I do plan on implementing this once the PURL spec PR is merged. I already have a proof of concept: https://git.yoctoproject.org/poky-contrib/commit/?h=jpew/purls&id=538c31488e7300a4ad3320e861324a4858a6f148
The "extra" repository URLs that it generates are done terribly ATM and it needs a few other things to be cleaned up. However, it will also correctly allow end users to add multiple purls (so they can have their own PURLs in addition to the Yocto ones).

On Wed, Jan 7, 2026 at 11:10 AM Stefano Tondo via lists.openembedded.org <[email protected]> wrote:
>
> From: Stefano Tondo <[email protected]>
>
> Add automatic Package URL (PURL) generation according to the Yocto PURL
> specification to enable package identification in vulnerability databases
> and improve NTIA SBOM compliance.
>
> Field added:
> - software_packageUrl: Auto-generates Package URLs per Yocto PURL spec
>   Format: pkg:yocto/<LAYERNAME>/<BPN>@<PV>
>   See: https://github.com/package-url/purl-spec/pull/372
>
> PURL Implementation:
> - Type: yocto (official PURL type for Yocto recipes, per PR #372)
> - Namespace: Layer name from FILE_LAYERNAME variable
> - Name: BPN (base package name with prefixes/suffixes removed)
> - Version: PV (package version from recipe)
> - Normalization: Lowercase per PURL spec
>
> New BitBake variable:
> - SPDX_PACKAGE_URL: Override auto-generated PURL
>
> The Yocto PURL type specification (purl-spec PR #372) has been approved
> by the PURL maintainers and is ready for implementation. This follows
> the agreed format from JPEWdev (Joshua Watt) and petermarko.
>
> Signed-off-by: Stefano Tondo <[email protected]>
> ---
> meta/lib/oe/spdx30_tasks.py | 34 ++++++++++++++++++++++++++++++++++
> 1 file changed, 34 insertions(+)
>
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index f731a709e3..86430c7008 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -474,6 +474,36 @@ def create_spdx(d): > if val: > setattr(obj, name, val) > > + def generate_purl(d, package=None): > + """ > + Generate Package URL (purl) for a package according to Yocto PURL > spec. > + Format: pkg:yocto/<LAYERNAME>/<BPN>@<PV> > + > + See: https://github.com/package-url/purl-spec/pull/372 > + """ > + bpn = d.getVar("BPN") > + pv = d.getVar("PV") > + > + # Get layer name using FILE_LAYERNAME > + # This is the correct variable that contains the layer name from > BBFILE_COLLECTIONS > + # (BBFILE_COLLECTIONS itself is not available outside of layer.conf) > + layer = d.getVar("FILE_LAYERNAME") > + > + if not layer: > + layer = "core" # Default to core if layer detection fails > + > + # For sub-packages, use BPN (base package name) > + # Per spec: BPN has prefixes/suffixes removed > + name = bpn > + > + # Normalize name per PURL spec (lowercase only) > + # Note: Underscores are not allowed in recipe names > + name = name.lower() > + > + purl = f"pkg:yocto/{layer}/{name}@{pv}" > + > + return purl > + > license_data = oe.spdx_common.load_spdx_license_data(d) > > deploydir = Path(d.getVar("SPDXDEPLOY")) > @@ -646,6 +676,10 @@ def create_spdx(d): > "software_packageUrl", > package=package > ) > + else: > + # Auto-generate PURL if not manually specified > + auto_purl = generate_purl(d, package) > + spdx_package.software_packageUrl = auto_purl > > pkg_objset.new_scoped_relationship( > [oe.sbom30.get_element_link_id(build)], > -- > 2.52.0 > > > >
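Review bot: in the first hunk, `generate_purl` interpolates `layer`, `name` and `pv` into the result unencoded (`purl = f"pkg:yocto/{layer}/{name}@{pv}"`) while its docstring promises a purl "according to Yocto PURL spec"; purl components are percent-encoded, so a PV containing `+`, `@` or `/` yields a string that a consumer splitting on `@` or `/` can read as the wrong name or version. Suggest `urllib.parse.quote(component, safe="")` on each part before formatting. Two smaller points in the same hunk: the `package` parameter is accepted but never read, so either drop it or state in the docstring why it is there; and the silent `layer = "core"  # Default to core if layer detection fails` fallback will put a wrong namespace into an SBOM whose stated purpose is vulnerability-database matching, without leaving any trace in the build log, so at least `bb.warn` there (or fail, since `FILE_LAYERNAME` should always be set for a recipe). Note also that `name` is lowercased but `layer` is not, although the commit message lists "Normalization: Lowercase" as a general rule.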
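Review bot: in the second hunk the new `else:` branch calls `generate_purl(d, package)`, but the function ignores `package` and builds from `BPN`, so every runtime package produced by one recipe receives the identical `pkg:yocto/<layer>/<BPN>@<PV>` value; if that is the intended granularity (one purl per recipe, shared by all of its packages) the commit message should say so explicitly, otherwise the package name has to become part of the purl. Also, the existing override path sets the field through a helper called with `"software_packageUrl", package=package`, while the auto path assigns `spdx_package.software_packageUrl = auto_purl` directly; if that helper handles per-package variable overrides, routing the generated value through it too would keep the two paths consistent.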
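The commit message above describes the format pkg:yocto/<LAYERNAME>/<BPN>@<PV> with an SPDX_PACKAGE_URL override. The following is an added example, not code from the patch or from oe-core: it builds that purl with percent-encoded components so that a version such as "1.36.1+git" or one containing "@" or "/" survives a round trip, honours the override variable, reports (rather than silently applies) the "core" fallback, and parses the result back. BitBake's datastore is replaced by a constructed dict-backed stand-in (`FakeDataStore`), and lowercasing both namespace and name, plus encoding every non-unreserved character, are this example's choices, not something the patch or the PURL spec PR is shown to mandate.

```python
"""Build and parse pkg:yocto Package URLs with percent-encoded components.

Added example; not part of the patch or of oe-core. Assumes the format
pkg:yocto/<LAYERNAME>/<BPN>@<PV> from the commit message and the generic
purl rule that namespace, name and version are percent-encoded.
"""
from urllib.parse import quote, unquote


class FakeDataStore:
    """Constructed stand-in for BitBake's `d`; only getVar() is modelled."""

    def __init__(self, variables):
        self._vars = dict(variables)

    def getVar(self, name):
        return self._vars.get(name)


def encode_component(value):
    # Encode everything outside the unreserved set (safe=""), so '+', '@',
    # '/', ':' and '#' inside a component can never be mistaken for a purl
    # separator by a consumer; decoders percent-decode each component anyway.
    return quote(value, safe="")


def generate_purl(d):
    """Return (purl, warnings) for the recipe described by datastore `d`.

    SPDX_PACKAGE_URL, when set, wins unchanged. Otherwise the purl is built
    from FILE_LAYERNAME, BPN and PV; a missing layer name falls back to
    "core" but is reported so the SBOM consumer's namespace is not wrong
    in silence.
    """
    warnings = []
    override = d.getVar("SPDX_PACKAGE_URL")
    if override:
        return override, warnings

    bpn = d.getVar("BPN")
    pv = d.getVar("PV")
    layer = d.getVar("FILE_LAYERNAME")
    if not bpn or not pv:
        raise ValueError("BPN and PV are required to build a purl")
    if not layer:
        warnings.append("FILE_LAYERNAME unset; falling back to namespace 'core'")
        layer = "core"

    purl = "pkg:yocto/{}/{}@{}".format(
        encode_component(layer.lower()),  # namespace: layer name
        encode_component(bpn.lower()),    # name: base package name
        encode_component(pv),             # version: recipe PV, case kept
    )
    return purl, warnings


def parse_yocto_purl(purl):
    """Split a pkg:yocto purl into (layer, name, version), percent-decoded.

    Because generate_purl() encodes separators inside components, splitting
    on the last '@' and the last '/' is unambiguous here.
    """
    prefix = "pkg:yocto/"
    if not purl.startswith(prefix):
        raise ValueError("not a pkg:yocto purl: " + purl)
    rest = purl[len(prefix):]
    # Qualifiers (?...) and subpath (#...) are not used by this type; drop them.
    rest = rest.split("?", 1)[0].split("#", 1)[0]
    path, sep, version = rest.rpartition("@")
    if not sep or not version:
        raise ValueError("missing version: " + purl)
    layer, sep2, name = path.rpartition("/")
    if not sep2 or not layer or not name:
        raise ValueError("missing namespace or name: " + purl)
    return unquote(layer), unquote(name), unquote(version)


if __name__ == "__main__":
    # Constructed sample recipes, including a version with a '+' suffix.
    for variables in (
        {"BPN": "Busybox", "PV": "1.36.1+git", "FILE_LAYERNAME": "core"},
        {"BPN": "foo", "PV": "2.0@rc/1"},
        {"BPN": "foo", "PV": "1", "SPDX_PACKAGE_URL": "pkg:generic/foo@1"},
    ):
        purl, warns = generate_purl(FakeDataStore(variables))
        print(purl, warns)
        if purl.startswith("pkg:yocto/"):
            print("  parsed:", parse_yocto_purl(purl))
```

Running the block prints each generated purl with its warnings and, for the yocto-typed ones, the decoded (layer, name, version) triple, which is the check a consumer matching SBOM entries against a vulnerability database would perform.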
View/Reply Online (#229031): https://lists.openembedded.org/g/openembedded-core/message/229031
