On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <[email protected]> wrote:
>
> This change adds a new variable to track which recipe variables
> are added as SPDX Annotations.
>
> Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>
nit: CUSTOM
>
> The recipe spdx json will contain an annotation stanza that looks
> something like this:
>
> "annotations": [
> {
> "annotationDate": "2023-02-13T19:44:20Z",
> "annotationType": "OTHER",
> "annotator": "Tool: oe-spdx-creator - 1.0",
> "comment": "CUSTOM_VARIABLE=some value or string"
> },
>
> Signed-off-by: Saul Wold <[email protected]>
> ---
> meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/create-spdx-2.2.bbclass
> b/meta/classes/create-spdx-2.2.bbclass
> index f0513af083b..e1bbf646ff9 100644
> --- a/meta/classes/create-spdx-2.2.bbclass
> +++ b/meta/classes/create-spdx-2.2.bbclass
> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>
> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>
> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
> +
> SPDX_ORG ??= "OpenEmbedded ()"
> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages
> created from \
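Review bot: the new `SPDX_CUSTOM_ANNOTATION_VARS ??= ""` default has no `[doc]` flag, while the neighbouring `SPDX_SUPPLIER[doc]` documents its variable; add something like `SPDX_CUSTOM_ANNOTATION_VARS[doc] = "Space-separated list of recipe variables to record as SPDX annotations (VAR=value)."` so the expected format (whitespace-separated variable names, each rendered as VAR=value in the annotation comment) is discoverable from the class itself rather than only from the commit message.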
> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>
> return sources
>
> -
> python do_create_spdx() {
> from datetime import datetime, timezone
> import oe.sbom
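Review bot: this hunk only removes a blank line before `python do_create_spdx()` and is unrelated to the annotation feature; drop it, or move it to a separate whitespace cleanup, so the commit contains only the change it describes.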
> @@ -479,6 +480,10 @@ python do_create_spdx() {
> if description:
> recipe.description = description
>
> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
> + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
> + recipe.annotations.append(create_annotation(d, var + "=" +
> d.getVar(var)))
> +
Seems reasonable. If we need more configuration options, I think we
can add it later with flags, e.g.
MY_VAR = "foo"
MY_VAR[spdx-annotator] = "Me!"
SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"
Also, in the future if users want package annotations, we can probably do:
SPDX_CUSTOM_ANNOTATION_VARS:${PN}
> # Some CVEs may be patched during the build process without incrementing
> the version number,
> # so querying for CVEs based on the CPE id can lead to false positives.
> To account for this,
> # save the CVEs fixed by patches to source information field in the SPDX.
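Review bot: in the new loop, `var + "=" + d.getVar(var)` raises a TypeError whenever a name listed in SPDX_CUSTOM_ANNOTATION_VARS is unset in the recipe, because `d.getVar(var)` returns None, and that aborts do_create_spdx for the whole recipe; either skip such names (with a bb.warn so the typo is visible) or use `d.getVar(var) or ""`. The enclosing `if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):` guard is also redundant once the variable defaults to "" (`"".split()` is already empty), and the two getVar calls on the same variable can be one.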
> --
> 2.25.1
>
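The annotation loop from the patch, reworked as an added stand-alone Python example (this is not OE-core code and not part of the thread): it emulates the BitBake datastore with a small dict-backed class (a constructed stand-in; the real `d.getVar`/`d.getVarFlag` come from BitBake), skips variables that are unset instead of failing on None, and honours the `[spdx-annotator]` flag sketched in the reply. `FakeDataStore`, `custom_annotations`, `demo` and all sample variable values are assumptions made for the example.

```python
"""Added example, not OE-core code: build SPDX 2.2 annotation entries from a
whitespace-separated list of recipe variable names, as SPDX_CUSTOM_ANNOTATION_VARS
does, but skipping unset variables and honouring a hypothetical per-variable
[spdx-annotator] flag."""
import json
from datetime import datetime, timezone

DEFAULT_ANNOTATOR = "Tool: oe-spdx-creator - 1.0"


class FakeDataStore:
    """Constructed stand-in for BitBake's datastore `d` (getVar/getVarFlag over dicts)."""

    def __init__(self, variables, flags=None):
        self._vars = dict(variables)
        self._flags = dict(flags or {})  # keyed by (variable, flag)

    def getVar(self, name):
        # Like BitBake, returns None for a variable that was never set.
        return self._vars.get(name)

    def getVarFlag(self, name, flag):
        return self._flags.get((name, flag))


def create_annotation(comment, annotator=DEFAULT_ANNOTATOR, when=None):
    """One SPDX 2.2 annotation stanza, shaped like the one in the commit message."""
    when = when or datetime.now(timezone.utc)
    return {
        "annotationDate": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "annotationType": "OTHER",
        "annotator": annotator,
        "comment": comment,
    }


def custom_annotations(d, when=None):
    """Return (annotations, skipped_names) for the names in SPDX_CUSTOM_ANNOTATION_VARS.

    Unset names are collected in skipped_names instead of raising a TypeError
    on `var + "=" + None`; a caller would normally bb.warn about them.
    """
    names = (d.getVar("SPDX_CUSTOM_ANNOTATION_VARS") or "").split()
    annotations, skipped = [], []
    for var in names:
        value = d.getVar(var)
        if value is None:
            skipped.append(var)
            continue
        # Hypothetical flag from the review reply: MY_VAR[spdx-annotator] = "Me!"
        annotator = d.getVarFlag(var, "spdx-annotator") or DEFAULT_ANNOTATOR
        annotations.append(create_annotation(f"{var}={value}", annotator, when))
    return annotations, skipped


def demo():
    """Constructed sample recipe data; returns (annotations, skipped) for the test."""
    d = FakeDataStore(
        {
            "SPDX_CUSTOM_ANNOTATION_VARS": "MY_VAR  NOT_SET_VAR BUILD_TAG",
            "MY_VAR": "foo",
            "BUILD_TAG": "nightly-2023-02-13",
        },
        {("MY_VAR", "spdx-annotator"): "Me!"},
    )
    fixed_time = datetime(2023, 2, 13, 19, 44, 20, tzinfo=timezone.utc)
    return custom_annotations(d, fixed_time)


if __name__ == "__main__":
    annotations, skipped = demo()
    print(json.dumps({"annotations": annotations}, indent=2))
    print("skipped (unset) variables:", skipped)
```

Running it prints two annotation stanzas in the shape the commit message shows, plus the name that was listed but never set; in a real bbclass the `skipped` list is where a `bb.warn()` belongs, so a mistyped variable name is visible in the build log instead of silently missing from the SBOM.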
View/Reply Online (#177110):
https://lists.openembedded.org/g/openembedded-core/message/177110