On Fri, Feb 20, 2026, 10:10 PM Stefano Tondo <[email protected]> wrote:
> From: Stefano Tondo <[email protected]> > > Create a root metadata software_Package for the image that describes > what the SBOM represents: I think my recipe spdx changes that I sent to the list will eliminate the need for this, since there will be a package that represents the "recipe" you can use instead. > - Package name: {image_basename}-{machine} > - Version from BUILDNAME (with '1.0' fallback) > - Primary purpose: container > This is wrong regardless - Description from IMAGE_DESCRIPTION (with generated fallback) > - Supplier from SPDX_SUPPLIER if available > > Add structural relationships: > - Document 'describes' the image package > - Image package 'contains' each recipe's artifacts > > This fixes sbom-lint warnings about missing root elements and > provides proper SBOM structure for compliance tools. > > Signed-off-by: Stefano Tondo <[email protected]> > --- > meta/lib/oe/spdx30_tasks.py | 32 ++++++++++++++++++++++++++++++++ > 1 file changed, 32 insertions(+) > > diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index ef47bd4205..0d62de61a3 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py 
> @@ -1498,6 +1498,31 @@ def create_image_spdx(d): > d, "%s-%s-image" % (image_basename, machine) > ) > > + # Create root metadata package for the image > + # This describes what the SBOM represents and fixes sbom-lint warning > + image_package = objset.add_root( > + oe.spdx30.software_Package( > + _id=objset.new_spdxid("image", "root"), > + creationInfo=objset.doc.creationInfo, > + name=f"{image_basename}-{machine}", > + software_packageVersion=d.getVar("BUILDNAME") or "1.0", > + > software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.container, > + description=d.getVar("IMAGE_DESCRIPTION") or > f"{image_basename} image for {machine}", > + ) > + ) > + > + # Set supplier if available > + supplier = d.getVar("SPDX_SUPPLIER") > + if supplier: > + image_package.suppliedBy = supplier > + > + # Create describes relationship from document to image > + objset.new_relationship( > + [objset.doc], > + oe.spdx30.RelationshipType.describes, > + [image_package], > + ) > + > with manifest_path.open("r") as f: > manifest = json.load(f) > > @@ -1565,6 +1590,13 @@ def create_image_spdx(d): > artifacts, > ) > > + # Link artifacts to the image package > + objset.new_relationship( > + [image_package], > + oe.spdx30.RelationshipType.contains, > + artifacts, > + ) > + > if builds: > rootfs_image, _ = oe.sbom30.find_root_obj_in_jsonld( > d, > -- > 2.53.0 > >
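Review bot: `image_package.suppliedBy = supplier` assigns the raw string returned by `d.getVar("SPDX_SUPPLIER")`, but in the SPDX 3.0 model `suppliedBy` references an Agent element (Organization/Person), not a string, so the serialized document would carry a bare string where an spdxId reference is expected, and the typed oe.spdx30 model may reject the assignment outright. As far as I recall the per-recipe packages obtain their supplier as an Agent built from SPDX_SUPPLIER through the object set; the image package should reuse that Agent instead of the variable's text. The `software_packageVersion=d.getVar("BUILDNAME") or "1.0"` fallback also invents a version that downstream compliance tools will treat as an asserted fact; when BUILDNAME is unset it is better to omit the field than to claim `1.0`. create_image_spdx starts before and continues after this hunk.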
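Review bot: The new `contains` relationship from `image_package` is emitted unconditionally for `artifacts`; if a manifest entry yields no artifacts this produces a relationship with an empty target list, which compliance tools may flag just as they flagged the missing root element. Guarding it with `if artifacts:` avoids that, and collecting the artifacts across the loop and emitting a single `contains` relationship after it would give one relationship per image rather than one per recipe. The loop this sits in starts outside the hunk, so whether `artifacts` can be empty here is inferred from the manifest handling rather than visible.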
