@@ -14,7 +14,7 @@ python do_sbom_cve_check() {
"""
Task: Run sbom-cve-check analysis on SBOM.
"""
- sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
+ sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}${SPDX_SBOM_EXT}")
image_name = d.getVar("IMAGE_NAME")
link_name = d.getVar("IMAGE_LINK_NAME")
run_sbom_cve_check(d, sbom_path, image_name, link_name)
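Review bot: `d.expand()` leaves a reference to an undefined variable in place, so if this class is parsed in a configuration where `SPDX_SBOM_EXT` has no value, `sbom_path` ends in the literal text `${SPDX_SBOM_EXT}` and the CVE analysis is pointed at a file that does not exist. The default is set in create-spdx-3.0.bbclass, and whether this class always inherits it is not visible in the hunk. If it does not, a weak default here, `SPDX_SBOM_EXT ??= ".spdx.json"`, or a comment naming the dependency would make the failure obvious rather than obscure. The same applies to `do_sbom_cve_check_recipe` in sbom-cve-check-recipe.bbclass.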
@@ -74,6 +74,9 @@ SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
algorithms, as described by the HashAlgorithm vocabulary in the\
SPDX 3 spec. Optional but recommended"
+SPDX_SBOM_EXT ??= ".spdx.json"
+SPDX_SBOM_EXT[doc] = "SBOM file extension name."
+
# Agents
# Bitbake variables can be used to describe an SPDX Agent that may be used
# during the build. An Agent is specified using a set of variables which all
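Review bot: The `[doc]` text for `SPDX_SBOM_EXT` does not say that the value must include the leading dot or that it is appended verbatim to the deployed file name and to the image symlink name. A user who sets `SPDX_SBOM_EXT = "json"` would get `<image>json`, and the sbom-cve-check tasks would look for that same path. I would spell the contract out, for example `SPDX_SBOM_EXT[doc] = "File name suffix, including the leading dot, appended to deployed SBOM file names (default '.spdx.json'). Must not contain path separators."`.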
@@ -16,7 +16,7 @@ python do_sbom_cve_check_recipe() {
"""
Task: Run sbom-cve-check analysis on a recipe SBOM.
"""
- sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}.spdx.json")
+ sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}${SPDX_SBOM_EXT}")
recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
run_sbom_cve_check(d, sbom_path, recipe)
}
@@ -1526,8 +1526,9 @@ def create_image_sbom_spdx(d):
image_link_name = d.getVar("IMAGE_LINK_NAME")
imgdeploydir = Path(d.getVar("SPDXIMAGEDEPLOYDIR"))
machine = d.getVar("MACHINE")
+ sbom_ext = d.getVar("SPDX_SBOM_EXT")
- spdx_path = imgdeploydir / (image_name + ".spdx.json")
+ spdx_path = imgdeploydir / f"{image_name}{sbom_ext}"
root_elements = []
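Review bot: Building the name with an f-string hides an unset variable: if `d.getVar("SPDX_SBOM_EXT")` returns `None`, `f"{image_name}{sbom_ext}"` silently yields `<image>None`. The old `image_name + ".spdx.json"` form would have raised instead. The SBOM would then be deployed under a name no consumer looks for, which matters because the CVE check depends on finding it. Keeping the concatenation, `spdx_path = imgdeploydir / (image_name + sbom_ext)`, preserves the loud failure. The same pattern appears in the later hunks at `sdk_deploydir / f"{toolchain_outputname}{sbom_ext}"` and `deploydir / f"{sbom_name}{sbom_ext}"`. `create_image_sbom_spdx` starts and ends outside this hunk.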
@@ -1567,7 +1568,7 @@ def create_image_sbom_spdx(d):
if link != target_path:
link.symlink_to(os.path.relpath(target_path, link.parent))
- make_image_link(spdx_path, ".spdx.json")
+ make_image_link(spdx_path, sbom_ext)
def sdk_create_spdx(d, sdk_type, spdx_work_dir, toolchain_outputname):
@@ -1603,6 +1604,7 @@ def sdk_create_spdx(d, sdk_type, spdx_work_dir, toolchain_outputname):
def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
+ sbom_ext = d.getVar("SPDX_SBOM_EXT")
# Load the document written earlier
rootfs_objset = oe.sbom30.load_jsonld(
d, spdx_work_dir / "sdk-rootfs.spdx.json", required=True
@@ -1681,15 +1683,15 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
elem.suppliedBy = supplier_id
oe.sbom30.write_jsonld_doc(
- d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json")
+ d, objset, sdk_deploydir / f"{toolchain_outputname}{sbom_ext}"
)
def create_recipe_sbom(d, deploydir):
sbom_name = d.getVar("SPDX_RECIPE_SBOM_NAME")
-
+ sbom_ext = d.getVar("SPDX_SBOM_EXT")
recipe, recipe_objset = load_recipe_spdx(d)
objset, sbom = oe.sbom30.create_sbom(d, sbom_name, [recipe], [recipe_objset])
- oe.sbom30.write_jsonld_doc(d, objset, deploydir / (sbom_name + ".spdx.json"))
+ oe.sbom30.write_jsonld_doc(d, objset, deploydir / f"{sbom_name}{sbom_ext}")
In preparation for upcoming work, introduce a new SPDX_SBOM_EXT variable explicitly telling the file extension name for SBOMs. Keep the default value ".spdx.json" to maintain compatibility with the current behavior. Co-authored-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Jérémie Dautheribes (Schneider Electric) <jeremie.dautheribes@bootlin.com> --- meta/classes-recipe/sbom-cve-check.bbclass | 2 +- meta/classes/create-spdx-3.0.bbclass | 3 +++ meta/classes/sbom-cve-check-recipe.bbclass | 2 +- meta/lib/oe/spdx30_tasks.py | 12 +++++++----- 4 files changed, 12 insertions(+), 7 deletions(-)