Joseph,

Currently, create-spdx will only report on the recipe itself and the
packages it produces. It's been a long-standing TODO to make reporting
of sub-components like NPM packages and Rust crates better, but we
haven't gotten there yet, partially because I'm not very familiar with
these technologies. If you have some experience, it would be great to
get some input on how to best handle these things.

One of the biggest problems is that often these technologies do
"sneaky" downloads of packages that we don't know about in the recipe,
and thus can't really report on. We largely fixed this in Rust by
making users enumerate the crates they use in SRC_URI (with some
tooling to help automatically generate the list), but it looks, from
the recipe you've linked to, like this is what is happening in webui-vue.
Because of this, it's going to be extra hard to report on any
components, since we simply aren't aware they exist (at the recipe
level).
On Tue, Feb 14, 2023 at 2:27 PM Joseph Reynolds <j...@linux.ibm.com> wrote:
>
> Team,
>
> Thanks again for continuing to improve Yocto/OE.
>
> I have a question about the capabilities of the create-spdx.bbclass.  I
> understand it can create an SBOM entry for each recipe.
>
> Can create-spdx.bbclass handle multiple components per recipe?  For
> example, my bitbake recipe produces a web application which packages
> many HTML components.  I would like to have the recipe included in the
> SBOM together with the components which are packaged into the web
> application files.  Is there a way to do that?
>
> Specifically, the OpenBMC web application uses various NPM components to
> provide its functionality in the end-user's browser.
> Recipe:
> https://github.com/openbmc/openbmc/blob/master/meta-phosphor/recipes-phosphor/webui/webui-vue_git.bb
>
> Project source: https://github.com/openbmc/webui-vue/
> NPM packages are specified here:
> https://github.com/openbmc/webui-vue/blob/master/package-lock.json
> Package-lock docs:
> https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json
>
> I want my SBOM to include the webui-vue application together with each
> of the NPM packages it uses.
> How can I do that?
>
> Sincerely,
> Joseph Reynolds
>
>
> 
>
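The step the thread identifies as missing for NPM is the enumeration itself: the recipe has to know which packages exist before create-spdx can say anything about them. As an added illustration, not code from this thread, from create-spdx or from webui-vue, the Python script below reads a package-lock.json in the format documented at the npm link above, lists every package with its registry URL and SRI integrity hash (converted from base64 to hex, as SPDX checksums expect), and shapes each one as an SPDX 2.x package record. The two lock files are constructed samples; the SPDXID naming scheme is an assumption made for this example and is not what create-spdx emits.

```python
"""Enumerate the NPM components recorded in a package-lock.json and map them
to SPDX 2.x package records, so they can be reported alongside the recipe."""
import base64
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lock files (not taken from webui-vue). Version 2/3 files
# carry a flat "packages" map keyed by install path; version 1 files nest
# "dependencies" trees.
SAMPLE_LOCK = json.dumps({
    "name": "webui-example", "version": "1.0.0", "lockfileVersion": 2,
    "packages": {
        "": {"name": "webui-example", "version": "1.0.0"},
        "node_modules/vue": {
            "version": "2.6.14",
            "resolved": "https://registry.npmjs.org/vue/-/vue-2.6.14.tgz",
            "integrity": "sha512-" + base64.b64encode(bytes(range(64))).decode(),
        },
        "node_modules/@babel/core": {
            "version": "7.20.0", "dev": True,
            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.20.0.tgz",
            "integrity": "sha512-" + base64.b64encode(bytes(64)).decode(),
        },
        # A bundled dependency: no registry URL and no integrity hash.
        "node_modules/vue/node_modules/bundled-helper": {
            "version": "1.0.0", "inBundle": True,
        },
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "vue": {"version": "2.6.14",
                "resolved": "https://registry.npmjs.org/vue/-/vue-2.6.14.tgz",
                "integrity": "sha512-" + base64.b64encode(bytes(range(64))).decode(),
                "dependencies": {
                    "bundled-helper": {"version": "1.0.0", "bundled": True}}},
    },
})

_SRI_RE = re.compile(r"^(sha1|sha256|sha512)-([A-Za-z0-9+/=]+)$")
_DIGEST_LEN = {"sha1": 20, "sha256": 32, "sha512": 64}


def parse_integrity(sri: str) -> Tuple[str, str]:
    """Convert an SRI string ("sha512-<base64>") to (ALGO, hex digest).
    Unknown algorithms and digests of the wrong length are rejected, so a
    malformed lock file fails loudly instead of yielding a bogus checksum."""
    m = _SRI_RE.match(sri)
    if not m:
        raise ValueError(f"unsupported integrity value: {sri!r}")
    algo, raw = m.group(1), base64.b64decode(m.group(2), validate=True)
    if len(raw) != _DIGEST_LEN[algo]:
        raise ValueError(f"{algo} digest has {len(raw)} bytes, expected {_DIGEST_LEN[algo]}")
    return algo.upper(), raw.hex()


def _record(found: Dict, name: str, meta: Dict) -> None:
    """Add one package, de-duplicating on (name, version); a package counts as
    dev-only if every occurrence of it is marked dev."""
    key = (name, meta["version"])
    entry = found.setdefault(key, {
        "name": name, "version": meta["version"],
        "resolved": meta.get("resolved"),
        "checksum": parse_integrity(meta["integrity"]) if meta.get("integrity") else None,
        "dev": True,
    })
    entry["dev"] = entry["dev"] and bool(meta.get("dev"))


def list_components(lock_text: str) -> List[Dict]:
    """Return every package in the lock file, sorted by (name, version)."""
    lock = json.loads(lock_text)
    found: Dict[Tuple[str, str], Dict] = {}
    if "packages" in lock:                      # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if path == "" or meta.get("link"):  # the project itself, or a workspace symlink
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            _record(found, name, meta)
    else:                                       # lockfileVersion 1
        def walk(deps: Dict) -> None:
            for name, meta in deps.items():
                _record(found, name, meta)
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(found.values(), key=lambda c: (c["name"], c["version"]))


def to_spdx_packages(components: List[Dict]) -> List[Dict]:
    """Shape each component as an SPDX 2.x JSON package. The SPDXID scheme is
    an assumption for this example, not what create-spdx emits."""
    pkgs = []
    for c in components:
        ident = re.sub(r"[^A-Za-z0-9.-]", "-", f"{c['name']}-{c['version']}")
        pkg = {
            "SPDXID": "SPDXRef-npm-" + ident,
            "name": c["name"],
            "versionInfo": c["version"],
            "downloadLocation": c["resolved"] or "NOASSERTION",
            "filesAnalyzed": False,
        }
        if c["checksum"]:
            algo, digest = c["checksum"]
            pkg["checksums"] = [{"algorithm": algo, "checksumValue": digest}]
        pkgs.append(pkg)
    return pkgs


if __name__ == "__main__":
    print(json.dumps(to_spdx_packages(list_components(SAMPLE_LOCK)), indent=2))
```

Packages with no `resolved` URL (bundled or linked) get `NOASSERTION` rather than a guessed location, and a package-lock entry whose integrity hash is malformed aborts the run, since a silently wrong checksum in an SBOM is worse than none. The resulting list is the same kind of explicit inventory that the crate approach puts into SRC_URI; how to feed it into the recipe is a separate question the thread leaves open.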
View/Reply Online (#177215): https://lists.openembedded.org/g/openembedded-core/message/177215