On 2/13/23 12:03, Joshua Watt wrote:
On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <[email protected]> wrote:

This change adds a new variable to track which recipe variables
are added as SPDX Annotations.

Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>

nit: CUSTOM

v2 will come shortly (I will try to address the flags)

The recipe spdx json will contain an annotation stanza that looks
something like this:

      "annotations": [
         {
           "annotationDate": "2023-02-13T19:44:20Z",
           "annotationType": "OTHER",
           "annotator": "Tool: oe-spdx-creator - 1.0",
           "comment": "CUSTOM_VARIABLE=some value or string"
         },

Signed-off-by: Saul Wold <[email protected]>
---
  meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/classes/create-spdx-2.2.bbclass 
b/meta/classes/create-spdx-2.2.bbclass
index f0513af083b..e1bbf646ff9 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"

  SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"

+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
  SPDX_ORG ??= "OpenEmbedded ()"
  SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
  SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages 
created from \
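Review bot: the new `SPDX_CUSTOM_ANNOTATION_VARS ??= ""` default has no `[doc]` flag, although the neighbouring `SPDX_SUPPLIER[doc]` line shows this class documents its user-facing variables that way; add something like `SPDX_CUSTOM_ANNOTATION_VARS[doc] = "Space-separated list of recipe variables to record as SPDX annotations"` so the purpose and the space-separated format are visible to users of the class.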
@@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):

      return sources

-
  python do_create_spdx() {
      from datetime import datetime, timezone
      import oe.sbom
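Review bot: the removed blank line before `python do_create_spdx() {` is an unrelated whitespace change; drop it from this patch so the diff only carries the annotation feature.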
@@ -479,6 +480,10 @@ python do_create_spdx() {
      if description:
          recipe.description = description

+    if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+        for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
+            recipe.annotations.append(create_annotation(d, var + "=" + 
d.getVar(var)))
+
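Review bot: `d.getVar(var)` returns None when a listed variable is unset or misspelled, so `var + "=" + d.getVar(var)` raises a TypeError and fails do_create_spdx for the whole recipe; fetch the value once and guard it, e.g. `value = d.getVar(var)` then `if value is None: continue` (or `d.getVar(var) or ""` if an empty annotation is preferred). The outer `if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):` is redundant, since iterating over `"".split()` is already a no-op. Since the listed variable's value is copied verbatim into the published SPDX document, a short comment noting that only variables whose values are safe to ship should be listed would help recipe authors.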

Seems reasonable. If we need more configuration options, I think we
can add it later with flags, e.g.

  MY_VAR = "foo"
  MY_VAR[spdx-annotator] = "Me!"
  SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"

What did you think the output should be here? I.e., what does the comment line contain?
Today the annotation would contain:

"comment": "MY_VAR=foo"

What should the comment line contain if a flag or multiple flags exist? Or does the CUSTOM_ANNOTATION code only look for one flag, [spdx-annotator]?

"comment": "Me!=foo"

Thoughts?

Also, in the future if users want package annotations, we can probably do:

  SPDX_CUSTOM_ANNOTATION_VARS:${PN}

Do you really mean SPDX_CUSTOM_ANNOTATIONS_VARS:pn-${PN}

I tested this and it appears to work, along with the :append:pn-${PN} style.

Sau!

      # Some CVEs may be patched during the build process without incrementing 
the version number,
      # so querying for CVEs based on the CPE id can lead to false positives. 
To account for this,
      # save the CVEs fixed by patches to source information field in the SPDX.
--
2.25.1