On Sat Feb 21, 2026 at 5:25 AM CET, Stefano Tondo via lists.openembedded.org wrote: > From: Stefano Tondo <[email protected]> > > Previous implementation only captured explicit RDEPENDS from recipe > variables, missing implicit runtime dependencies auto-detected by > Yocto's packaging system (shared libraries like libc6, libssl3, libz1). > > This commit updates get_dependencies_by_scope() to: > - Accept package parameter to read package-specific manifests > - Read package manifests (PKGDATA) after packaging completes > - Parse RDEPENDS including auto-detected shared library dependencies > - Handle split packages correctly (multiple packages per recipe) > - Fall back to recipe-level RDEPENDS if manifest unavailable > > Also clarifies that recursive dependency expansion is unnecessary: > - Each package is processed separately in create_package_spdx() > - Each package's direct dependencies are added as SPDX relationships > - The resulting SBOM contains the complete dependency graph > - SBOM consumers can traverse the graph for transitive dependencies > > Fixes lifecycle scope classification to capture ALL runtime dependencies > (explicit + implicit). > > Signed-off-by: Stefano Tondo <[email protected]> > Cc: "Ross Burton" <[email protected]> > ---
Hi Stefano, Thanks for your patch. It looks like the added spdx.SPDX30Check.test_lifecycle_scope_dependencies test is failing: 2026-02-22 10:51:36,579 - oe-selftest - INFO - spdx.SPDX30Check.test_lifecycle_scope_dependencies (subunit.RemotedTestCase) 2026-02-22 10:51:36,583 - oe-selftest - INFO - ... FAIL ... 026-02-22 10:22:36,898 - oe-selftest - INFO - Found ANNOTATION2: ANNOTATION2=TestAnnotation2 2026-02-22 10:22:36,899 - oe-selftest - INFO - Found ANNOTATION1: ANNOTATION1=TestAnnotation1 2026-02-22 10:51:01,398 - oe-selftest - INFO - The spdxId of gcc-15.2.0/README in recipe-gcc.spdx.json is http://spdx.org/spdxdocs/gcc-f2eaeb0d-b54b-53ba-899a-8c36c21139bf/77722cdb050cf950f66e3b9cb87574fcb0bf404cd0c167d12d2b2060e65cb176/sourcefile/21 2026-02-22 10:51:36,583 - oe-selftest - INFO - 4: 41/51 658/670 (8.81s) (0 failed) (spdx.SPDX30Check.test_lifecycle_scope_dependencies) 2026-02-22 10:51:36,583 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last): File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/spdx.py", line 474, in test_lifecycle_scope_dependencies self.assertTrue( ~~~~~~~~~~~~~~~^ len(runtime_deps) > 0, ^^^^^^^^^^^^^^^^^^^^^^ "No runtime dependencies found - lifecycle scope may not be working" ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ) ^ File "/usr/lib/python3.13/unittest/case.py", line 744, in assertTrue raise self.failureException(msg) AssertionError: False is not true : No runtime dependencies found - lifecycle scope may not be working https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3371 https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3253 https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3131 Can you have a look at the issue? Thanks, Mathieu -- Mathieu Dubois-Briand, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231632): https://lists.openembedded.org/g/openembedded-core/message/231632 Mute This Topic: https://lists.openembedded.org/mt/117922394/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
