From: Stefano Tondo <[email protected]>
Create a root metadata software_Package for the image that describes
what the SBOM represents:
- Package name: {image_basename}-{machine}
- Version from BUILDNAME (with '1.0' fallback)
- Primary purpose: container
- Description from IMAGE_DESCRIPTION (with generated fallback)
- Supplier from SPDX_SUPPLIER if available
Add structural relationships:
- Document 'describes' the image package
- Image package 'contains' each recipe's artifacts
This fixes sbom-lint warnings about missing root elements and
provides proper SBOM structure for compliance tools.
Signed-off-by: Stefano Tondo <[email protected]>
---
meta/lib/oe/spdx30_tasks.py | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index ef47bd4205..0d62de61a3 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -1498,6 +1498,31 @@ def create_image_spdx(d):
d, "%s-%s-image" % (image_basename, machine)
)
+ # Create root metadata package for the image
+ # This describes what the SBOM represents and fixes sbom-lint warning
+ image_package = objset.add_root(
+ oe.spdx30.software_Package(
+ _id=objset.new_spdxid("image", "root"),
+ creationInfo=objset.doc.creationInfo,
+ name=f"{image_basename}-{machine}",
+ software_packageVersion=d.getVar("BUILDNAME") or "1.0",
+
software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.container,
+ description=d.getVar("IMAGE_DESCRIPTION") or f"{image_basename}
image for {machine}",
+ )
+ )
+
+ # Set supplier if available
+ supplier = d.getVar("SPDX_SUPPLIER")
+ if supplier:
+ image_package.suppliedBy = supplier
+
+ # Create describes relationship from document to image
+ objset.new_relationship(
+ [objset.doc],
+ oe.spdx30.RelationshipType.describes,
+ [image_package],
+ )
+
with manifest_path.open("r") as f:
manifest = json.load(f)
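Review bot: `image_package.suppliedBy = supplier` assigns the raw `SPDX_SUPPLIER` string, but in the SPDX 3 model `suppliedBy` refers to an Agent element, so the typed property setter in oe.spdx30 will presumably reject a plain string or the serialized document will carry an unresolvable supplier, which defeats the provenance attribution this root package is meant to give compliance tools. The recipe-level package creation elsewhere in this file appears to build the supplier through the object set (something like `supplier = objset.new_agent("SPDX_PACKAGE_SUPPLIER")` followed by `suppliedBy=supplier`); the image package should go through the same helper and variable rather than a separate `SPDX_SUPPLIER` lookup, which is worth confirming against the existing code. The `"1.0"` fallback for `software_packageVersion` fabricates a version that no other artifact carries; a short comment such as `# BUILDNAME is always set during a build; "1.0" only covers ad-hoc invocations` would tell a reader why that value is safe, or the field could be left unset when BUILDNAME is absent. Note that lines in this hunk (`software_primaryPurpose=` and the `description=` f-string) appear to have been wrapped by the mail client and will not apply as shown. create_image_spdx continues beyond this hunk.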
@@ -1565,6 +1590,13 @@ def create_image_spdx(d):
artifacts,
)
+ # Link artifacts to the image package
+ objset.new_relationship(
+ [image_package],
+ oe.spdx30.RelationshipType.contains,
+ artifacts,
+ )
+
if builds:
rootfs_image, _ = oe.sbom30.find_root_obj_in_jsonld(
d,
--
2.53.0