On Mon, 2024-06-24 at 13:10 -0600, Joshua Watt via lists.openembedded.org wrote:
> +python spdx30_build_started_handler () {
> + import oe.spdx30
> + import oe.sbom30
> + import os
> + from pathlib import Path
> +
> + # Create a copy of the datastore. Set PN to "bitbake" so that SPDX IDs
> can
> + # be generated
> + d = e.data.createCopy()
> + d.setVar("PN", "bitbake")
> + d.setVar("BB_TASKHASH", "bitbake")
> + load_spdx_license_data(d)
> +
> + deploy_dir_spdx = Path(e.data.getVar("DEPLOY_DIR_SPDX"))
> +
> + nonce = os.urandom(16).hex()
> +
> + objset = oe.sbom30.ObjectSet.new_objset(d, "bitbake", False)
> +
> + build = objset.add_root(oe.spdx30.build_Build(
> + _id=objset.new_spdxid(nonce, include_unihash=False),
> + creationInfo=objset.doc.creationInfo,
> + build_buildType=oe.sbom30.SPDX_BUILD_TYPE,
> + build_buildStartTime=oe.sbom30.spdx_now()
> + ))
> +
> + host_import_key = d.getVar("SPDX_BUILD_HOST")
> + if host_import_key:
> + objset.new_scoped_relationship(
> + [build],
> + oe.spdx30.RelationshipType.hasHost,
> + oe.spdx30.LifecycleScopeType.build,
> + [objset.new_import("SPDX_BUILD_HOST")],
> + )
> +
> + invoked_by = objset.new_agent("SPDX_INVOKED_BY")
> + if invoked_by:
> + invoked_by_spdx = objset.new_scoped_relationship(
> + [build],
> + oe.spdx30.RelationshipType.invokedBy,
> + oe.spdx30.LifecycleScopeType.build,
> + [invoked_by],
> + )
> +
> + on_behalf_of = objset.new_agent("SPDX_ON_BEHALF_OF")
> + if on_behalf_of:
> + objset.new_scoped_relationship(
> + [on_behalf_of],
> + oe.spdx30.RelationshipType.delegatedTo,
> + oe.spdx30.LifecycleScopeType.build,
> + invoked_by_spdx,
> + )
> +
> + for obj in objset.foreach_type(oe.spdx30.Element):
> + obj.extension.append(oe.sbom30.OELinkExtension(link_spdx_id=False))
> + obj.extension.append(oe.sbom30.OEIdAliasExtension())
> +
> + oe.sbom30.write_jsonld_doc(d, objset, deploy_dir_spdx /
> "bitbake.spdx.json")
> +}
> +
> +addhandler spdx30_build_started_handler
> +spdx30_build_started_handler[eventmask] = "bb.event.ConfigParsed"
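Review bot: In the SPDX_BUILD_HOST block, host_import_key is read with d.getVar("SPDX_BUILD_HOST") and used only for the truthiness test, while new_import() is then given the literal string "SPDX_BUILD_HOST" instead of host_import_key. If new_import() expects the import key (the variable's value), pass host_import_key; if it expects a variable name, as the new_agent("SPDX_INVOKED_BY") calls suggest, drop the unused local or add a comment saying so. Separately, invoked_by_spdx is assigned only under `if invoked_by:` but is used as the target of the delegatedTo relationship. The indentation is lost in this quote, so please confirm the on_behalf_of block is nested under `if invoked_by:`; otherwise setting SPDX_ON_BEHALF_OF without SPDX_INVOKED_BY raises a NameError.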

Reading through, this caught my eye. Do we really need to do that at
ConfigParsed? I suspect you'll hit this a lot more than you expect
since each new execution thread could parse the config and trigger
this. Would BuildStarted not be more appropriate?

I'm also worried about determinism here. I didn't look into what data
this is writing out but it worries me...

Cheers,

Richard