From patchwork Wed Apr 22 15:31:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86664 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8DF0F94CBE for ; Wed, 22 Apr 2026 15:31:42 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.85530.1776871894297502843 for ; Wed, 22 Apr 2026 08:31:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=lSkYG2Ic; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id 77E5AC5B1AC; Wed, 22 Apr 2026 15:32:12 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 9E56C5FA8F; Wed, 22 Apr 2026 15:31:31 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 5385E10460BF1; Wed, 22 Apr 2026 17:31:30 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776871891; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=uwrg40Av0G1i85t7a4i3VebYwj2jzMclygTmgDIz/qw=; b=lSkYG2IcuhNT8XC5Rg5oNt13LjTIqN8kUpLY7vw+85uC9CUDCsKxk7P2PbtNweMV32PLRY dlDhrWHbHZFY3LojS8TE/R2fiQ2LFSJ7rA9Mwf7DEL6HooRY5gVpeLyzzAeGcoZopu6XqR VPzuEtE2XWwqmrXClaQk8FUC/r4Q33yZ2cCa6jFAzVyhdfxq8UjuQjM64B8Tb3nTtQDnb2 is1txxMeQtQjPuRH7ZhyDUauFTbmhBRDIY6jQA2QRNgedegYoAYsKw/+pXe3Yv4nej0ujP CT+fm/3bJEJ4S39XTXXLbVNu98GwB8ldlV86jKx37a5NpvrEfDXCCoLP7wpAow== From: Benjamin Robin Date: Wed, 22 Apr 2026 17:31:26 +0200 Subject: [PATCH 1/3] python3-shacl2code: Update to version 1.0.1 MIME-Version: 1.0 Message-Id: <20260422-update-sbom-cve-check-and-depends-v1-1-4646f840ce48@bootlin.com> References: <20260422-update-sbom-cve-check-and-depends-v1-0-4646f840ce48@bootlin.com> In-Reply-To: <20260422-update-sbom-cve-check-and-depends-v1-0-4646f840ce48@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Apr 2026 15:31:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235730 sbom-cve-check version 1.3.0 now requires spdx-python-model 0.0.5 which is built using shacl2code 1.0.1. Signed-off-by: Benjamin Robin --- .../{python3-shacl2code_0.0.24.bb => python3-shacl2code_1.0.1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb b/meta/recipes-devtools/python/python3-shacl2code_1.0.1.bb similarity index 81% rename from meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb rename to meta/recipes-devtools/python/python3-shacl2code_1.0.1.bb index 93ed9a253040..904940926fee 100644 --- a/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb +++ b/meta/recipes-devtools/python/python3-shacl2code_1.0.1.bb @@ -5,7 +5,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=0582f358628f299f29c23bf5fb2f73c9" PYPI_PACKAGE = "shacl2code" -SRC_URI[sha256sum] = "d8b511054ca564b4514b9186ece7f5eb8048cfc5daa6625def1a3adba13c4f66" +SRC_URI[sha256sum] = "c856822b40c330452b8b31e94a658ad4595a5ef03cdb75ea432ea9c73d0cf7d9" inherit pypi python_hatchling From patchwork Wed Apr 22 15:31:27 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86666 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 615B5F94CDB for ; Wed, 22 Apr 2026 15:31:43 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.85417.1776871894626680627 for ; Wed, 22 Apr 2026 08:31:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=sOz4yJ0s; spf=pass (domain: bootlin.com, ip: 185.246.84.56, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id DCB4F1A33A5; Wed, 22 Apr 2026 15:31:32 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id B3ED65FA8F; Wed, 22 Apr 2026 15:31:32 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 4687610460C02; Wed, 22 Apr 2026 17:31:31 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776871892; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=lykaZvlLu1iAXLNAhBZaL+NTYB7z8umDmLJR52eNsZ4=; b=sOz4yJ0sYhuKyvrfnUeK9bQVb7kSJawyPQfVoITRlzkMD32qmTWtH3rmCv1K8A3xVtCot1 RwlZnH2Jk/HjI7Jh7unDpdPr020CXmwdJfOkrsVC5V31ErKFjjmwnRnztUNX+dC61C1tTR +5IjDzADwUoPkRMjwTuxr6mDBvJA3uW9O+Xc02R49R6AshiroEUQtA1B1sBZFuKl+I25Sb EAMKHXwmdQaeDzrLWLRmdQTw2JbmHSw5i0Sm35xSPOFXOoqC/peyp5djMcHH+tPt/XpqLf 2RhVKqfnFkavU+Rf6f+NVg0765z/YtnR/CCtMFifigFsrFg3DoRWxdDRBK8BeA== From: Benjamin Robin Date: Wed, 22 Apr 2026 17:31:27 +0200 Subject: [PATCH 2/3] python3-spdx-python-model: Update to version 0.0.5 MIME-Version: 1.0 Message-Id: <20260422-update-sbom-cve-check-and-depends-v1-2-4646f840ce48@bootlin.com> References: <20260422-update-sbom-cve-check-and-depends-v1-0-4646f840ce48@bootlin.com> In-Reply-To: <20260422-update-sbom-cve-check-and-depends-v1-0-4646f840ce48@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Apr 