) > > + # Set supplier on root elements if SPDX_SDK_SUPPLIER is defined > + supplier = objset.new_agent("SPDX_SDK_SUPPLIER", add=False) > + if supplier is not None: > + supplier_id = supplier if isinstance(supplier, str) else supplier._id > + if not isinstance(supplier, str): > + objset.add(supplier) > + for elem in sbom.rootElement: > + if hasattr(elem, "suppliedBy"): > + elem.suppliedBy = supplier_id > + > oe.sbom30.write_jsonld_doc( > d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json") > ) > - > - > -def create_recipe_sbom(d, deploydir): This is removed in error. Please add it back > sbom_name = d.getVar("SPDX_RECIPE_SBOM_NAME") > > recipe, recipe_objset = load_recipe_spdx(d) > -- > 2.53.0 >
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 7515f460c3..9a6606dce6 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -124,6 +124,16 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's
 SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
 is supplying artifacts produced by the build"

+SPDX_IMAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
+ is supplying the image SBOM. The supplier will be set on all root elements \
+ of the image SBOM using the suppliedBy property. If not set, no supplier \
+ information will be added to the image SBOM."
+
+SPDX_SDK_SUPPLIER[doc] = "The base variable name to describe the Agent who \
+ is supplying the SDK SBOM. The supplier will be set on all root elements \
+ of the SDK SBOM using the suppliedBy property. If not set, no supplier \
+ information will be added to the SDK SBOM."
+
 SPDX_PACKAGE_VERSION ??= "${PV}"
 SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
 in software_Package"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 68ed821a8c..62a00069df 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -1449,6 +1449,16 @@ def create_image_sbom_spdx(d):

 objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements)

+ # Set supplier on root elements if SPDX_IMAGE_SUPPLIER is defined
+ supplier = objset.new_agent("SPDX_IMAGE_SUPPLIER", add=False)
+ if supplier is not None:
+ supplier_id = supplier if isinstance(supplier, str) else supplier._id
+ if not isinstance(supplier, str):
+ objset.add(supplier)
+ for elem in sbom.rootElement:
+ if hasattr(elem, "suppliedBy"):
+ elem.suppliedBy = supplier_id
+
 oe.sbom30.write_jsonld_doc(d, objset, spdx_path)

 def make_image_link(target_path, suffix):
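Review bot: The new `[doc]` strings for SPDX_IMAGE_SUPPLIER and SPDX_SDK_SUPPLIER state that the supplier `will be set on all root elements`, but the matching code in spdx30_tasks.py only assigns `suppliedBy` on root elements that expose that property (the `hasattr(elem, "suppliedBy")` guard), so any other root element is skipped without notice. Since this text is what someone configuring supplier attribution for compliance purposes will read, it should describe the real behaviour, e.g. `is supplying the image SBOM. The supplier is recorded via the suppliedBy property on every root element that supports it (Artifact elements); other root elements are left unchanged.`, with the same wording for the SDK variable. The claim about which elements carry suppliedBy follows the SPDX 3.0 model as I understand it; worth confirming against the oe.sbom30 classes before committing the wording.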
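Review bot: The nine lines added after `create_sbom` are repeated verbatim in the `create_sdk_sbom` hunk below, differing only in the variable name, and both do nothing when no root element has a `suppliedBy` attribute — a supplier that was configured but never attached produces an SBOM with no supplier and no diagnostic, which is precisely the case a downstream compliance check would want surfaced. Factoring the block into one helper keyed on the variable name removes the duplication and gives a single place to warn when the agent was resolved but never recorded. The two `isinstance(supplier, str)` tests can also collapse into one branch that adds the object and then replaces it by its id, and `supplier._id` reaches into a private attribute of the oe.sbom30 object model — if that module exposes a public accessor for the id, prefer it. `create_image_sbom_spdx` starts before this hunk; the sketch below assumes `bb` is already imported in this module (it is used for logging elsewhere in meta/lib/oe, but confirm).

```python
def set_sbom_supplier(objset, sbom, var_name):
    """Record the Agent named by var_name (e.g. SPDX_IMAGE_SUPPLIER) as
    suppliedBy on every root element of sbom that supports the property.

    No-op when the variable is unset. Warns when the variable is set but
    no root element could carry it, so a misconfiguration is not silent.
    """
    supplier = objset.new_agent(var_name, add=False)
    if supplier is None:
        return
    if not isinstance(supplier, str):
        # new_agent(add=False) handed back a fresh object; register it and
        # keep only its id for the references below
        objset.add(supplier)
        supplier = supplier._id
    attached = False
    for elem in sbom.rootElement:
        if hasattr(elem, "suppliedBy"):
            elem.suppliedBy = supplier
            attached = True
    if not attached:
        bb.warn("%s is set but no SBOM root element supports suppliedBy" % var_name)


# … unchanged: create_image_sbom_spdx up to the create_sbom() call …
    objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements)
    set_sbom_supplier(objset, sbom, "SPDX_IMAGE_SUPPLIER")
    oe.sbom30.write_jsonld_doc(d, objset, spdx_path)
```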
@@ -1560,12 +1570,19 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
 d, toolchain_outputname, sorted(list(files)), [rootfs_objset]
 )

+ # Set supplier on root elements if SPDX_SDK_SUPPLIER is defined
+ supplier = objset.new_agent("SPDX_SDK_SUPPLIER", add=False)
+ if supplier is not None:
+ supplier_id = supplier if isinstance(supplier, str) else supplier._id
+ if not isinstance(supplier, str):
+ objset.add(supplier)
+ for elem in sbom.rootElement:
+ if hasattr(elem, "suppliedBy"):
+ elem.suppliedBy = supplier_id
+
 oe.sbom30.write_jsonld_doc(
 d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json")
 )
-
-
-def create_recipe_sbom(d, deploydir):
 sbom_name = d.getVar("SPDX_RECIPE_SBOM_NAME")

 recipe, recipe_objset = load_recipe_spdx(d)