From patchwork Mon Apr 20 07:44:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86451 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE689F36C51 for ; Mon, 20 Apr 2026 07:44:59 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.14471.1776671088623350828 for ; Mon, 20 Apr 2026 00:44:49 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=hATJK1RV; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id ACB15C5C98B; Mon, 20 Apr 2026 07:45:26 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id E89B55FFA5; Mon, 20 Apr 2026 07:44:46 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 5313B10460ADD; Mon, 20 Apr 2026 09:44:45 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671086; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=z90vHRKR1kkuj68tHX2F5RSZd76YXCdqa+4IrgUNZTE=; b=hATJK1RVid6Nk5D2qKBnCYGKygjmX70IunZfaO1B9JIeoF8J6uOZ8driTPknNd9p6BhsaQ 1ezNm/Uj6wOqrYubA+NLQls2DUhtVIk9gwmr+lwZRq5ea0+Af0otJWnOt5qeXbFT82UhIB JNTjMAFd0Su4tmMP0YF+TFT091tHL4jJq1C+V4i4rBKIhL5h5uwrGmfUsy5ecCic/+olgY NKmnd8hAkjYnygDToDAJrOIhQAT6GM7qZkmYflhcZq9ae5/smDuyRMqUMfhqsiay9T81rV HCamVqx+OMiIpkhRVzfcyDxlWYiJuxyKCik1qbZvQSJBJJy01A+uLsIymjS1gA== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:32 +0200 Subject: [PATCH 01/10] oe/sbom30: Remove unneeded oe.sbom30. to reference local symbol MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-1-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235542 The class OEDocumentExtension is declared within the sbom30.py file. There is no need to use its full package path to reference it. Same for get_element_link_id() function. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/sbom30.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py index b386b0f55bd3..9f50821af087 100644 --- a/meta/lib/oe/sbom30.py +++ b/meta/lib/oe/sbom30.py @@ -279,7 +279,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): def is_native(self): for e in self.doc.extension: - if not isinstance(e, oe.sbom30.OEDocumentExtension): + if not isinstance(e, OEDocumentExtension): continue if e.is_native is not None: @@ -289,14 +289,14 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): def set_is_native(self, is_native): for e in self.doc.extension: - if not isinstance(e, oe.sbom30.OEDocumentExtension): + if not isinstance(e, OEDocumentExtension): continue e.is_native = is_native return if is_native: - self.doc.extension.append(oe.sbom30.OEDocumentExtension(is_native=True)) + self.doc.extension.append(OEDocumentExtension(is_native=True)) def add_aliases(self): for o in self.foreach_type(oe.spdx30.Element): @@ -633,7 +633,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): self.new_relationship( [spdx_file], oe.spdx30.RelationshipType.hasDeclaredLicense, - [oe.sbom30.get_element_link_id(lic_alias) for lic_alias in file_licenses], + [get_element_link_id(lic_alias) for lic_alias in file_licenses], ) spdx_file.extension.append(OELicenseScannedExtension()) From patchwork Mon Apr 20 07:44:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86449 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DC5C4F36C4C for ; Mon, 20 Apr 2026 07:44:59 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.14869.1776671089878677670 for ; Mon, 20 Apr 2026 00:44:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=nnp4L4Kp; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 3E2DF4E42A75; Mon, 20 Apr 2026 07:44:48 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 0DDAD5FFA5; Mon, 20 Apr 2026 07:44:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 9A36710460B74; Mon, 20 Apr 2026 09:44:46 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671087; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=elhwNXb6qyNCHqMdK5UyWLfTJsVVq1eVgq4TcKLwz/c=; b=nnp4L4KpC+/h8R8L3CbcS7BML8ZNbf/zJsZ8HSILr2G8WD0mu16v3wIC5X3CDVSYG3xHCE +oJYaU1ozwOaoakPig2cnftnci/zwjFm1av4533a83tAkCDvMKA2InfmulpYzc8vhCaupQ XuwBcW8c+KMBPtPCBxe34UJMxsk5Sdu9+4d3OsG/LKFXOAk1bKSCwsHCwKVLoiynXxDPKE 7lBt2Sg0pZV44sxFbNfyF0Lf6JX7w4AR/zpX63sTsLu+iE5I0pxpYCbc2LScqvLmxCRGSG vOBYRQI38wxrsweNWJg6TYshWUQ+VKQtUL7njF0b7FJ2yz3UO52KXkZmlIld9Q== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:33 +0200 Subject: [PATCH 02/10] oe/sbom30: Simplify sorting of license_text_map MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-2-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235543 In new_license_expression() the code used to sort the license_text_map dictionary can be simplified. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/sbom30.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py index 9f50821af087..f45d8f6773ba 100644 --- a/meta/lib/oe/sbom30.py +++ b/meta/lib/oe/sbom30.py @@ -585,9 +585,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): re.sub(r"[^a-zA-Z0-9_-]", "_", license_expression), ] - license_text = [ - (k, license_text_map[k]) for k in sorted(license_text_map.keys()) - ] + license_text = sorted(license_text_map.items(), key=lambda t: t[0]) if not license_text: lic = self.find_filter( From patchwork Mon Apr 20 07:44:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86450 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0767F36C4D for ; Mon, 20 Apr 2026 07:44:59 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.14473.1776671090504549939 for ; Mon, 20 Apr 2026 00:44:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=kOcnoLIG; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id B052DC5C98E; Mon, 20 Apr 2026 07:45:28 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id ED8905FFA5; Mon, 20 Apr 2026 07:44:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 9009510460B76; Mon, 20 Apr 2026 09:44:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671088; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=Q5iG8wH9AIDxUApfpFPIQToEeExLbCsfdFYpZHsqYgc=; b=kOcnoLIGfAj9l+G6bdMSS6CkCl9RSlklNTAlFII56Od7deMW+nn11eDfaZQBGzh1CxVrt2 NpAS0aWMjJc7gtQXKRElFGeQ+MiMbjVehENbjbjqp/BubO21VC5jCceVTRSFOwXAivdsgB n0ARKRpVBmGfFSpmNnh5r3vhDW87RMgYMtFxcud5+dBzPRnpFMgI1XfcJ6t2gm1b75oFcv MdQVLcB3NiMb4VX35YCtyQEPjWRV5QgeZXOoUzLUS4bUXQvMwJYNp//9sGs73yphMgWGq4 hMxzBwku6MM5ynz+QsJ/YD7/PUJ6Uy4eNRZYKSpgZcUFpLtlQR+wVl93eDxAoA== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:34 +0200 Subject: [PATCH 03/10] oe/sbom30: Fix undeclared variable in import_bitbake_build() MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-3-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235544 In the error path, deploy_dir_spdx variable was not defined. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/sbom30.py | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py index f45d8f6773ba..5d020b934cc0 100644 --- a/meta/lib/oe/sbom30.py +++ b/meta/lib/oe/sbom30.py @@ -760,6 +760,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): bb_objset = self.import_bitbake_build_objset() build = find_bitbake_build(bb_objset) if build is None: + deploy_dir_spdx = self.d.getVar("DEPLOY_DIR_SPDX") bb.fatal(f"No build found in {deploy_dir_spdx}") return build From patchwork Mon Apr 20 07:44:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86447 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1F42F36C4B for ; Mon, 20 Apr 2026 07:44:59 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.14871.1776671091566930171 for ; Mon, 20 Apr 2026 00:44:51 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=F1I04wkt; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id BAD41C5C98B; Mon, 20 Apr 2026 07:45:29 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 033315FFA5; Mon, 20 Apr 2026 07:44:50 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id A849610460890; Mon, 