From: Stefano Tondo <[email protected]> Include the recipe's base PURL (from oe.purl.get_base_purl) in the external identifiers for built packages alongside any PURLs from SPDX_PACKAGE_URLS.
This ensures that every built package has a pkg:yocto PURL (e.g., pkg:yocto/core/[email protected]) in its external identifiers, improving tool interoperability and supply chain tracking. Signed-off-by: Stefano Tondo <[email protected]> --- meta/lib/oe/spdx30_tasks.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 9f5a37b8bf..ef47bd4205 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -853,6 +853,7 @@ def create_spdx(d): [oe.sbom30.get_element_link_id(recipe_spdx_license)], ) + dep_sources = {} if oe.spdx_common.process_sources(d) and include_sources: bb.debug(1, "Adding source files to SPDX") @@ -886,6 +887,8 @@ def create_spdx(d): debug_source_ids = set() source_hash_cache = {} + recipe_purl = oe.purl.get_base_purl(d) + # Write out the package SPDX data now. It is not complete as we cannot # write the runtime data, so write it to a staging area and a later task # will write out the final collection @@ -953,7 +956,12 @@ def create_spdx(d): if purls: spdx_package.software_packageUrl = purls[0] - for p in sorted(set(purls)): + # Combine SPDX_PACKAGE_URLS with recipe base PURL + all_purls = set(purls) + if recipe_purl: + all_purls.add(recipe_purl) + + for p in sorted(all_purls): spdx_package.externalIdentifier.append( oe.spdx30.ExternalIdentifier( externalIdentifierType=oe.spdx30.ExternalIdentifierType.packageUrl, -- 2.53.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231564): https://lists.openembedded.org/g/openembedded-core/message/231564 Mute This Topic: https://lists.openembedded.org/mt/117922383/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
