diff options
| author | Daniel Turull <daniel.turull@ericsson.com> | 2025-06-10 17:24:42 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-06-17 23:38:18 +0100 |
| commit | 33fd6f6e82cf2c9d20a0532d8cfe850280a83051 (patch) | |
| tree | 91084d1320c8a0490f4cbca974b508c6d6eadaf8 /meta/lib/oe/spdx_common.py | |
| parent | 5132c991e648d9ae8a6701d9da9e80bec65f0d25 (diff) | |
| download | poky-master.tar.gz | |
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.
It uses debugsource information generated during do_package.
This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.
As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.
Tested with bitbake world on oe-core.
CC: Quentin Schulz <quentin.schulz@cherry.de>
CC: Joshua Watt <JPEWhacker@gmail.com>
CC: Peter Marko <peter.marko@siemens.com>
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe/spdx_common.py')
| -rw-r--r-- | meta/lib/oe/spdx_common.py | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index 4caefc7673..c2dec65563 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py | |||
| @@ -242,3 +242,44 @@ def fetch_data_to_uri(fd, name): | |||
| 242 | uri = uri + "@" + fd.revision | 242 | uri = uri + "@" + fd.revision |
| 243 | 243 | ||
| 244 | return uri | 244 | return uri |
| 245 | |||
| 246 | def is_compiled_source (filename, compiled_sources, types): | ||
| 247 | """ | ||
| 248 | Check if the file is a compiled file | ||
| 249 | """ | ||
| 250 | import os | ||
| 251 | # If we don't have compiled source, we assume all are compiled. | ||
| 252 | if not compiled_sources: | ||
| 253 | return True | ||
| 254 | |||
| 255 | # We return always true if the file type is not in the list of compiled files. | ||
| 256 | # Some files in the source directory are not compiled, for example, Makefiles, | ||
| 257 | # but also python .py file. We need to include them in the SPDX. | ||
| 258 | basename = os.path.basename(filename) | ||
| 259 | ext = basename.partition(".")[2] | ||
| 260 | if ext not in types: | ||
| 261 | return True | ||
| 262 | # Check that the file is in the list | ||
| 263 | return filename in compiled_sources | ||
| 264 | |||
| 265 | def get_compiled_sources(d): | ||
| 266 | """ | ||
| 267 | Get list of compiled sources from debug information and normalize the paths | ||
| 268 | """ | ||
| 269 | import itertools | ||
| 270 | source_info = oe.package.read_debugsources_info(d) | ||
| 271 | if not source_info: | ||
| 272 | bb.debug(1, "Do not have debugsources.list. Skipping") | ||
| 273 | return [], [] | ||
| 274 | |||
| 275 | # Sources are not split now in SPDX, so we aggregate them | ||
| 276 | sources = set(itertools.chain.from_iterable(source_info.values())) | ||
| 277 | # Check extensions of files | ||
| 278 | types = set() | ||
| 279 | for src in sources: | ||
| 280 | basename = os.path.basename(src) | ||
| 281 | ext = basename.partition(".")[2] | ||
| 282 | if ext not in types and ext: | ||
| 283 | types.add(ext) | ||
| 284 | bb.debug(1, f"Num of sources: {len(sources)} and types: {len(types)} {str(types)}") | ||
| 285 | return sources, types | ||