On 2/14/23 10:52, Saul Wold (local) wrote:


On 2/13/23 12:03, Joshua Watt wrote:
On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <[email protected]> wrote:

This change adds a new variable to track which recipe variables
are added as SPDX Annotations.

Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>

nit: CUSTOM

v2 will come shortly (I will try to address the flags)

Sorry, I wasn't trying to say we needed to do that today; that was for posterity. I'm fine with omitting the flags and adding them in later if necessary; I don't have a crystal ball to tell what's needed today, so it might be best to wait until we know.


The recipe spdx json will contain an annotation stanza that looks
something like this:

      "annotations": [
         {
           "annotationDate": "2023-02-13T19:44:20Z",
           "annotationType": "OTHER",
           "annotator": "Tool: oe-spdx-creator - 1.0",
           "comment": "CUSTOM_VARIABLE=some value or string"
         },

Signed-off-by: Saul Wold <[email protected]>
---
  meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index f0513af083b..e1bbf646ff9 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"

  SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"

+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
  SPDX_ORG ??= "OpenEmbedded ()"
  SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
  SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
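Review bot: the new `SPDX_CUSTOM_ANNOTATION_VARS ??= ""` default has no `[doc]` flag, while the neighbouring `SPDX_SUPPLIER` in the same context documents itself with one; add something like `SPDX_CUSTOM_ANNOTATION_VARS[doc] = "Space-separated list of recipe variables recorded as SPDX annotations"` so the variable is self-describing like the others in this block.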
@@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):

      return sources

-
  python do_create_spdx() {
      from datetime import datetime, timezone
      import oe.sbom
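Review bot: this hunk only deletes a blank line above `python do_create_spdx()` and is unrelated to the annotation feature; either drop it or mention the whitespace cleanup in the commit message so the change stays focused on what the summary describes.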
@@ -479,6 +480,10 @@ python do_create_spdx() {
      if description:
          recipe.description = description

+    if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+        for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
+            recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
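Review bot: `d.getVar(var)` returns None when a listed variable is unset in the recipe, so `var + "=" + d.getVar(var)` raises a TypeError and fails do_create_spdx for that recipe; read the value once (`value = d.getVar(var)`), skip or `bb.warn` on None, and reuse the first `d.getVar("SPDX_CUSTOM_ANNOTATION_VARS")` result instead of calling it twice. Since the value lands verbatim in the published SPDX comment, the doc text should also say that listed variables must not carry anything sensitive.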

Seems reasonable. If we need more configuration options, I think we
can add it later with flags, e.g.

  MY_VAR = "foo"
  MY_VAR[spdx-annotator] = "Me!"
  SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"

What did you think the output should be here? I.e., what does the comment line contain?
Today the annotation would contain:

"comment": "MY_VAR=foo"

What should the comment line contain if a flag or multiple flags exist? Or does the CUSTOM_ANNOTATION code only look for one flag [spdx-annotator]?

"comment": "Me!=foo"

Thoughts?

Also, in the future if users want package annotations, we can probably do:

  SPDX_CUSTOM_ANNOTATION_VARS:${PN}

Do you really mean SPDX_CUSTOM_ANNOTATIONS_VARS:pn-${PN}

I tested this and it appears to work, along with the :append:pn-${PN} style.

Sau!

--
2.25.1
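As an added illustration of the behaviour discussed in this thread (not code from the patch or from create-spdx-2.2.bbclass), the following stand-alone Python builds the annotation stanzas shown in the commit message from a constructed stand-in for the BitBake datastore `d`. It assumes two things the thread leaves open: an unset variable is skipped instead of concatenating None, and a `[spdx-annotator]` flag, if present, replaces the `annotator` field while the comment stays `VAR=value`.

```python
from datetime import datetime, timezone

# Constructed stand-in for the BitBake datastore `d`; only getVar() and
# getVarFlag() are modelled, both returning None when nothing is set.
class FakeDataStore:
    def __init__(self, values, flags=None):
        self._values = values
        self._flags = flags or {}

    def getVar(self, name):
        return self._values.get(name)

    def getVarFlag(self, name, flag):
        return self._flags.get((name, flag))


def custom_annotations(d, when=None):
    """Return one annotation dict per variable listed in
    SPDX_CUSTOM_ANNOTATION_VARS, in the shape of the recipe's SPDX JSON.

    Assumptions of this example (not decided in the thread):
    - variables that are unset (getVar() -> None) are skipped, since the
      patch's `var + "=" + d.getVar(var)` would raise TypeError there;
    - a `[spdx-annotator]` flag overrides the annotator field only.
    """
    when = when or datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    annotations = []
    # Read the list once instead of calling getVar() twice as the patch does.
    for var in (d.getVar("SPDX_CUSTOM_ANNOTATION_VARS") or "").split():
        value = d.getVar(var)
        if value is None:
            continue
        annotator = d.getVarFlag(var, "spdx-annotator") or "Tool: oe-spdx-creator - 1.0"
        annotations.append({
            "annotationDate": when,
            "annotationType": "OTHER",
            "annotator": annotator,
            "comment": f"{var}={value}",
        })
    return annotations


if __name__ == "__main__":
    import json
    # Constructed sample: MY_VAR carries the flag from the thread, MISSING is unset.
    d = FakeDataStore({"SPDX_CUSTOM_ANNOTATION_VARS": "MY_VAR MISSING", "MY_VAR": "foo"},
                      {("MY_VAR", "spdx-annotator"): "Me!"})
    print(json.dumps({"annotations": custom_annotations(d)}, indent=2))
```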

View/Reply Online (#177166): https://lists.openembedded.org/g/openembedded-core/message/177166