From patchwork Mon Mar 9 13:28:48 2026
X-Patchwork-Submitter: Stefano Tondo
X-Patchwork-Id: 82898
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 1/7] spdx30: Add configurable file exclusion pattern support
Date: Mon, 9 Mar 2026 14:28:48 +0100
Message-ID: <20260309132854.128375-2-stondo@gmail.com>
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
References: <20260309132854.128375-1-stondo@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232710

From: Stefano Tondo

Add SPDX_FILE_EXCLUDE_PATTERNS variable that allows filtering files from SPDX output by pattern matching. The variable accepts a space-separated list of patterns; files whose paths contain any pattern are excluded. When empty (the default), no filtering is applied and all files are included, preserving existing behavior.

This enables users to reduce SBOM size by excluding files that are not relevant for compliance (e.g., test files, object files, patches).

When file exclusion is active, debug source lookups that reference filtered files are gracefully skipped instead of causing fatal errors.

Signed-off-by: Stefano Tondo
---
 meta/classes/spdx-common.bbclass |  6 ++++++
 meta/lib/oe/spdx30_tasks.py      | 28 ++++++++++++++++++++++++----
 2 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 3110230c9e..f54459d3b4 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -54,6 +54,12 @@ SPDX_CONCLUDED_LICENSE[doc] = "The license concluded by manual or external \ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}" +SPDX_FILE_EXCLUDE_PATTERNS ??= "" +SPDX_FILE_EXCLUDE_PATTERNS[doc] = "Space-separated list of patterns to exclude \ + from SPDX file output. Files whose paths contain any of these patterns will \ + be filtered out. Defaults to empty (no filtering). Example: \ + SPDX_FILE_EXCLUDE_PATTERNS = '.patch .diff /test/ .pyc .o'" + python () { from oe.cve_check import extend_cve_status extend_cve_status(d) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 99f2892dfb..5ced792d71 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -161,6 +161,9 @@ def add_package_files( compiled_sources, types = oe.spdx_common.get_compiled_sources(d) bb.debug(1, f"Total compiled files: {len(compiled_sources)}") + # File exclusion filtering + exclude_patterns = (d.getVar("SPDX_FILE_EXCLUDE_PATTERNS") or "").split() + for subdir, dirs, files in os.walk(topdir, onerror=walk_error): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): @@ -174,6 +177,13 @@ def add_package_files( continue filename = str(filepath.relative_to(topdir)) + + # Apply file exclusion filtering + if exclude_patterns: + filename_lower = filename.lower() + if any(pattern in filename_lower for pattern in exclude_patterns): + continue + file_purposes = get_purposes(filepath) # Check if file is compiled @@ -219,6 +229,8 @@ def add_package_files( def get_package_sources_from_debug( d, package, package_files, sources, source_hash_cache ): + exclude_patterns = (d.getVar("SPDX_FILE_EXCLUDE_PATTERNS") or "").split() + def file_path_match(file_path, pkg_file): if file_path.lstrip("/") == pkg_file.name.lstrip("/"): return True 
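Review bot: the [doc] text for SPDX_FILE_EXCLUDE_PATTERNS describes plain substring matching ("Files whose paths contain any of these patterns") while the example list `'.patch .diff /test/ .pyc .o'` reads like extension filters; as a substring, `.o` also excludes `README.org`, `foo.old` or any path component containing `.o`, and `.diff` hides a directory named `diffutils`. Either state plainly in the doc that these are raw substrings and pick examples that are safe as substrings, or switch the matching to fnmatch-style globs (`*.o`, `*/test/*`) so the example means what a reader will assume.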
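Review bot: in the @@ -174 hunk the path is lowercased before matching (`filename_lower = filename.lower()`) but the patterns taken from SPDX_FILE_EXCLUDE_PATTERNS are not, so a pattern such as `/Test/` or `.PYC` can never match anything; lowercase the patterns once where they are split in the @@ -161 hunk, or drop the lowercasing and match case-sensitively as the filesystem does. Also, `filename` is `filepath.relative_to(topdir)` and therefore has no leading slash, so the documented `/test/` pattern matches `usr/lib/test/x` but silently misses a top-level `test/x`; prefix the path with `/` before matching or say so in the doc.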
@@ -251,10 +263,18 @@ def get_package_sources_from_debug( continue if not any(file_path_match(file_path, pkg_file) for pkg_file in package_files): - bb.fatal( - "No package file found for %s in %s; SPDX found: %s" - % (str(file_path), package, " ".join(p.name for p in package_files)) - ) + # When file exclusion patterns are active, some files may be filtered out + if exclude_patterns: + bb.debug( + 1, + f"Skipping debug source lookup for {file_path} in {package} (file exclusion active)", + ) + continue + else: + bb.fatal( + "No package file found for %s in %s; SPDX found: %s" + % (str(file_path), package, " ".join(p.name for p in package_files)) + ) continue for debugsrc in file_data["debugsrc"]:
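Review bot: the new `if exclude_patterns: ... continue` branch downgrades every missing package file to a debug message as soon as any exclusion pattern is configured, whether or not that particular file was one of the excluded ones, so the mismatch between debug data and package file list that the bb.fatal exists to catch is silenced for every user who sets even a single pattern. Apply the same substring test used in add_package_files to `file_path` first and only `continue` when it actually matches a pattern, keeping bb.fatal for files that were not excluded; a shared helper for that test would also avoid reading and splitting SPDX_FILE_EXCLUDE_PATTERNS in two places (here and in the @@ -161 hunk).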
From patchwork Mon Mar 9 13:28:49 2026
X-Patchwork-Submitter: Stefano Tondo
X-Patchwork-Id: 82897
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 2/7] spdx30: Add supplier support for image and SDK SBOMs
Date: Mon, 9 Mar 2026 14:28:49 +0100
Message-ID: <20260309132854.128375-3-stondo@gmail.com>
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
References: <20260309132854.128375-1-stondo@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232711

From: Stefano Tondo

Add SPDX_IMAGE_SUPPLIER and SPDX_SDK_SUPPLIER variables that allow setting a supplier agent on image and SDK SBOM root elements using the suppliedBy property. These follow the existing SPDX_PACKAGE_SUPPLIER pattern and use the standard agent variable system to define supplier information.

Signed-off-by: Stefano Tondo
Reviewed-by: Joshua Watt
---
 meta/classes/create-spdx-3.0.bbclass | 10 ++++++++++
 meta/lib/oe/spdx30_tasks.py          | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index d4575d61c4..def2dacbc3 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -124,6 +124,16 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \ is supplying artifacts produced by the build" +SPDX_IMAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \ + is supplying the image SBOM. The supplier will be set on all root elements \ + of the image SBOM using the suppliedBy property. If not set, no supplier \ + information will be added to the image SBOM." + +SPDX_SDK_SUPPLIER[doc] = "The base variable name to describe the Agent who \ + is supplying the SDK SBOM. The supplier will be set on all root elements \ + of the SDK SBOM using the suppliedBy property. If not set, no supplier \ + information will be added to the SDK SBOM." + SPDX_PACKAGE_VERSION ??= "${PV}" SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \ in software_Package" diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 5ced792d71..c3a23d7889 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -1314,6 +1314,16 @@ def create_image_sbom_spdx(d): objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements) + # Set supplier on root elements if SPDX_IMAGE_SUPPLIER is defined + supplier = objset.new_agent("SPDX_IMAGE_SUPPLIER", add=False) + if supplier is not None: + supplier_id = supplier if isinstance(supplier, str) else supplier._id + if not isinstance(supplier, str): + objset.add(supplier) + for elem in sbom.rootElement: + if hasattr(elem, "suppliedBy"): + elem.suppliedBy = supplier_id + oe.sbom30.write_jsonld_doc(d, objset, spdx_path) def make_image_link(target_path, suffix): 
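Review bot: in the @@ -1314 hunk, `supplier._id` reaches into a private attribute of the agent object, and the str-or-object handling tests the same condition twice (`supplier if isinstance(supplier, str) else supplier._id` followed by `if not isinstance(supplier, str): objset.add(supplier)`). If oe.sbom30 offers a public accessor for an element's id, use it; otherwise branch once (`if isinstance(supplier, str): supplier_id = supplier` / `else: objset.add(supplier); supplier_id = supplier._id`) so the two cases read clearly. The `hasattr(elem, "suppliedBy")` guard also drops the supplier silently for any root element without that property; a bb.debug there would make a missing supplier in the output explainable.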
@@ -1425,6 +1435,16 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname): d, toolchain_outputname, sorted(list(files)), [rootfs_objset] ) + # Set supplier on root elements if SPDX_SDK_SUPPLIER is defined + supplier = objset.new_agent("SPDX_SDK_SUPPLIER", add=False) + if supplier is not None: + supplier_id = supplier if isinstance(supplier, str) else supplier._id + if not isinstance(supplier, str): + objset.add(supplier) + for elem in sbom.rootElement: + if hasattr(elem, "suppliedBy"): + elem.suppliedBy = supplier_id + oe.sbom30.write_jsonld_doc( d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json") )
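Review bot: this block is a verbatim copy of the one added to create_image_sbom_spdx in the previous hunk, differing only in the variable name passed to `objset.new_agent`; factor it into a helper (for example `set_root_supplier(objset, sbom, varname)`, name is a suggestion) called from both sites, so that a later fix to the id handling or to the suppliedBy guard cannot land in one copy and not the other.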
From patchwork Mon Mar 9 13:28:50 2026
X-Patchwork-Submitter: Stefano Tondo
X-Patchwork-Id: 82899
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses
Date: Mon, 9 Mar 2026 14:28:50 +0100
Message-ID: <20260309132854.128375-4-stondo@gmail.com>
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
References: <20260309132854.128375-1-stondo@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232712

From: Stefano Tondo

Have each ecosystem bbclass set its own Package URL by prepending to SPDX_PACKAGE_URLS, rather than detecting inherited classes from the SPDX code. This follows the principle that each class should know how to describe itself.

The following bbclasses now generate ecosystem PURLs:
- pypi.bbclass: pkg:pypi/@PV
- npm.bbclass: pkg:npm/@PV
- cargo_common.bbclass: pkg:cargo/@PV
- go-mod.bbclass: pkg:golang/@PV
- cpan.bbclass: pkg:cpan/@PV

Additional ecosystems (nuget, maven, dotnet) can follow the same pattern in their respective layers.

Signed-off-by: Stefano Tondo
---
 meta/classes-recipe/cargo_common.bbclass |  3 +++
 meta/classes-recipe/cpan.bbclass         | 11 +++++++++++
 meta/classes-recipe/go-mod.bbclass       |  3 +++
 meta/classes-recipe/npm.bbclass          |  7 +++++++
 meta/classes-recipe/pypi.bbclass         |  3 +++
 5 files changed, 27 insertions(+)
diff --git a/meta/classes-recipe/cargo_common.bbclass b/meta/classes-recipe/cargo_common.bbclass index bc44ad7918..e884b344ef 100644 --- a/meta/classes-recipe/cargo_common.bbclass +++ b/meta/classes-recipe/cargo_common.bbclass @@ -240,3 +240,6 @@ EXPORT_FUNCTIONS do_configure # https://github.com/rust-lang/libc/issues/3223 # https://github.com/rust-lang/libc/pull/3175 INSANE_SKIP:append = " 32bit-time" + +# Generate ecosystem-specific Package URL for SPDX +SPDX_PACKAGE_URLS:prepend = "pkg:cargo/${BPN}@${PV} " diff --git a/meta/classes-recipe/cpan.bbclass b/meta/classes-recipe/cpan.bbclass index bb76a5b326..355e7e6adf 100644 --- a/meta/classes-recipe/cpan.bbclass +++ b/meta/classes-recipe/cpan.bbclass @@ -68,4 +68,15 @@ cpan_do_install () { done } +# Generate ecosystem-specific Package URL for SPDX +def cpan_spdx_name(d): + bpn = d.getVar('BPN') + if bpn.startswith('perl-'): + return bpn[5:] + elif bpn.startswith('libperl-'): + return bpn[8:] + return bpn + +SPDX_PACKAGE_URLS:prepend = "pkg:cpan/${@cpan_spdx_name(d)}@${PV} " + EXPORT_FUNCTIONS do_configure do_compile do_install diff --git a/meta/classes-recipe/go-mod.bbclass b/meta/classes-recipe/go-mod.bbclass index a15dda8f0e..344712b193 100644 --- a/meta/classes-recipe/go-mod.bbclass +++ b/meta/classes-recipe/go-mod.bbclass @@ -32,3 +32,6 @@ do_compile[dirs] += "${B}/src/${GO_WORKDIR}" # Make go install unpack the module zip files in the module cache directory # before the license directory is polulated with license files. addtask do_compile before do_populate_lic + +# Generate ecosystem-specific Package URL for SPDX +SPDX_PACKAGE_URLS:prepend = "pkg:golang/${GO_IMPORT}@${PV} " diff --git a/meta/classes-recipe/npm.bbclass b/meta/classes-recipe/npm.bbclass index 344e8b4bec..aec69ebfd3 100644 --- a/meta/classes-recipe/npm.bbclass +++ b/meta/classes-recipe/npm.bbclass 
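Review bot: in the cpan.bbclass hunk, cpan_spdx_name only strips a `perl-` or `libperl-` prefix and otherwise returns BPN unchanged, so any recipe that follows a different naming scheme gets `pkg:cpan/<BPN>@PV` naming a distribution that may not exist under that spelling on CPAN; CPAN distribution names also carry case (`Test-Simple`, not `test-simple`), which a lowercase BPN cannot reproduce. Consider making the derived name only the default of a recipe-overridable variable (for example `CPAN_PACKAGE ??= "${@cpan_spdx_name(d)}"`, name hypothetical) so recipes with non-matching BPNs can emit a correct PURL.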
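Review bot: in the go-mod.bbclass hunk, `pkg:golang/${GO_IMPORT}@${PV}` copies the import path verbatim, but the purl spec requires the golang namespace and name to be lowercased, and GO_IMPORT must keep the import path's case (import paths of the shape github.com/Some-Org/Repo are common); lowercase the value in a Python expression when building the PURL. Go module versions are also `v`-prefixed (`v1.2.3`), so a PV of `1.2.3` yields an `@1.2.3` qualifier that module proxies and vulnerability databases will not match; prefix `v` when PV lacks it.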
@@ -354,4 +354,11 @@ FILES:${PN} += " \ ${nonarch_libdir} \ " +# Generate ecosystem-specific Package URL for SPDX +def npm_spdx_name(d): + bpn = d.getVar('BPN') + return bpn[4:] if bpn.startswith('node-') else bpn + +SPDX_PACKAGE_URLS:prepend = "pkg:npm/${@npm_spdx_name(d)}@${PV} " + EXPORT_FUNCTIONS do_configure do_compile do_install diff --git a/meta/classes-recipe/pypi.bbclass b/meta/classes-recipe/pypi.bbclass index 1372d85e8d..fd5cd7af95 100644 --- a/meta/classes-recipe/pypi.bbclass +++ b/meta/classes-recipe/pypi.bbclass 
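Review bot: in the npm.bbclass hunk, npm_spdx_name strips a `node-` prefix but has no way to express a scoped package: the purl spec puts the scope in the namespace with the `@` percent-encoded (`pkg:npm/%40angular/animation@12.3.1`), whereas a BPN-derived name can at best be a flattened string. Let the recipe supply the real npm name (scope included) through a variable the PURL is built from, with the `node-` stripping as the fallback, and say in the class comment that scoped packages need that override.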
@@ -55,3 +55,6 @@ UPSTREAM_CHECK_URI ?= "https://pypi.org/simple/${@pypi_normalize(d)}/" UPSTREAM_CHECK_REGEX ?= "${UPSTREAM_CHECK_PYPI_PACKAGE}-(?P(\d+[\.\-_]*)+).(tar\.gz|tgz|zip|tar\.bz2)" CVE_PRODUCT ?= "python:${PYPI_PACKAGE}" + +# Generate ecosystem-specific Package URL for SPDX +SPDX_PACKAGE_URLS:prepend = "pkg:pypi/${@pypi_normalize(d)}@${PV} "
From patchwork Mon Mar 9 13:28:51 2026
X-Patchwork-Submitter: Stefano Tondo
X-Patchwork-Id: 82901
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 4/7] spdx30: Enrich source downloads with version and PURL
Date: Mon, 9 Mar 2026 14:28:51 +0100
Message-ID: <20260309132854.128375-5-stondo@gmail.com>
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
References: <20260309132854.128375-1-stondo@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232713

From: Stefano Tondo

Add version extraction, PURL generation, and external references to source download packages in SPDX 3.0 SBOMs:
- Extract version from SRCREV for Git sources (full SHA-1)
- Generate PURLs for Git sources on github.com by default
- Support custom mappings via SPDX_GIT_PURL_MAPPINGS variable (format: "domain:purl_type", split(':', 1) for parsing)
- Use ecosystem PURLs from SPDX_PACKAGE_URLS for non-Git
- Add VCS external references for Git downloads
- Add distribution external references for tarball downloads
- Parse Git URLs using urllib.parse
- Extract logic into _generate_git_purl() and _enrich_source_package() helpers

The SPDX_GIT_PURL_MAPPINGS variable allows configuring PURL generation for self-hosted Git services (e.g., GitLab). github.com is always mapped to pkg:github by default.

Signed-off-by: Stefano Tondo
---
 meta/classes/create-spdx-3.0.bbclass |   7 ++
 meta/lib/oe/spdx30_tasks.py          | 122 +++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index def2dacbc3..9e912b34e1 100644
--- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -152,6 +152,13 @@ SPDX_PACKAGE_URLS[doc] = "A space separated list of Package URLs (purls) for \ Override this variable to replace the default, otherwise append or prepend \ to add additional purls." +SPDX_GIT_PURL_MAPPINGS ??= "" +SPDX_GIT_PURL_MAPPINGS[doc] = "A space separated list of domain:purl_type \ + mappings to configure PURL generation for Git source downloads. \ + For example, "gitlab.example.com:pkg:gitlab" maps repositories hosted \ + on gitlab.example.com to the pkg:gitlab PURL type. \ + github.com is always mapped to pkg:github by default." + IMAGE_CLASSES:append = " create-spdx-image-3.0" SDK_CLASSES += "create-spdx-sdk-3.0" diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index c3a23d7889..1f6c84628d 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -13,6 +13,7 @@ import oe.spdx30 import oe.spdx_common import oe.sdk import os +import urllib.parse from contextlib import contextmanager from datetime import datetime, timezone 
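Review bot: the SPDX_GIT_PURL_MAPPINGS[doc] value in the @@ -152 hunk wraps its example in the same double quotes that delimit the value itself (`For example, "gitlab.example.com:pkg:gitlab" maps`), relying on the BitBake parser tolerating embedded double quotes; the SPDX_FILE_EXCLUDE_PATTERNS[doc] text in 1/7 uses single quotes for exactly this purpose (`'.patch .diff /test/ .pyc .o'`), so do the same here for consistency and to keep the value robust against quoting changes. The doc could also state that the purl type part may itself contain a colon (`pkg:gitlab`), which is why the commit message mentions `split(':', 1)`; a reader of the variable alone would otherwise assume `domain:purl_type` has exactly one colon.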
@@ -377,6 +378,125 @@ def collect_dep_sources(dep_objsets, dest): index_sources_by_hash(e.to, dest) +def _generate_git_purl(d, download_location, srcrev): + """Generate a Package URL for a Git source from its download location. + + Parses the Git URL to identify the hosting service and generates the + appropriate PURL type. Supports github.com by default and custom + mappings via SPDX_GIT_PURL_MAPPINGS. + + Returns the PURL string or None if no mapping matches. + """ + if not download_location or not download_location.startswith('git+'): + return None + + git_url = download_location[4:] # Remove 'git+' prefix + + # Default handler: github.com + git_purl_handlers = { + 'github.com': 'pkg:github', + } + + # Custom PURL mappings from SPDX_GIT_PURL_MAPPINGS + # Format: "domain1:purl_type1 domain2:purl_type2" + custom_mappings = d.getVar('SPDX_GIT_PURL_MAPPINGS') + if custom_mappings: + for mapping in custom_mappings.split(): + parts = mapping.split(':', 1) + if len(parts) == 2: + git_purl_handlers[parts[0]] = parts[1] + bb.debug(2, f"Added custom Git PURL mapping: {parts[0]} -> {parts[1]}") + else: + bb.warn(f"Invalid SPDX_GIT_PURL_MAPPINGS entry: {mapping} (expected format: domain:purl_type)") + + try: + parsed = urllib.parse.urlparse(git_url) + except Exception: + return None + + hostname = parsed.hostname + if not hostname: + return None + + for domain, purl_type in git_purl_handlers.items(): + if hostname == domain: + path = parsed.path.strip('/') + path_parts = path.split('/') + if len(path_parts) >= 2: + owner = path_parts[0] + repo = path_parts[1].replace('.git', '') + return f"{purl_type}/{owner}/{repo}@{srcrev}" + break + + return None + + +def _enrich_source_package(d, dl, fd, file_name, primary_purpose): + """Enrich a source download package with version, PURL, and external refs. + + Extracts version from SRCREV for Git sources, generates PURLs for + known hosting services, and adds external references for VCS, + distribution URLs, and homepage. 
+ """ + version = None + purl = None + + if fd.type == "git": + # Use full SHA-1 from fd.revision + srcrev = getattr(fd, 'revision', None) + if srcrev and srcrev not in {'${AUTOREV}', 'AUTOINC', 'INVALID'}: + version = srcrev + + # Generate PURL for Git hosting services + download_location = getattr(dl, 'software_downloadLocation', None) + if version and download_location: + purl = _generate_git_purl(d, download_location, version) + else: + # For non-Git sources, use recipe PV as version + pv = d.getVar('PV') + if pv and pv not in {'git', 'AUTOINC', 'INVALID', '${PV}'}: + version = pv + + # Use ecosystem PURL from SPDX_PACKAGE_URLS if available + package_urls = (d.getVar('SPDX_PACKAGE_URLS') or '').split() + for url in package_urls: + if not url.startswith('pkg:yocto'): + purl = url + break + + if version: + dl.software_packageVersion = version + + if purl: + dl.software_packageUrl = purl + + # Add external references + download_location = getattr(dl, 'software_downloadLocation', None) + if download_location and isinstance(download_location, str): + dl.externalRef = dl.externalRef or [] + + if download_location.startswith('git+'): + # VCS reference for Git repositories + git_url = download_location[4:] + if '@' in git_url: + git_url = git_url.split('@')[0] + + dl.externalRef.append( + oe.spdx30.ExternalRef( + externalRefType=oe.spdx30.ExternalRefType.vcs, + locator=[git_url], + ) + ) + elif download_location.startswith(('http://', 'https://', 'ftp://')): + # Distribution reference for tarball/archive downloads + dl.externalRef.append( + oe.spdx30.ExternalRef( + externalRefType=oe.spdx30.ExternalRefType.altDownloadLocation, + locator=[download_location], + ) + ) + + def add_download_files(d, objset): inputs = set() 
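Review bot: several details of the URL handling in this hunk produce wrong identifiers for common SRC_URI shapes. In _generate_git_purl, `repo = path_parts[1].replace('.git', '')` removes every occurrence of `.git`, not just a trailing suffix, so a repository named `my.github-tool` becomes `myhub-tool`; use `removesuffix('.git')`. The same function splits `parsed.path` without first removing a trailing `@<rev>`, yet the VCS branch of _enrich_source_package expects exactly that suffix in the download location (`if '@' in git_url: git_url = git_url.split('@')[0]`); when the suffix is present, path_parts[1] is `repo@<rev>` and the PURL ends as `.../repo@<rev>@<srcrev>`. That `split('@')[0]` is itself fragile: for `ssh://git@host/owner/repo` it keeps only `ssh://git`; strip the revision from the parsed path component (everything after the last `@` in `parsed.path`) instead of from the whole URL. Finally, the _enrich_source_package docstring promises external references for "distribution URLs, and homepage", but no homepage reference is added; add it or trim the docstring.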
@@ -440,6 +560,8 @@ def add_download_files(d, objset): ) ) + _enrich_source_package(d, dl, fd, file_name, primary_purpose) + if fd.method.supports_checksum(fd): # TODO Need something better than hard coding this for checksum_id in ["sha256", "sha1"]:
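Review bot: the call passes `file_name` and `primary_purpose` to _enrich_source_package, but the function body in the previous hunk never reads either parameter; either use them (for example to skip enrichment for purposes other than source) or drop them from the signature and from this call, so the interface does not suggest behaviour that is not implemented.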
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 5/7] oeqa/selftest: Add tests for source download enrichment
Date: Mon, 9 Mar 2026 14:28:52 +0100
Message-ID: <20260309132854.128375-6-stondo@gmail.com>
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
References: <20260309132854.128375-1-stondo@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232714

From: Stefano Tondo

Add two new SPDX 3.0 selftest cases:

test_download_location_defensive_handling: Verifies SPDX generation succeeds for recipes with tarball sources and that external references are properly structured (ExternalRef locator is a list of strings per SPDX 3.0 spec).

test_version_extraction_patterns: Verifies that version extraction works correctly and all source packages have proper version strings containing digits.

These tests validate the source download enrichment added in the previous commit.

Signed-off-by: Stefano Tondo
---
 meta/lib/oeqa/selftest/cases/spdx.py | 69 ++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/meta/lib/oeqa/selftest/cases/spdx.py b/meta/lib/oeqa/selftest/cases/spdx.py
index 41ef52fce1..7ce2ea57b1 100644
--- a/meta/lib/oeqa/selftest/cases/spdx.py
+++ b/meta/lib/oeqa/selftest/cases/spdx.py
@@ -414,3 +414,72 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase): value, ["enabled", "disabled"], f"Unexpected PACKAGECONFIG value '{value}' for {key}" ) + + def test_download_location_defensive_handling(self): + """Test that download_location handling is defensive. + + Verifies SPDX generation succeeds and external references are + properly structured when download_location retrieval works. + """ + objset = self.check_recipe_spdx( + "m4", + "{DEPLOY_DIR_SPDX}/{SSTATE_PKGARCH}/recipes/recipe-m4.spdx.json", + ) + + found_external_refs = False + for pkg in objset.foreach_type(oe.spdx30.software_Package): + if pkg.externalRef: + found_external_refs = True + for ref in pkg.externalRef: + self.assertIsNotNone(ref.externalRefType) + self.assertIsNotNone(ref.locator) + self.assertGreater(len(ref.locator), 0, "Locator should have at least one entry") + for loc in ref.locator: + self.assertIsInstance(loc, str) + break + + self.logger.info( + f"External references {'found' if found_external_refs else 'not found'} " + f"in SPDX output (defensive handling verified)" + ) + + def test_version_extraction_patterns(self): + """Test that version extraction works for various package formats. + + Verifies that version patterns correctly extract versions from + tarball sources and that all packages have proper version strings. 
+ """ + objset = self.check_recipe_spdx( + "tar", + "{DEPLOY_DIR_SPDX}/{SSTATE_PKGARCH}/recipes/recipe-tar.spdx.json", + ) + + # Collect all packages with versions + packages_with_versions = [] + for pkg in objset.foreach_type(oe.spdx30.software_Package): + if pkg.software_packageVersion: + packages_with_versions.append((pkg.name, pkg.software_packageVersion)) + + self.assertGreater( + len(packages_with_versions), 0, + "Should find packages with extracted versions" + ) + + self.logger.info(f"Found {len(packages_with_versions)} packages with versions") + + # Log some examples for debugging + for name, version in packages_with_versions[:5]: + self.logger.info(f" {name}: {version}") + + # Verify that versions follow expected patterns + for name, version in packages_with_versions: + # Version should not be empty + self.assertIsNotNone(version) + self.assertNotEqual(version, "") + + # Version should contain digits + self.assertRegex( + version, + r'\d', + f"Version '{version}' for package '{name}' should contain digits" + )
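Review bot: test_download_location_defensive_handling cannot fail on the behaviour it is meant to cover: `found_external_refs` is only logged, never asserted, so a build in which the enrichment silently adds no reference still passes, and the `break` stops after the first package that has any reference. Since the commit message says m4 is a tarball source, the altDownloadLocation branch of the previous commit should apply; assert that at least one software_Package carries an ExternalRef whose externalRefType is altDownloadLocation and whose locator contains the download location. test_version_extraction_patterns has the same weakness in a milder form, since `r'\d'` accepts almost anything; comparing the source package's software_packageVersion with the recipe's PV (get_bb_var) would catch a version taken from the wrong place.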
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 6/7] cve_check: Escape special characters in CPE 2.3 strings
Date: Mon, 9 Mar 2026 14:28:53 +0100
Message-ID: <20260309132854.128375-7-stondo@gmail.com>
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
References: <20260309132854.128375-1-stondo@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232715
From: Stefano Tondo

CPE 2.3 formatted string binding (cpe:2.3:...) requires backslash escaping for special meta-characters per NISTIR 7695. Characters like '++' and ':' in product names must be escaped.

The CPE 2.3 specification defines two bindings:
- URI binding (cpe:/...) uses percent-encoding
- Formatted string (cpe:2.3:...) uses backslash escaping

Escape the required meta-characters with backslash:
- Backslash (\) -> \\
- Question mark (?) -> \?
- Asterisk (*) -> \*
- Colon (:) -> \:
- Plus (+) -> \+

All other characters are kept as-is without encoding.

Example CPE identifiers:
- cpe:2.3:*:*:crow:1.0\+x:*:*:*:*:*:*:*
- cpe:2.3:*:*:sdbus-c\+\+:2.2.1:*:*:*:*:*:*:*

Signed-off-by: Stefano Tondo
Reviewed-by: Joshua Watt
---
 meta/lib/oe/cve_check.py | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ae194f27cf..6555743514 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -205,6 +205,35 @@ def get_patched_cves(d): return patched_cves +def cpe_escape(value): + r""" + Escape special characters for CPE 2.3 formatted string binding. + + CPE 2.3 formatted string binding (cpe:2.3:...) uses backslash escaping + for special meta-characters, NOT percent-encoding. Percent-encoding is + only used in the URI binding (cpe:/...). + + According to NISTIR 7695, these characters need escaping: + - Backslash (\) -> \\ + - Question mark (?) -> \? + - Asterisk (*) -> \* + - Colon (:) -> \: + - Plus (+) -> \+ (required by some SBOM validators) + """ + if not value: + return value + + # Escape special meta-characters for CPE 2.3 formatted string binding + # Order matters: escape backslash first to avoid double-escaping + result = value.replace('\\', '\\\\') + result = result.replace('?', '\\?') + result = result.replace('*', '\\*') + result = result.replace(':', '\\:') + result = result.replace('+', '\\+') + + return result + + def get_cpe_ids(cve_product, version): """ Get list of CPE identifiers for the given product and version 
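Review bot: the replace chain escapes only backslash, '?', '*', ':' and '+', but the NISTIR 7695 formatted-string grammar treats every character outside letters, digits, '-', '.' and '_' as one that must carry a backslash, so a product or version containing for example '(', '@', '#' or '~' still yields a string a strict parser rejects. A single `re.sub(r'([^A-Za-z0-9._-])', r'\\\1', value)` covers the five listed cases and the rest in one pass and removes the ordering concern the comment mentions. The docstring should also state that a lone '*' is the logical ANY value and must not be escaped, which is the reason the caller special-cases vendor in the next hunk.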
@@ -221,7 +250,14 @@ def get_cpe_ids(cve_product, version): else: vendor = "*" - cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version) + # Encode special characters per CPE 2.3 specification + encoded_vendor = cpe_escape(vendor) if vendor != "*" else vendor + encoded_product = cpe_escape(product) + encoded_version = cpe_escape(version) + + cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format( + encoded_vendor, encoded_product, encoded_version + ) cpe_ids.append(cpe_id) return cpe_ids
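Review bot: the wildcard guard is applied to vendor only, while product and version go through cpe_escape unconditionally, so if either ever equals the logical "*" it becomes the literal "\*" and matches nothing. Moving the check into cpe_escape (return the value unchanged when it is exactly "*" or "-") keeps the rule in one place and lets this call site treat all three components the same way. The new comment says "Encode special characters" although the commit message stresses that this binding escapes rather than encodes; "Escape" would avoid the confusion.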
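Added example, not the patch's or oe-core's code: a builder that applies the five escapes listed in the commit message to the same cpe:2.3 shape get_cpe_ids emits, plus the consumer side, a splitter that honours backslash escapes, which makes visible why an unescaped ':' in a product name shifts every later field. The component names and the "lone '*' means ANY" convention are this example's own assumptions.

```python
import re

# Added example, not the patch's code. Escapes the five characters the commit
# message lists; the field names and the "lone '*' means ANY" rule are this
# example's assumptions about how a consumer reads the string.
_ESCAPE_ORDER = ("\\", "?", "*", ":", "+")   # backslash first: no double-escaping
_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
           "lang", "sw_edition", "target_sw", "target_hw", "other")


def cpe_escape(value):
    """Escape one component for the cpe:2.3:... formatted string binding."""
    for ch in _ESCAPE_ORDER:
        value = value.replace(ch, "\\" + ch)
    return value


def cpe_unescape(field):
    """Drop the backslash in front of any escaped character."""
    return re.sub(r"\\(.)", r"\1", field)


def build_cpe23(vendor, product, version):
    """Same 'cpe:2.3:*:vendor:product:version:*:...' shape get_cpe_ids emits."""
    comps = [c if c == "*" else cpe_escape(c) for c in (vendor, product, version)]
    return "cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*".format(*comps)


def split_cpe23(cpe):
    """Split on unescaped ':' only, keeping each field's escapes intact."""
    fields, buf, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])      # escaped char belongs to the field
            i += 2
        elif cpe[i] == ":":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(cpe[i])
            i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(cpe):
    """Return the 11 components as a dict; a lone '*' (ANY) becomes None."""
    raw = split_cpe23(cpe)
    if raw[:2] != ["cpe", "2.3"] or len(raw) != 2 + len(_FIELDS):
        raise ValueError(f"malformed CPE 2.3 string: {len(raw)} fields, expected 13")
    return {name: None if f == "*" else cpe_unescape(f)
            for name, f in zip(_FIELDS, raw[2:])}


def is_well_formed(cpe):
    """True when the string splits into exactly the 13 expected fields."""
    try:
        parse_cpe23(cpe)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_cpe23("*", "sdbus-c++", "2.2.1")
    print(good, parse_cpe23(good)["product"])
    # Product 'a:b' written without escaping: the consumer sees 14 fields.
    print(is_well_formed("cpe:2.3:*:*:a:b:1.0:*:*:*:*:*:*:*"))
```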
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com, stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com, adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 7/7] spdx-common: Add documentation for undocumented SPDX variables
Date: Mon, 9 Mar 2026 14:28:54 +0100
Message-ID: <20260309132854.128375-8-stondo@gmail.com>
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
References: <20260309132854.128375-1-stondo@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232716

From: Stefano Tondo

Add [doc] strings for eight undocumented SPDX-related BitBake variables in spdx-common.bbclass.

Variables documented:
- SPDX_INCLUDE_SOURCES
- SPDX_INCLUDE_COMPILED_SOURCES
- SPDX_UUID_NAMESPACE
- SPDX_NAMESPACE_PREFIX
- SPDX_PRETTY
- SPDX_LICENSES
- SPDX_CUSTOM_ANNOTATION_VARS
- SPDX_MULTILIB_SSTATE_ARCHS

This makes variables discoverable via bitbake-getvar and IDE completion, improving usability for SBOM generation.

Signed-off-by: Stefano Tondo
Reviewed-by: Joshua Watt
---
 meta/classes/spdx-common.bbclass | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index f54459d3b4..be6e7b5bd6 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -26,15 +26,38 @@ SPDX_TOOL_VERSION ??= "1.0" SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy" SPDX_INCLUDE_SOURCES ??= "0" +SPDX_INCLUDE_SOURCES[doc] = "If set to '1', include source code files in the \ + SPDX output. This will create File objects for all source files used during \ + the build. Note: This significantly increases SBOM size and generation time." + SPDX_INCLUDE_COMPILED_SOURCES ??= "0" +SPDX_INCLUDE_COMPILED_SOURCES[doc] = "If set to '1', include compiled source \ + files (object files, etc.) in the SPDX output. This automatically enables \ + SPDX_INCLUDE_SOURCES. Note: This significantly increases SBOM size." SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org" +SPDX_UUID_NAMESPACE[doc] = "The namespace used for generating UUIDs in SPDX \ + documents. This should be a domain name or unique identifier for your \ + organization to ensure globally unique SPDX IDs." + SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs" +SPDX_NAMESPACE_PREFIX[doc] = "The URI prefix used for SPDX document namespaces. \ + Combined with other identifiers to create unique document URIs." + SPDX_PRETTY ??= "0" +SPDX_PRETTY[doc] = "If set to '1', generate human-readable formatted JSON output \ + with indentation and line breaks. If '0', generate compact JSON output. \ + Pretty formatting makes files larger but easier to read." SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json" +SPDX_LICENSES[doc] = "Path to the JSON file containing SPDX license identifier \ + mappings. This file maps common license names to official SPDX license \ + identifiers." SPDX_CUSTOM_ANNOTATION_VARS ??= "" +SPDX_CUSTOM_ANNOTATION_VARS[doc] = "Space-separated list of variable names whose \ + values will be added as custom annotations to SPDX documents. Each variable's \ + name and value will be recorded as an annotation for traceability." SPDX_CONCLUDED_LICENSE ??= "" SPDX_CONCLUDED_LICENSE[doc] = "The license concluded by manual or external \ 
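Review bot: the SPDX_CUSTOM_ANNOTATION_VARS [doc] says each variable's name and value "will be recorded as an annotation" but not that the value lands verbatim in a document that normally ships alongside the image, which is the one fact a user picking variables for this list needs before adding anything that may hold credentials or internal paths; and the SPDX_INCLUDE_COMPILED_SOURCES [doc] states it "automatically enables SPDX_INCLUDE_SOURCES" without saying whether the class forces that variable's value or merely behaves as if it were '1', which matters to anyone reading bitbake-getvar output. One sentence each would settle both.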
@@ -53,6 +76,9 @@ SPDX_CONCLUDED_LICENSE[doc] = "The license concluded by manual or external \ SPDX_CONCLUDED_LICENSE:${PN} = 'MIT & Apache-2.0'" SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}" +SPDX_MULTILIB_SSTATE_ARCHS[doc] = "The list of sstate architectures to consider \ + when collecting SPDX dependencies. This includes multilib architectures when \ + multilib is enabled. Defaults to SSTATE_ARCHS." SPDX_FILE_EXCLUDE_PATTERNS ??= "" SPDX_FILE_EXCLUDE_PATTERNS[doc] = "Space-separated list of patterns to exclude \