path: root/meta/lib/oe/sbom30.py
Commit message | Author | Age | Files | Lines
* lib: sbom30: Add action statement for affected VEX statements | Joshua Watt | 2025-03-06 | 1 | -0/+1

    VEX Affected relationships have a mandatory action statement that indicates the mitigation for a vulnerability. Since we don't track this, add a statement indicating that no mitigation is known.

    (From OE-Core rev: 39545c955474a43d11a45d74a88a5999b02cb8b3)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/sbom30: Fix SHA256 hash dictionary | Joshua Watt | 2025-02-05 | 1 | -1/+1

    Fixes a bug in the code that created the hash dictionary that was accidentally excluding items with a SHA256 hash instead of including them.

    (From OE-Core rev: 90765467e42241d8b572d035389d7062a0316a9f)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: spdx: Upgrade to final 3.0.1 release | Joshua Watt | 2025-01-20 | 1 | -1/+1

    The 3.0.1 release of SPDX has been officially released with a few minor modifications. Regenerate the bindings to use this version.

    (From OE-Core rev: 54233a7d6fe414d22449fb02fac26b66a820b17a)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib/oe/sbom30.py: set alias for scan declared licenses | Hongxu Jia | 2025-01-08 | 1 | -2/+4

    When using SPDX_INCLUDE_SOURCES, it calls scan_declared_licenses to scan licenses from the source file; set an alias for the newly added license and add the license alias to the hasDeclaredLicense relationship.

    $ echo 'MACHINE = "qemux86-64"' >> conf/local.conf
    $ echo 'SPDX_INCLUDE_SOURCES = "1"' >> conf/local.conf
    $ bitbake shadow
    $ vim tmp/deploy/spdx/3.0.1/corei7-64/recipes/recipe-shadow.spdx.json

    Before this commit
    ...
    {
      "type": "Relationship",
      ...
      "from": "http://spdx.org/spdxdocs/shadow-10e66933-65cf-5a2d-9a1d-99b12a405441/d0cdb0d02e54d55e52fccf8631f8290b161ad43fe31fffe09e8e25041d2280cf/sourcefile/11048",
      "relationshipType": "hasDeclaredLicense",
      "to": [
        "http://spdx.org/spdxdocs/shadow-10e66933-65cf-5a2d-9a1d-99b12a405441/d0cdb0d02e54d55e52fccf8631f8290b161ad43fe31fffe09e8e25041d2280cf/license/3_24_0/BSD-3-Clause",
      ]
    },
    ...

    After this commit
    ...
    {
      "type": "Relationship",
      ...
      "from": "http://spdx.org/spdxdocs/shadow-10e66933-65cf-5a2d-9a1d-99b12a405441/d0cdb0d02e54d55e52fccf8631f8290b161ad43fe31fffe09e8e25041d2280cf/sourcefile/11048",
      "relationshipType": "hasDeclaredLicense",
      "to": [
        "http://spdxdocs.org/openembedded-alias/by-doc-hash/cc72db638e3f8e283e722af0ecc77d19f93cc6736700ee76477e3773b6b07b05/shadow/UNIHASH/license/3_24_0/BSD-3-Clause"
      ]
    },
    ...

    (From OE-Core rev: 1f109e22dd22e6071685a8e55bdfe3069bc8fadb)

    Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib/oe/sbom30.py: fix alias in simplelicensing_customIdToUri not extracted | hongxu | 2025-01-08 | 1 | -0/+12

    After commit [spdx 3.0: Rework how SPDX aliases are linked] was applied, it set license_text_map with the SPDX alias rather than the actual ID.

    The property simplelicensing_customIdToUri is ListProp(ObjectProp(DictionaryEntry)), and class DictionaryEntry has key and value; the value property is a StringProp rather than an ObjectProp, so it cannot decode/extract the SPDX alias to the actual ID in the image jsonld file:

    -----------
    "simplelicensing_customIdToUri": [
      {
        "type": "DictionaryEntry",
        "key": "LicenseRef-PD",
        "value": "http://spdxdocs.org/openembedded-alias/by-doc-hash/d53e90e23b12c4ad640809a74a810e86f31c76cdbdf36487712d22a33d53362a/sqlite3-native/UNIHASH/license-text/PD"
      }
    ],
    -----------

    Add special code in the linking to manually go through all of the simplelicensing_customIdToUri DictionaryEntry items and resolve any aliases to actual objects:

    -----------
    "simplelicensing_customIdToUri": [
      {
        "type": "DictionaryEntry",
        "key": "LicenseRef-PD",
        "value": "http://spdx.org/spdxdocs/sqlite3-native-e5cc0672-d8dd-57e8-a2df-fe4615831fda/162c62b5b011cd3f82f413b3dae4d6d1542201552c964d5ce69fe170e0720b85/license-text/PD"
      }
    ]
    -----------

    Suggested-by: Joshua Watt <jpewhacker@gmail.com>

    (From OE-Core rev: f16c2eae5a7e1a483e1d537d8711d83fede75691)

    Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib/oe/sbom30.py: correct alias | hongxu | 2025-01-08 | 1 | -1/+1

    After commit [spdx 3.0: Rework how SPDX aliases are linked] was applied, it added an extra "/" to the namespace, which caused the replacement of UNIHASH to be missing a "/":

    http://spdxdocs.org/openembedded-alias/by-doc-hash/0b308e4b9ad979f642d8787c61f76c31bdcad04837eeaaf8bc383f33f99bbeb8/flex-nativeUNIHASH/build/recipe

    After applying this commit to remove the "/" from the namespace:

    http://spdxdocs.org/openembedded-alias/by-doc-hash/0b308e4b9ad979f642d8787c61f76c31bdcad04837eeaaf8bc383f33f99bbeb8/flex-native/UNIHASH/build/recipe

    (From OE-Core rev: 708cbf00d46169ca05660b1f9f3e0653b499e9ef)

    Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx 3.0: Rework how SPDX aliases are linked | Joshua Watt | 2024-12-12 | 1 | -100/+59

    The SPDX code needs to be able to look up an Element by its SPDX ID, locating the file that (should) contain the SPDX ID and opening it for parsing. Previously, the code would do this by hashing each Element SPDX ID and Alias, and then creating a symbolic link to the file that contains the element with a name of the hash. This worked well as it was possible to look up any arbitrary SPDX ID or alias by simply hashing it and following the symbolic link to get the file. However, the down side of this approach is that it creates a lot of symbolic links, since it will make one or two per Element in the document. This can be a problem when using SPDX_INCLUDE_SOURCES, for example.

    This change reworks this strategy so that the only Element that gets a symbolic link based on the hash is the singular SpdxDocument that is created for each file. All other Elements are assigned an alias with a special prefix that encodes the hash of the SpdxDocument alias. Thus, when attempting to look up an arbitrary alias, the code sees the special prefix, extracts the hash, opens the file based on the symlink with that hash name, then finds the matching Element in the file. This drastically reduces the number of symbolic links by making only one per file.

    This also means that the custom link extension can be removed since it is now superfluous.

    (From OE-Core rev: 838d64c09657ac53175737fc4e7fd6f01f3dcf47)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
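The lookup scheme described in the rework commit above, together with the two follow-up fixes (the missing "/" before UNIHASH, and the string-valued simplelicensing_customIdToUri entries that the generic object linker cannot resolve), as an added example. This is illustrative code written for this page, not OE-Core's sbom30.py: the alias prefix and URL layout are taken from the commit messages, but the choice of SHA-256 over the document alias, the in-memory model of the symlink directory and document files, and all element names, IDs and hashes are assumptions or constructed sample data.

```python
# Added example (not OE-Core code): a model of the one-symlink-per-document
# alias scheme. Assumptions: SHA-256 of the SpdxDocument alias names the
# symlink; the "symlink directory" and document files are in-memory dicts;
# all element names, IDs and aliases below are constructed sample data.
import hashlib
import json
import re
from typing import Optional

ALIAS_PREFIX = "http://spdxdocs.org/openembedded-alias/by-doc-hash/"
_ALIAS_RE = re.compile(
    r"^http://spdxdocs\.org/openembedded-alias/by-doc-hash/"
    r"(?P<doc_hash>[0-9a-f]{64})/(?P<path>.+)$"
)


def doc_hash(document_alias: str) -> str:
    """Hash of the SpdxDocument alias: the name of the single symlink per file."""
    return hashlib.sha256(document_alias.encode("utf-8")).hexdigest()


def make_alias(document_alias: str, *parts: str) -> str:
    """Build an Element alias that encodes the owning document's hash.

    Every part is joined with exactly one "/", so a namespace that happens to
    carry a trailing slash cannot fuse into "flex-nativeUNIHASH".
    """
    path = "/".join(p.strip("/") for p in parts if p.strip("/"))
    return ALIAS_PREFIX + doc_hash(document_alias) + "/" + path


def parse_alias(spdx_id: str) -> Optional[tuple[str, str]]:
    """Return (doc_hash, path) when spdx_id carries the alias prefix, else None."""
    m = _ALIAS_RE.match(spdx_id)
    return (m.group("doc_hash"), m.group("path")) if m else None


class AliasIndex:
    """One symlink per SpdxDocument, keyed by the hash of the document alias."""

    def __init__(self) -> None:
        self.symlinks: dict[str, str] = {}        # doc hash -> file name
        self.files: dict[str, list[dict]] = {}    # file name -> Elements

    def add_document(self, file_name: str, document_alias: str, elements: list[dict]) -> None:
        self.symlinks[doc_hash(document_alias)] = file_name
        self.files[file_name] = elements

    def resolve(self, spdx_id: str) -> Optional[dict]:
        """Prefix -> hash -> symlink -> file -> matching Element. Plain SPDX IDs
        without the prefix are not aliases and return None here."""
        parsed = parse_alias(spdx_id)
        if parsed is None:
            return None
        h, _path = parsed
        file_name = self.symlinks.get(h)
        if file_name is None:
            return None
        for element in self.files[file_name]:
            if element.get("alias") == spdx_id:
                return element
        return None


def resolve_custom_id_to_uri(index: AliasIndex, entries: list[dict]) -> list[dict]:
    """DictionaryEntry.value is a plain string, not an object reference, so each
    alias has to be resolved by hand; unresolvable values are left untouched."""
    resolved = []
    for entry in entries:
        element = index.resolve(entry["value"])
        value = element["spdxId"] if element is not None else entry["value"]
        resolved.append({"type": "DictionaryEntry", "key": entry["key"], "value": value})
    return resolved


def demo() -> dict:
    document_alias = "recipe-sqlite3-native-document"  # constructed
    license_alias = make_alias(document_alias, "sqlite3-native", "UNIHASH", "license-text", "PD")
    license_element = {
        "type": "simplelicensing_LicenseText",
        "spdxId": "http://spdx.org/spdxdocs/sqlite3-native-00000000/license-text/PD",  # constructed
        "alias": license_alias,
    }
    index = AliasIndex()
    index.add_document("recipe-sqlite3-native.spdx.json", document_alias, [license_element])

    entries = [{"type": "DictionaryEntry", "key": "LicenseRef-PD", "value": license_alias}]
    return {
        "license_alias": license_alias,
        "resolved_entries": resolve_custom_id_to_uri(index, entries),
        "unknown": index.resolve("http://spdx.org/spdxdocs/not-an-alias/x"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The important property is that resolve() never has to hash the Element's own ID: the document hash is read straight out of the alias, so only one symlink per file exists, and anything that does not carry the prefix is handed back to the caller to be treated as an ordinary SPDX ID.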
* lib: oeqa: spdx: Add tests for extra options | Joshua Watt | 2024-12-05 | 1 | -9/+4

    Adds a test for several of the extra options provided by the SPDX classes. In particular, these are the options that can produce non-reproducible results, so are not enabled by default in OE core. This test takes care to configure the build so that the tests do run in a reproducible manner so that pre-built test objects can be pulled from sstate.

    (From OE-Core rev: 14f534f15f7fe6362723d7f064d39783c5bd758f)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: sbom30: Fix agent reference | Joshua Watt | 2024-12-05 | 1 | -1/+1

    When an agent reference was being used, the code was not using the correct base variable to look up the agent.

    (From OE-Core rev: f3f13f48e214b25cf302b8ce397b630f5aa283fa)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: sbom30: Fix import handling | Joshua Watt | 2024-12-05 | 1 | -1/+1

    Fixes a bug in the way that imports were being handled, due to a misspelled variable.

    (From OE-Core rev: 10e2a1fbcf4828f3a6c7fd327976fefa3ffb252e)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/sbom30: Prefix aliases with "http://spdx.org/spdxdocs/" | Joshua Watt | 2024-11-23 | 1 | -1/+3

    While the SPDX ID aliases are primarily intended for internal use by the SPDX code, they are used in places where a valid SPDX ID is expected. In order to make sure that they still conform to this, prefix them with "http://spdx.org/spdxdocs/openembedded-alias".

    (From OE-Core rev: 5e0ff36e025f5e842fa90b8219b53257d65ea66a)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: sbom30: Fix build parameters | Joshua Watt | 2024-11-23 | 1 | -1/+1

    Fixes the build parameters code, since the build_parameter property was changed to be singular in SPDX 3.0.1.

    (From OE-Core rev: e6e1e4585198b819319bab61ac2676e82f177020)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib/oe/sbom30.py: correct typo | Hongxu Jia | 2024-11-01 | 1 | -1/+1

    The isinstance expected 2 arguments.

    (From OE-Core rev: 038dcdca760404a44e0bcef389b4b60903f14a1f)

    Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
    Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib/oe/sbom30.py: correct python list comprehension | Hongxu Jia | 2024-11-01 | 1 | -2/+2

    The python list comprehension is not right for a list:

    >>> license_text_map = {'LicenseRef-FSF-Unlimited': 'http://spdx.org/spdxdocs/gettext-minimal-native-1fa0d5cb-2bb8-5631-9fab-cd219801733f/8d31e22acc4a8979f24dc24042692fb548fc8fc8d85d775ddac406abb122ceea/license-text/FSF-Unlimited'}
    >>> license_text = ((k, license_text_map[k]) for k in sorted(license_text_map.keys()))
    >>> print(license_text)
    <generator object <genexpr> at 0x7f8575173270>
    >>> [(k,v) for k, v in license_text]
    []

    Change the () to [] to make it a list instead of a generator expression.

    (From OE-Core rev: e13c54645bf716ddfb19606fd212cc349b570ad4)

    Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
    Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: Link license and build by alias | Joshua Watt | 2024-10-15 | 1 | -19/+24

    The license information and Build created by do_create_spdx are changed to be referenced by their link alias instead of the actual SPDX ID. This fixes a case where do_create_package_spdx would pull these from mismatching sstate, and then the SPDX IDs would be unresolved when assembling the final document.

    (From OE-Core rev: c0fcdc72a7c8fca86a874d1b04298fe9e500c796)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx-3.0: Upgrade to SPDX 3.0.1 | Joshua Watt | 2024-09-30 | 1 | -8/+7

    Upgrades the SPDX 3.0 implementation from 3.0.0 -> 3.0.1. This version introduced some breaking changes. Effectively, 3.0.0 was a pre-release version that we do not need to support any longer.

    (From OE-Core rev: 7e6509a19f6146f0dad0be7037ff4b3268d0128c)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/sbom30.py: Fix build parameters | Joshua Watt | 2024-09-04 | 1 | -1/+1

    The property to specify the build parameters is `build_parameters` not just `parameters`.

    (From OE-Core rev: 61afc6322c9b8664de4f32b629c6e6ade775aeba)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx: Avoid loading of SPDX_LICENSE_DATA into global config | Richard Purdie | 2024-08-07 | 1 | -4/+4

    Loading a load of json files into a memory structure and stashing it in a bitbake variable is relatively anti-social, making bitbake -e output hard to read for example, as well as causing other potential performance issues. Defer loading of that data until it is actually needed/used in a function, where it is now passed as a parameter.

    (From OE-Core rev: 6f21cc9598178288784ff451ab3c40b174c0ef3e)

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx-*: Support multilibs via SPDX_MULTILIB_SSTATE_ARCHS | Mark Hatle | 2024-07-26 | 1 | -1/+1

    When a create-spdx-* class is processing documents, it needs to find the document in a path that is related to the SSTATE_ARCH when a package is generated. The SSTATE_ARCH can be affected by multilib configurations, resulting in something like armv8a-mlib.

    When the image (or SDK) is being generated and the components are collected, the system has no knowledge of the multilib arch and will fail to find it, such as:

    ERROR: meta-toolchain-1.0-r0 do_populate_sdk: No SPDX file found for package libilp32-libgcc-dbg, False
    sstate:libilp32-libgcc:armv8a-ilp32-mllibilp32-elf:14.1.0:r0:armv8a-ilp32:12:
    sstate:libilp32-libgcc::14.1.0:r0::12:

    Adding in the new SPDX_MULTILIB_SSTATE_ARCHS will provide a full set of SSTATE_ARCHS including ones that contain the multilib extension, which will allow create-spdx-* to correctly find the document it is looking for.

    This would also be valuable to any other function doing a similar search through SSTATE_ARCH that may have been extended with multilib configurations.

    (From OE-Core rev: f1499c36c1054fc90f7b7268cc95285f2eca72f7)

    Signed-off-by: Mark Hatle <mark.hatle@amd.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/spdx-common: Move to library | Joshua Watt | 2024-07-16 | 1 | -19/+2

    Moves the bulk of the code in the spdx-common bbclass into library code.

    (From OE-Core rev: 3f9b7c7f6b15493b6890031190ca8d1a10f2f384)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx-3.0: Add classes | Joshua Watt | 2024-07-16 | 1 | -0/+1138

    Adds a class to generate SPDX 3.0 output and an image class that is used when generating images.

    (From OE-Core rev: b63f6f50458fc6898e4deda5d6739e7bf3639c15)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>