20 Apr 2026 09:44:48 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671089; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=7igsj3w6RnT081J1ggbE61zMKNj3dVqdfRotoIeosqc=; b=F1I04wktxQ+H6vTaHwT7ci3Hj+7k+PegA8EyzV+IR70CMQA1Wz2AaFkPQw5xAFVd9GvKj0 bTP3cvZIjrdNKgF+nSdVmAWMy5qeKcsymB0cW+Y36SoLfVCAfbA+Lc5r4/6BIJvGRkLoKR BzgVA4hWTCv99OOqO1LzselHY03tPK0tBOnHb9hhsWL3xbc50qnjvBlo3mqc4Q4qWDY3J2 7AhTmHxDcMYjODgLRflh0A6djiXVOsfq3k8cnCBwgh8WvwaOun8pWWPVfuUMhSCjc6H3gT eUiD7qwle35bXqJiawt0lwWPk6uVcEo7JJDy7q6u/yBgpTupSwyNSJHqLNxQZw== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:35 +0200 Subject: [PATCH 04/10] oe/spdx30_tasks: Remove unused license_ref_idx variable MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-4-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235545 This local variable is never used in the whole code base, so it is safe to remove it. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/spdx30_tasks.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index cd9672c18e8c..6609784907db 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -39,7 +39,6 @@ def add_license_expression( ): simple_license_text = {} license_text_map = {} - license_ref_idx = 0 def add_license_text(name): nonlocal objset @@ -96,7 +95,6 @@ def add_license_expression( def convert(l): nonlocal license_text_map - nonlocal license_ref_idx if l == "(" or l == ")": return l From patchwork Mon Apr 20 07:44:36 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86446 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 99EEDF36C49 for ; Mon, 20 Apr 2026 07:44:58 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.14477.1776671092937479614 for ; Mon, 20 Apr 2026 00:44:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=Sko8hzUH; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id D18F8C5C98D for ; Mon, 20 Apr 2026 07:45:30 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 188F95FFA5; Mon, 20 Apr 2026 07:44:51 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id B2B9110460ADD; Mon, 20 Apr 2026 09:44:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671090; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=hYSTuvp2LudJ3W92rAxu0jkKDZEKsDGe4Mp3b6mvZPU=; b=Sko8hzUH1nC4QbCDOi+wI08i/6oxPbH8UpECgzusqBnIWqRlDobP5qIf4RaQrylzwHBID9 J2ptjzsOF0L4Z96iSXvXy0mHsH3xvguw7v9gpyhjYuhMLwuOZVrKIjH3IbAU2LV+lgc4Kn 48DMo0Uh6zMph/IDmwY1OPZJm75lJGMgO2vlfREs9K+/GYGRnZ/VTUBrmZ3yk1Uj3y5/w/ L9PhkCaP4yrqG7+TZIR5yZKGVbj3XhrJJfIHELwdIGnhrWbebQoZro+MQQRrNvwY4rykyG 5X1bww9ipvpyqstJDYAl2pVukYeWFxhmH6feQxTcRYFaPGR7o0nHyc5gFMaaCQ== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:36 +0200 Subject: [PATCH 05/10] oe/spdx30_tasks: Fix return value of get_package_sources_from_debug MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-5-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235546 Always return a set, never return None, otherwise create_spdx() is going to fail, since it does not expect debug_sources to be None. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/spdx30_tasks.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 6609784907db..819f6a34b9c2 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -264,10 +264,9 @@ def get_package_sources_from_debug( pkg_data = oe.packagedata.read_subpkgdata_extended(package, d) - if pkg_data is None: - return - dep_source_files = set() + if pkg_data is None: + return dep_source_files for file_path, file_data in pkg_data["files_info"].items(): if not "debugsrc" in file_data: From patchwork Mon Apr 20 07:44:37 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86448 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DE86F36C47 for ; Mon, 20 Apr 2026 07:44:58 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.14873.1776671094031345486 for ; Mon, 20 Apr 2026 