2026 15:31:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235731 sbom-cve-check version 1.3.0 requires spdx-python-model 0.0.5 Signed-off-by: Benjamin Robin --- ...enerate-bindings-allow-to-use-local-files.patch | 58 ---------------------- ...0.0.4.bb => python3-spdx-python-model_0.0.5.bb} | 3 +- 2 files changed, 1 insertion(+), 60 deletions(-) diff --git a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch deleted file mode 100644 index ec24d7beb3c5..000000000000 --- a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 9fb565a0a70c6985fa1efde13cfe7fb4851588ce Mon Sep 17 00:00:00 2001 -From: Benjamin Robin -Date: Tue, 24 Feb 2026 10:59:25 +0100 -Subject: [PATCH] generate-bindings: allow to use local files - -shacl2code needs to download the following URLs during build time: - - https://spdx.org/rdf/3.0.1/spdx-model.ttl - - https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl - - https://spdx.org/rdf/3.0.1/spdx-context.jsonld - -There are a lot of package build tools that do not allow to download -a file during the build. So provide a way to use local file: -If the environment variable SHACL2CODE_SPDX_DIR is defined, load -the SPDX model and SPDX context from the directory specified by this -environment variable. - -Upstream-Status: Submitted [https://github.com/spdx/spdx-python-model/pull/19] - -Signed-off-by: Benjamin Robin ---- - gen/generate-bindings | 22 ++++++++++++++++------ - 1 file changed, 16 insertions(+), 6 deletions(-) - -diff --git a/gen/generate-bindings b/gen/generate-bindings -index b963c55a3bc9..bc7041ee3bb9 100755 ---- a/gen/generate-bindings -+++ b/gen/generate-bindings -@@ -14,12 +14,22 @@ echo "# Import all versions" > __init__.py - for v in $SPDX_VERSIONS; do - MODNAME="v$(echo "$v" | sed 's/[^a-zA-Z0-9_]/_/g')" - -- shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \ -- --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \ -- --context https://spdx.org/rdf/$v/spdx-context.jsonld \ -- --license Apache-2.0 \ -- python \ -- -o "$MODNAME.py" -+ if [ -n "${SHACL2CODE_SPDX_DIR}" ] && [ -d "${SHACL2CODE_SPDX_DIR}/$v" ] -+ then -+ shacl2code generate --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-model.ttl" \ -+ --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-json-serialize-annotations.ttl" \ -+ --context-url "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-context.jsonld" https://spdx.org/rdf/$v/spdx-context.jsonld \ -+ --license Apache-2.0 \ -+ python \ -+ -o "$MODNAME.py" -+ else -+ shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \ -+ --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \ -+ --context https://spdx.org/rdf/$v/spdx-context.jsonld \ -+ --license Apache-2.0 \ -+ python \ -+ -o "$MODNAME.py" -+ fi - - echo "from . import $MODNAME" >> __init__.py - done --- -2.53.0 diff --git a/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.5.bb similarity index 89% rename from meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb rename to meta/recipes-devtools/python/python3-spdx-python-model_0.0.5.bb index 00c3b3913c2e..c77bdffada9a 100644 --- a/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb +++ b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.5.bb @@ -5,13 +5,12 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" PYPI_PACKAGE = "spdx_python_model" -SRC_URI[sha256sum] = "bdec725398babcbdd4bcb7c16cf23497d06a48d0ef3ea1edb19a3b0d431ab8c1" +SRC_URI[sha256sum] = "4bcf7c6e5e2e8f0b787ed4eb8fb519e2ed776e820cb6d9eb93e44e98eb92ca2d" SRC_URI += " \ https://spdx.org/rdf/3.0.1/spdx-context.jsonld;name=spdx1 \ https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl;name=spdx2 \ https://spdx.org/rdf/3.0.1/spdx-model.ttl;name=spdx3 \ - file://0001-generate-bindings-allow-to-use-local-files.patch \ " SRC_URI[spdx1.sha256sum] = "c72b0928f094c83e5c127784edb1ebca2af74a104fcacc007c332b23cbc788bd" From patchwork Wed Apr 22 15:31:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Benjamin Robin X-Patchwork-Id: 86665 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8019F9EDF9 for ; Wed, 22 Apr 2026 15:31:42 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.85532.1776871895779365570 for ; Wed, 22 Apr 2026 08:31:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=wKgTPm3Y; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: