| Message ID | 20260511-spdx30-package-supplier-default-v1-1-12e0d086ccf4@jetm.me |
|---|---|
| State | New |
| Series | spdx30: default SPDX_PACKAGE_SUPPLIER to OpenEmbedded |
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 56fd01fd53..1fc15ecc7d 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -123,6 +123,7 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \ is supplying artifacts produced by the build" +SPDX_PACKAGE_SUPPLIER_ref ??= "SPDX_AUTHORS_openembedded" SPDX_IMAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \ is supplying the image SBOM. The supplier will be set on all root elements \
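Review bot: the `??=` only guards `SPDX_PACKAGE_SUPPLIER_ref`, not the `_name`/`_type`/`_import` forms, so a build that configures only `SPDX_PACKAGE_SUPPLIER_name` and `_type` will now also see `_ref` set to `SPDX_AUTHORS_openembedded`; please confirm that `new_agent()` gives the explicit `_name`/`_type` form precedence over the `_ref` redirect, otherwise the "keep their behavior" claim in the commit message does not hold for those builds. The `SPDX_PACKAGE_SUPPLIER[doc]` string directly above the new line should also say that `suppliedBy` now defaults to the OpenEmbedded agent and how a downstream layer overrides it, since a vendor shipping its own packages will otherwise publish an SBOM naming a supplier that is not theirs.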
spdx_package.suppliedBy is only set when SPDX_PACKAGE_SUPPLIER is explicitly configured. Default builds leave the property empty on every software_Package Element, so SBOM consumers that require it (BSI TR-03183-2 v2.1.0 validators among them, surfaced by shipcheck at https://github.com/jetm/shipcheck/issues/3) treat the SBOM as missing a normative field.

Default SPDX_PACKAGE_SUPPLIER_ref to the SPDX_AUTHORS_openembedded agent already defined in this file. new_agent() resolves the _ref redirect (meta/lib/oe/sbom30.py), so the existing OpenEmbedded Organization Element gets attached as suppliedBy on every Package without creating a duplicate Agent.

Builds that already configure SPDX_PACKAGE_SUPPLIER via _name/_type/_import/_ref keep their behavior; the ??= only kicks in when nothing is set. The default resolves to a fixed in-tree string, so SPDX output stays reproducible.

This follows the additive pattern used by commit c8e6953a0b ("spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM"): give the field a sensible default value, leave overrides untouched.

Signed-off-by: Javier Tia <floss@jetm.me>

---
COVER-LETTER-BODY-FOLLOWS

shipcheck v0.0.6 (https://github.com/jetm/shipcheck) added an SPDX 3.0 validator that scores SBOMs against the BSI TR-03183-2 v2.1.0 minimum content set. A stock poky core-image-minimal with INHERIT += "create-spdx-3.0" scores 0/30 on the per-package field check because suppliedBy is empty by default. Patch context and a public issue are at https://github.com/jetm/shipcheck/issues/3.

This series gives SPDX_PACKAGE_SUPPLIER a sensible default by reusing the SPDX_AUTHORS_openembedded agent already defined in create-spdx-3.0.bbclass. new_agent() (meta/lib/oe/sbom30.py) already supports _ref redirection, so the change is one line and no Python is touched. Builds that already configure SPDX_PACKAGE_SUPPLIER via _name/_type/_import/_ref keep their behavior.

Two adjacent BSI gaps were considered for this series and intentionally left out:

- software_declaredLicense as a field on software_Package. The SPDX 3.0.1 spec (https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/Package/) does not define such a property; license is modeled exclusively via Relationship Elements. The hasDeclaredLicense Relationship is already emitted per package in meta/lib/oe/spdx30_tasks.py (61ba0ef140 switched it from hasConcludedLicense). The shipcheck validator needs the relationship-traversal path, not a new field.
- Per-package verifiedUsing aggregated from contained software_File Hash Elements. This is a real spec property (cardinality 0..*) but the multi-hop aggregation is invasive enough to warrant a separate discussion. Tracked on the shipcheck issue above.

Cc: Olivier Benjamin <olivier.benjamin@bootlin.com>

---
meta/classes/create-spdx-3.0.bbclass | 1 +
1 file changed, 1 insertion(+)

---
base-commit: 3724b93538d3acbec9f48d4c524b51d166071708
change-id: 20260511-spdx30-package-supplier-default-17c1bdc10a21

Best regards,
--
Javier Tia <floss@jetm.me>
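As an added example, not part of this series, of shipcheck or of the Yocto SBOM code, the per-package suppliedBy check the cover letter describes, run over a small constructed SPDX 3.0 JSON-LD graph; the key names follow the SPDX 3.0 JSON serialization and the element ids and package set are made up.

```python
import json

# SPDX 3.0 element types that may be named in a suppliedBy slot.
AGENT_TYPES = {"Agent", "Person", "Organization", "SoftwareAgent"}

# Constructed sample graph (not real build output): one Organization agent
# and three packages. Only the first package's suppliedBy resolves to the
# agent; the second has no suppliedBy at all (the stock behaviour this
# series changes) and the third points at an id that is not in the graph.
SAMPLE_SBOM = json.loads("""
{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {"type": "Organization", "spdxId": "http://example.invalid/agent/oe",
     "name": "OpenEmbedded"},
    {"type": "software_Package", "spdxId": "http://example.invalid/pkg/busybox",
     "name": "busybox", "suppliedBy": "http://example.invalid/agent/oe"},
    {"type": "software_Package", "spdxId": "http://example.invalid/pkg/zlib",
     "name": "zlib"},
    {"type": "software_Package", "spdxId": "http://example.invalid/pkg/openssl",
     "name": "openssl", "suppliedBy": "http://example.invalid/agent/missing"}
  ]
}
""")

def check_supplied_by(doc: dict) -> dict:
    """Per-package suppliedBy check in the spirit of the BSI TR-03183-2
    minimum content set: a package passes only when its suppliedBy names
    an Agent element present in the same @graph."""
    graph = doc.get("@graph", [])
    agents = {e["spdxId"] for e in graph if e.get("type") in AGENT_TYPES}
    result = {"packages": 0, "ok": 0, "missing": [], "dangling": []}
    for e in graph:
        if e.get("type") != "software_Package":
            continue
        result["packages"] += 1
        supplier = e.get("suppliedBy")
        if supplier is None:
            result["missing"].append(e["spdxId"])
        elif supplier not in agents:
            result["dangling"].append(e["spdxId"])
        else:
            result["ok"] += 1
    return result

if __name__ == "__main__":
    r = check_supplied_by(SAMPLE_SBOM)
    print(f"suppliedBy: {r['ok']}/{r['packages']} packages pass")
    for pid in r["missing"] + r["dangling"]:
        print("unresolved suppliedBy:", pid)
```

Run it against the JSON emitted by a create-spdx-3.0 build to see which packages would still fail after the default is applied, for instance packages whose supplier was overridden with a `_ref` that does not exist in the graph.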