00:44:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=cSm/87tq; spf=pass (domain: bootlin.com, ip: 185.246.84.56, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id 4D5921A331C; Mon, 20 Apr 2026 07:44:52 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 244E55FFA5; Mon, 20 Apr 2026 07:44:52 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id CD41A10460B74; Mon, 20 Apr 2026 09:44:50 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671091; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=U933O/m8Rckt5G7NPiUN5j5uaIjj2torke8FsBxrIVE=; b=cSm/87tqYfyN665XQwJVgiBAbSk8k/HUpDOiKqKHR6LivMjFJcDwEAGI8QVNt9efGxueSk /6ucFh6IKhAmqsqG0t+ROwo5sN+M5IRYgUdWhfUypzGhUB4eUhNm9HALGXzUXtTGGKHNNF exn2zp2Uq/oxA0k3tq3rrwSu/Akg3ZUGXUVeEnmIphuy0IXUTD/Avb6c1LawJzrV0bXo6b 5KY5otd70Uxc3ofBgxcj+0lbhlZLjWElYzz5Ap5iEOma26Y00gc820uqVjBp/wCyY/zXjT GqcyD6P0iFrMM8fRstC6ZY3oSaXb5+ZydX1Js9QWW+AjKk1eG3B0YxkQidbX5A== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:37 +0200 Subject: [PATCH 06/10] oe/spdx30_tasks: Remove unused local variables MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-6-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235547 The deploy_dir_spdx variable is assigned from "DEPLOY_DIR_SPDX", but never used, so remove it. Same for pkgdest and for pkg_arch variables. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/spdx30_tasks.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 819f6a34b9c2..a071d85e10ea 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -605,7 +605,6 @@ def get_is_native(d): def create_recipe_spdx(d): deploydir = Path(d.getVar("SPDXRECIPEDEPLOY")) - deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) pn = d.getVar("PN") license_data = oe.spdx_common.load_spdx_license_data(d) @@ -816,10 +815,8 @@ def create_spdx(d): pn = d.getVar("PN") deploydir = Path(d.getVar("SPDXDEPLOY")) - deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) spdx_workdir = Path(d.getVar("SPDXWORK")) include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1" - pkg_arch = d.getVar("SSTATE_PKGARCH") is_native = get_is_native(d) recipe, recipe_objset = load_recipe_spdx(d) @@ -1122,7 +1119,6 @@ def create_spdx(d): def create_package_spdx(d): - deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) deploydir = Path(d.getVar("SPDXRUNTIMEDEPLOY")) direct_deps = oe.spdx_common.collect_direct_deps(d, "do_create_spdx") @@ -1143,7 +1139,6 @@ def create_package_spdx(d): d, "%s-package-common" % d.getVar("PN") ) - pkgdest = Path(d.getVar("PKGDEST")) for package in d.getVar("PACKAGES").split(): localdata = bb.data.createCopy(d) pkg_name = d.getVar("PKG:%s" % package) or package @@ -1341,7 +1336,6 @@ def collect_build_package_inputs(d, objset, build, packages, files_by_hash=None) def create_rootfs_spdx(d): - deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) deploydir = Path(d.getVar("SPDXROOTFSDEPLOY")) root_packages_file = Path(d.getVar("SPDX_ROOTFS_PACKAGES")) image_basename = d.getVar("IMAGE_BASENAME") From patchwork Mon Apr 20 07:44:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86444 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67BA7F36C45 for ; Mon, 20 Apr 2026 07:44:58 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.14478.1776671095056661846 for ; Mon, 20 Apr 2026 00:44:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=1g7CkXu4; spf=pass (domain: bootlin.com, ip: 185.246.84.56, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id 7E3E81A3359; Mon, 20 Apr 2026 07:44:53 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 4E5165FFA5; Mon, 20 Apr 2026 07:44:53 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id DC69F10460B76; Mon, 20 Apr 2026 09:44:51 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671092; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=nuMsPEKL/baZqyeBXfeMlyVqIlnGgYZv+Ob4E1Fb2U4=; b=1g7CkXu4JGcyqD/FitdoWvY4GPD63Ca8ux6tDZVqoOVBt0BducVgSguzQPoB0EPov8dzSa