benjamin.robin@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id E77F94E42AB3; Wed, 22 Apr 2026 15:31:33 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id B8D095FA8F; Wed, 22 Apr 2026 15:31:33 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 69EBF10460C0D; Wed, 22 Apr 2026 17:31:32 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776871893; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=hEs2EbIiwTWHyA+eLuDoSLzi/nhVxCvqfyOpIWUo62I=; b=wKgTPm3Ywjtk4Bai7Sat4/iLKRlz6BITMT3Yo8w5Mn0jyrLUynH1v7wJYoEys7uXNtsjiq /LhnesAf9eF58vheIS/pcpZN09bOShNjdIQWkZ0hIUVnkw+3A3CThJ2ep1EAG74qfiD+7x HOgYjWYIE+dMen6b7bp9Fu5/lHx9SFjV1EC0jGPA7fQayFbUspYw3ZY/RUJwYKElXsDDkg tw9vXglII2qoR+XcgT9wt1aKhkWPIJtHsO34U+qz/369nme40+UzqciFsxNjZPA7ATo+5t Jz7OGXlEdl1hrvRX739PaCl9evrHF5B88UnjIIsVSWIX4Smmot30EolHP881EQ== From: Benjamin Robin Date: Wed, 22 Apr 2026 17:31:28 +0200 Subject: [PATCH 3/3] python3-sbom-cve-check: Update to version 1.3.0 MIME-Version: 1.0 Message-Id: <20260422-update-sbom-cve-check-and-depends-v1-3-4646f840ce48@bootlin.com> References: <20260422-update-sbom-cve-check-and-depends-v1-0-4646f840ce48@bootlin.com> In-Reply-To: <20260422-update-sbom-cve-check-and-depends-v1-0-4646f840ce48@bootlin.com> To: openembedded-core@lists.openembedded.org Cc: richard.purdie@linuxfoundation.org, peter.marko@siemens.com, ross.burton@arm.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin X-Mailer: b4 0.15.2 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Apr 2026 15:31:42 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/235733 For details on this new release, see: https://github.com/bootlin/sbom-cve-check/releases/tag/v1.3.0 Signed-off-by: Benjamin Robin --- ...o-use-correct-type-for-the-version-attrib.patch | 31 ---------------------- ...ck_1.2.0.bb => python3-sbom-cve-check_1.3.0.bb} | 4 +-- 2 files changed, 1 insertion(+), 34 deletions(-) diff --git a/meta/recipes-devtools/sbom-cve-check/files/0001-export_yocto-use-correct-type-for-the-version-attrib.patch b/meta/recipes-devtools/sbom-cve-check/files/0001-export_yocto-use-correct-type-for-the-version-attrib.patch deleted file mode 100644 index 392f0b99ea70..000000000000 --- a/meta/recipes-devtools/sbom-cve-check/files/0001-export_yocto-use-correct-type-for-the-version-attrib.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 1a5ae49c520d3569ed12f0c6373b4223d428f92b Mon Sep 17 00:00:00 2001 -From: Ross Burton -Date: Thu, 9 Apr 2026 11:55:19 +0100 -Subject: [PATCH] export_yocto: use correct type for the version attribute - -This should be a string, not an integer: - -https://git.openembedded.org/openembedded-core/tree/meta/classes/cve-check.bbclass?h=yocto-5.2.4#n235 - -Upstream-Status: Backport -Signed-off-by: Ross Burton ---- - src/sbom_cve_check/export/export_yocto.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sbom_cve_check/export/export_yocto.py b/src/sbom_cve_check/export/export_yocto.py -index c8261f4..78d72c0 100644 ---- a/src/sbom_cve_check/export/export_yocto.py -+++ b/src/sbom_cve_check/export/export_yocto.py -@@ -172,7 +172,7 @@ class YoctoCveCheckExport(BaseExport): - :return: Generator context. - """ - yield -- json_obj = {"version": 1, "package": self._packages} -+ json_obj = {"version": "1", "package": self._packages} - with self._open_output_as_text() as f: - json.dump(json_obj, f, indent=2) - --- -2.43.0 - diff --git a/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb b/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.3.0.bb similarity index 69% rename from meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb rename to meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.3.0.bb index 2a09d8ea4c38..96fc167ecbc3 100644 --- a/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb +++ b/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.3.0.bb @@ -5,9 +5,7 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=570a9b3749dd0463a1778803b12a6dce" PYPI_PACKAGE = "sbom_cve_check" -SRC_URI[sha256sum] = "0b01474c541fb4b9d29d36f86fae6d0f27ff2b991fcb59b2fbeb70c1eaa09664" - -SRC_URI += "file://0001-export_yocto-use-correct-type-for-the-version-attrib.patch" +SRC_URI[sha256sum] = "dad6f9df848f6dd7b69922baef0ec187b66ad0847fe0cf62614529e27203e842" inherit pypi python_hatchling