@@ -712,7 +712,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
return self.add(v)
def new_vex_patched_relationship(self, from_, to, notes: None):
- props = {'security_statusNotes': notes} if notes else {}
+ props = {"security_statusNotes": notes} if notes else {}
return self._new_relationship(
oe.spdx30.security_VexFixedVulnAssessmentRelationship,
from_,
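Review bot: The annotation `notes: None` on `new_vex_patched_relationship` (and on `new_vex_unpatched_relationship` and `new_vex_ignored_relationship` in the next two hunks) declares the parameter's type as the literal value `None`, which type checkers reject; the body's `if notes` test and the callers in `create_recipe_spdx`, which pass a joined string, show the intended type is an optional string. Change the signature to `def new_vex_patched_relationship(self, from_, to, notes: str | None = None):` (or `Optional[str]` if the file must run on interpreters older than 3.10 without `from __future__ import annotations`), and likewise for the other two methods. The `_new_relationship` call continues outside the hunk.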
@@ -724,7 +724,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
)
def new_vex_unpatched_relationship(self, from_, to, notes: None):
- props = {'security_statusNotes': notes} if notes else {}
+ props = {"security_statusNotes": notes} if notes else {}
return self._new_relationship(
oe.spdx30.security_VexAffectedVulnAssessmentRelationship,
from_,
@@ -737,7 +737,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
)
def new_vex_ignored_relationship(self, from_, to, *, impact_statement, notes: None):
- props = {'security_statusNotes': notes} if notes else {}
+ props = {"security_statusNotes": notes} if notes else {}
return self._new_relationship(
oe.spdx30.security_VexNotAffectedVulnAssessmentRelationship,
from_,
@@ -382,7 +382,6 @@ def collect_dep_sources(dep_objsets, dest):
index_sources_by_hash(e.to, dest)
-
def _generate_git_purl(d, download_location, srcrev):
"""Generate a Package URL for a Git source from its download location.
@@ -392,27 +391,29 @@ def _generate_git_purl(d, download_location, srcrev):
Returns the PURL string or None if no mapping matches.
"""
- if not download_location or not download_location.startswith('git+'):
+ if not download_location or not download_location.startswith("git+"):
return None
git_url = download_location[4:] # Remove 'git+' prefix
# Default handler: github.com
git_purl_handlers = {
- 'github.com': 'pkg:github',
+ "github.com": "pkg:github",
}
# Custom PURL mappings from SPDX_GIT_PURL_MAPPINGS
# Format: "domain1:purl_type1 domain2:purl_type2"
- custom_mappings = d.getVar('SPDX_GIT_PURL_MAPPINGS')
+ custom_mappings = d.getVar("SPDX_GIT_PURL_MAPPINGS")
if custom_mappings:
for mapping in custom_mappings.split():
- parts = mapping.split(':', 1)
+ parts = mapping.split(":", 1)
if len(parts) == 2:
git_purl_handlers[parts[0]] = parts[1]
bb.debug(2, f"Added custom Git PURL mapping: {parts[0]} -> {parts[1]}")
else:
- bb.warn(f"Invalid SPDX_GIT_PURL_MAPPINGS entry: {mapping} (expected format: domain:purl_type)")
+ bb.warn(
+ f"Invalid SPDX_GIT_PURL_MAPPINGS entry: {mapping} (expected format: domain:purl_type)"
+ )
try:
parsed = urllib.parse.urlparse(git_url)
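Review bot: The custom-mapping loop stores `parts[0]` verbatim as the handler key, but the comparison `hostname == domain` in the following hunk tests it against `parsed.hostname`, which urllib lowercases, so an entry such as `GitLab.example.com:pkg:gitlab` can never match; an entry like `:pkg:foo` or `host:` also passes the `len(parts) == 2` check with an empty half and silently installs a useless or malformed mapping. Tighten the accept branch to `if len(parts) == 2 and parts[0] and parts[1]:` and store the key as `git_purl_handlers[parts[0].lower()] = parts[1]`. `_generate_git_purl` continues outside the hunk.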
@@ -425,11 +426,11 @@ def _generate_git_purl(d, download_location, srcrev):
for domain, purl_type in git_purl_handlers.items():
if hostname == domain:
- path = parsed.path.strip('/')
- path_parts = path.split('/')
+ path = parsed.path.strip("/")
+ path_parts = path.split("/")
if len(path_parts) >= 2:
owner = path_parts[0]
- repo = path_parts[1].replace('.git', '')
+ repo = path_parts[1].replace(".git", "")
return f"{purl_type}/{owner}/{repo}@{srcrev}"
break
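Review bot: `repo = path_parts[1].replace(".git", "")` strips every occurrence of `.git` rather than only a trailing extension, so a repository named e.g. `my.github-tools` would be recorded as `myhub-tools` in the PURL; and if the download location carries an `@<rev>` suffix, as the `split("@")` handling in `_enrich_source_package` further down suggests it can, that suffix survives `urlparse` as part of the path and ends up inside the repo name, yielding `pkg:github/owner/repo@<rev>@<srcrev>`. Replace that line with `repo = path_parts[1].split("@", 1)[0]` followed by `repo = repo[:-4] if repo.endswith(".git") else repo` (or `removesuffix(".git")` if the supported interpreter is 3.9+). The `for` loop and `_generate_git_purl` continue outside the hunk.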
@@ -448,12 +449,12 @@ def _enrich_source_package(d, dl, fd, file_name, primary_purpose):
if fd.type == "git":
# Use full SHA-1 from fd.revision
- srcrev = getattr(fd, 'revision', None)
- if srcrev and srcrev not in {'${AUTOREV}', 'AUTOINC', 'INVALID'}:
+ srcrev = getattr(fd, "revision", None)
+ if srcrev and srcrev not in {"${AUTOREV}", "AUTOINC", "INVALID"}:
version = srcrev
# Generate PURL for Git hosting services
- download_location = getattr(dl, 'software_downloadLocation', None)
+ download_location = getattr(dl, "software_downloadLocation", None)
if version and download_location:
purl = _generate_git_purl(d, download_location, version)
@@ -464,12 +465,12 @@ def _enrich_source_package(d, dl, fd, file_name, primary_purpose):
dl.software_packageUrl = purl
# Add VCS external reference for Git repositories
- download_location = getattr(dl, 'software_downloadLocation', None)
+ download_location = getattr(dl, "software_downloadLocation", None)
if download_location and isinstance(download_location, str):
- if download_location.startswith('git+'):
+ if download_location.startswith("git+"):
git_url = download_location[4:]
- if '@' in git_url:
- git_url = git_url.split('@')[0]
+ if "@" in git_url:
+ git_url = git_url.split("@")[0]
dl.externalRef = dl.externalRef or []
dl.externalRef.append(
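Review bot: `git_url.split("@")[0]` truncates at the first `@`, so a download location whose URL carries userinfo (`git+https://user@host/org/repo@rev`) would be reduced to `https://user` in the VCS external reference, which is both wrong and leaks nothing useful to SBOM consumers. If the intent is only to drop a trailing revision suffix, split from the right and only when the tail contains no path separator: `base, sep, tail = git_url.rpartition("@")` / `if sep and "/" not in tail:` / `git_url = base`. The `externalRef.append(...)` call and `_enrich_source_package` continue outside the hunk.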
@@ -480,7 +481,6 @@ def _enrich_source_package(d, dl, fd, file_name, primary_purpose):
)
-
def add_download_files(d, objset):
inputs = set()
@@ -726,8 +726,9 @@ def create_recipe_spdx(d):
if status == "Patched":
spdx_vex = recipe_objset.new_vex_patched_relationship(
- [spdx_cve_id], [recipe],
- notes=": ".join(v for v in (detail, description) if v)
+ [spdx_cve_id],
+ [recipe],
+ notes=": ".join(v for v in (detail, description) if v),
)
patches = []
for idx, filepath in enumerate(resources):
@@ -753,8 +754,9 @@ def create_recipe_spdx(d):
elif status == "Unpatched":
recipe_objset.new_vex_unpatched_relationship(
- [spdx_cve_id], [recipe],
- notes=": ".join(v for v in (detail, description) if v)
+ [spdx_cve_id],
+ [recipe],
+ notes=": ".join(v for v in (detail, description) if v),
)
elif status == "Ignored":
spdx_vex = recipe_objset.new_vex_ignored_relationship(
@@ -1060,7 +1062,11 @@ def create_spdx(d):
if include_sources:
debug_sources |= get_package_sources_from_debug(
- d, package, package_files, dep_sources, source_hash_cache,
+ d,
+ package,
+ package_files,
+ dep_sources,
+ source_hash_cache,
excluded_files=excluded_files,
)
@@ -1185,7 +1191,7 @@ def create_package_spdx(d):
if dep not in providers:
continue
- (dep, _) = providers[dep]
+ dep, _ = providers[dep]
if not oe.packagedata.packaged(dep, localdata):
continue
@@ -1455,17 +1461,17 @@ def create_image_spdx(d):
image_path = image_deploy_dir / image_filename
if os.path.isdir(image_path):
a, _ = add_package_files(
- d,
- objset,
- image_path,
- lambda file_counter: objset.new_spdxid(
- "imagefile", str(file_counter)
- ),
- lambda filepath: [],
- license_data=None,
- ignore_dirs=[],
- ignore_top_level_dirs=[],
- archive=None,
+ d,
+ objset,
+ image_path,
+ lambda file_counter: objset.new_spdxid(
+ "imagefile", str(file_counter)
+ ),
+ lambda filepath: [],
+ license_data=None,
+ ignore_dirs=[],
+ ignore_top_level_dirs=[],
+ archive=None,
)
artifacts.extend(a)
else:
@@ -1482,7 +1488,7 @@ def create_image_spdx(d):
oe.spdx30.Hash(
algorithm=oe.spdx30.HashAlgorithm.sha512,
hashValue=bb.utils.sha512_file(image_path),
- )
+ ),
],
)
)
Reformats SPDX files with black Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> --- meta/lib/oe/sbom30.py | 6 +-- meta/lib/oe/spdx30_tasks.py | 76 ++++++++++++++++++++----------------- 2 files changed, 44 insertions(+), 38 deletions(-)