VXM3p0rWJ5HufoS+cMcdySRpFiBuw2jj61fXgx7ViQV6VBMk2NL5M+sl1lFoCYbqUxjpuv Yy2EQfINryWmielD3kleQkIqvrNaEnkdSvdiG7y3N7QDAox7p5rS/0tgqbwxQYcMNM/YcN 6t4F2BQA+MUSTPNVNLQIsZCYO3b0gwUbLHoF6t5cloava9Xj1hhqAJVQcStQ8Y5kfpsguF PO5CBx5r2z2WLXr7SeMZWmnU5VBrfPb3ypr5jEubvlP6s4nbH8XHarIFxlAwqA== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:38 +0200 Subject: [PATCH 07/10] oe/spdx_common: Remove redundant '\d' in RegExp MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-7-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235548 The \w metacharacter matches word characters. A word character is a character a-z, A-Z, 0-9, including _ The \d metacharacter matches digits from 0 to 9. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/spdx_common.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index c0ef11f19950..47d14b55c701 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py @@ -15,7 +15,7 @@ from pathlib import Path from dataclasses import dataclass LIC_REGEX = re.compile( - rb"^\W*SPDX-License-Identifier:\s*([ \w\d.()+-]+?)(?:\s+\W*)?$", + rb"^\W*SPDX-License-Identifier:\s*([ \w.()+-]+?)(?:\s+\W*)?$", re.MULTILINE, ) From patchwork Mon Apr 20 07:44:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86445 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 599E9F36C41 for ; Mon, 20 Apr 2026 07:44:58 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.14874.1776671096247635251 for ; Mon, 20 Apr 2026 00:44:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=Y3eoITPf; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id 6E385C5C98B; Mon, 20 Apr 2026 07:45:34 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id AB37E5FFA5; Mon, 20 Apr 2026 07:44:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 0754310460B77; Mon, 20 Apr 2026 09:44:52 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671093; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=pzWGKDshtKNTCjUbPQZaCjTWMfUwLmySdV3gSl83BII=; b=Y3eoITPfELCk/y4cddTAHHX2rl+uKQhf8e/wNPTqvm6QrpJqLUt2Akid0R9IyLY45xRH6r XncnvBJemkfp3FyaEgnMBCiJE36zgckNLTa4uGbGM34La5Hhyo5p5Z0RMT4ffzlc4a/+p9 779YHh1lwENijPJsQ5cn9Z/jV7q8CifI9ntnSXLlgymh9JveZYdKbUXXbmPh0wl7QPFq05 F/MMV8YMZQKSFl6OVS0POFM9NFB1+kVgEiUYTyojxFBSIdXSm/7ypC/pBBWdx6s3fI68bi luEJjKttnCYvQDgqCMMMyEihWj1iQ3XiCphCqDpXN30zeEDd7P//O0ATzhSymw== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:39 +0200 Subject: [PATCH 08/10] oe/spdx_common: Remove unused local variables MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-8-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:44:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235549 The deploy_dir_spdx variable is assigned from "DEPLOY_DIR_SPDX", but never used, so remove it. Same for pn variable. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/spdx_common.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index 47d14b55c701..6b1a409c40c2 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py @@ -135,8 +135,6 @@ def collect_package_providers(d, direct_deps): Returns a dictionary where each RPROVIDES is mapped to the package that provides it """ - deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) - providers = {} all_deps = direct_deps + [Dep(d.getVar("PN"), d.getVar("BB_HASHFILENAME"), True)] @@ -175,7 +173,6 @@ def get_patched_src(d): """ spdx_workdir = d.getVar("SPDXWORK") spdx_sysroot_native = d.getVar("STAGING_DIR_NATIVE") - pn = d.getVar("PN") workdir = d.getVar("WORKDIR") From patchwork Mon Apr 20 07:44:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86453 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 542F4F36C57 for ; Mon, 20 Apr 2026 07:45:00 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.14479.1776671098009183107 for ; Mon, 20 Apr 2026 00:44:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=EiEcMka2; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 6D6A94E42A72; Mon, 20 Apr 2026 07:44:56 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 3DC795FFA5; Mon, 20 Apr 2026 07:44:56 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 61BFA10460B79; Mon, 20 Apr 2026 09:44:54 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671095; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=3s8QPZqD7mRCLXgUrtoPxctcqmmnbmwnJWvjfAdsiLQ=; b=EiEcMka2tgf+Ud5eAA7cWn27WGM85F10QSBjxAj8IX5UTmPlJ2n3QZk/vsus6o2gpBpm6o bSmScKfhupXx6C6glql4sHjGEX3a8WfG0Q88Mq1zlZmGZ9k9DAPznycIOavkmbties0uq0 ISVOGQC0ufWrybOryVfE9g5Ye4pyK3wQBgjvGSdiOOHWfcEsPnCGerj1RS3AF75DjE30Aw qPf6+fDLaOU/Ev1MyL4FqIBoAWJF4GC1KK5Ya7Th9MCvUoVDVTDdkjrRCMsDSmnRlr3vMZ 9eemgNGISUr+mvKmPGm1MUDqtMNdmm14PLcQVTL6VJHPZsIw5WkV2ZeLdMfSdw== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:40 +0200 Subject: [PATCH 09/10] oe/spdx30_task: Add status notes to VEX relationship MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-9-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:45:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235550 Without the status note, we are losing the reason why the CVE is considered vulnerable or fixed. The information provided in CVE_STATUS is otherwise lost. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/sbom30.py | 12 +++++++++--- meta/lib/oe/spdx30_tasks.py | 9 +++++++-- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py index 5d020b934cc0..0f1f9281ad32 100644 --- a/meta/lib/oe/sbom30.py +++ b/meta/lib/oe/sbom30.py @@ -704,7 +704,8 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): ) return self.add(v) - def new_vex_patched_relationship(self, from_, to): + def new_vex_patched_relationship(self, from_, to, notes: None): + props = {'security_statusNotes': notes} if notes else {} return self._new_relationship( oe.spdx30.security_VexFixedVulnAssessmentRelationship, from_, @@ -712,9 +713,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): to, spdxid_name="vex-fixed", security_vexVersion=VEX_VERSION, + **props, ) - def new_vex_unpatched_relationship(self, from_, to): + def new_vex_unpatched_relationship(self, from_, to, notes: None): + props = {'security_statusNotes': notes} if notes else {} return self._new_relationship( oe.spdx30.security_VexAffectedVulnAssessmentRelationship, from_, @@ -723,9 +726,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): spdxid_name="vex-affected", security_vexVersion=VEX_VERSION, security_actionStatement="Mitigation action unknown", + **props, ) - def new_vex_ignored_relationship(self, from_, to, *, impact_statement): + def new_vex_ignored_relationship(self, from_, to, *, impact_statement, notes: None): + props = {'security_statusNotes': notes} if notes else {} return self._new_relationship( oe.spdx30.security_VexNotAffectedVulnAssessmentRelationship, from_, @@ -734,6 +739,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): spdxid_name="vex-not-affected", security_vexVersion=VEX_VERSION, security_impactStatement=impact_statement, + **props, ) def import_bitbake_build_objset(self): diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index a071d85e10ea..ffedc1e25b59 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -724,7 +724,8 @@ def create_recipe_spdx(d): if status == "Patched": spdx_vex = recipe_objset.new_vex_patched_relationship( - [spdx_cve_id], [recipe] + [spdx_cve_id], [recipe], + notes=": ".join(v for v in (detail, description) if v) ) patches = [] for idx, filepath in enumerate(resources): @@ -749,12 +750,16 @@ def create_recipe_spdx(d): ) elif status == "Unpatched": - recipe_objset.new_vex_unpatched_relationship([spdx_cve_id], [recipe]) + recipe_objset.new_vex_unpatched_relationship( + [spdx_cve_id], [recipe], + notes=": ".join(v for v in (detail, description) if v) + ) elif status == "Ignored": spdx_vex = recipe_objset.new_vex_ignored_relationship( [spdx_cve_id], [recipe], impact_statement=description, + notes=detail, ) vex_just_type = d.getVarFlag("CVE_CHECK_VEX_JUSTIFICATION", detail) From patchwork Mon Apr 20 07:44:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86452 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3824DF36C55 for ; Mon, 20 Apr 2026 07:45:00 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.14480.1776671098952934779 for ; Mon, 20 Apr 2026 00:44:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=wJ9UX4EX; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 611DC4E42A74; Mon, 20 Apr 2026 07:44:57 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 38DB05FFA5; Mon, 20 Apr 2026 07:44:57 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id A024010460B7A; Mon, 20 Apr 2026 09:44:55 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776671096; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=TPs+Mz9OryRweTDKXwkebPBiH615j5168YhYTjDALss=; b=wJ9UX4EXSV4cpFRIj7MLbk+pOdMG4Q4R2AXZUqB94EFFL/e8/+9jWWyIkSczjhZI1Oc6zi AYQr5iB9vaINFZN49QpdNx0E8mCENsOcff7oj6B0ij1ygNKml4tfpCPLsi3//epv5oPjKM ml2KmDXdpBn/DycLpFDpkHJVfJm16nP2y4wkoO2KnHwUBKFitOYSG1LWku7TDrWI5nYnnt 5Hv8B22twsK2LbfOoHM1kV/gB53mMOwCOJmKNOv6ZyNjkZ+Yb89/FkiGIsrAMgkCDFqCfI ybMGss2R7f3eqsHj37L9DUKpR9ruj8rPWSeJ+44niin+4m/cYSr94oQTFI1z4g== From: "Benjamin Robin (Schneider Electric)" Date: Mon, 20 Apr 2026 09:44:41 +0200 Subject: [PATCH 10/10] oe/spdx30_task: Prevent duplication of sources in hasInput rel MIME-Version: 1.0 Message-Id: <20260420-spdx3-improvements-v1-10-27e0d5edcdbe@bootlin.com> References: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> In-Reply-To: <20260420-spdx3-improvements-v1-0-27e0d5edcdbe@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, "Benjamin Robin (Schneider Electric)" X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 20 Apr 2026 07:45:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235551 If the debug_sources are already inside the build_inputs, we must not add them again, otherwise, the source files are going to be referenced multiple times inside the hasInput relationship. Signed-off-by: Benjamin Robin (Schneider Electric) --- meta/lib/oe/spdx30_tasks.py | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index ffedc1e25b59..1821dd7de4a9 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -893,7 +893,7 @@ def create_spdx(d): sorted(oe.sbom30.get_element_link_id(b) for b in dep_builds), ) - debug_source_ids = set() + debug_sources = set() source_hash_cache = {} # Write out the package SPDX data now. It is not complete as we cannot @@ -1057,13 +1057,10 @@ def create_spdx(d): ) if include_sources: - debug_sources = get_package_sources_from_debug( + debug_sources |= get_package_sources_from_debug( d, package, package_files, dep_sources, source_hash_cache, excluded_files=excluded_files, ) - debug_source_ids |= set( - oe.sbom30.get_element_link_id(d) for d in debug_sources - ) oe.sbom30.write_recipe_jsonld_doc( d, pkg_objset, "packages-staging", deploydir, create_spdx_id_links=False @@ -1089,12 +1086,17 @@ def create_spdx(d): sorted(list(sysroot_files)), ) - if build_inputs or debug_source_ids: + if build_inputs or debug_sources: + debug_source_ids = sorted( + oe.sbom30.get_element_link_id(d) + for d in debug_sources.difference(build_inputs) + ) + build_objset.new_scoped_relationship( [build], oe.spdx30.RelationshipType.hasInput, oe.spdx30.LifecycleScopeType.build, - sorted(list(build_inputs)) + sorted(list(debug_source_ids)), + sorted(build_inputs) + debug_source_ids, ) if d.getVar("SPDX_INCLUDE_PACKAGECONFIG", True) != "0":