From: Stefano Tondo <[email protected]>
This v3 addresses Joshua Watt's feedback by dropping patches that
conflict with his planned upstream changes and fixing test failures
reported on the autobuilder.
Changes since v2:
- Dropped 7 patches based on reviewer feedback and autobuilder
test results (18 -> 11 patches)
- Fixed supplier agent creation to use direct variable pattern
instead of broken indirection (02/11)
- Fixed test to handle ListProxy type for ExternalRef.locator
instead of assuming plain list (08/11)
- Fixed test to use correct SPDX 3.0 attribute name
software_packageVersion instead of version (09/11)
Dropped patches (with rationale):
- sbom30: Fix object deduplication (v2 06/18)
Joshua: elements should have unique spdxid in single document;
if not, it's a bug to fix differently
- spdx30: Add image root metadata package (v2 09/18)
Joshua: his recipe SPDX changes will eliminate the need;
primaryPurpose=container is wrong regardless
- spdx30_tasks: Fix non-deterministic BUILDNAME (v2 10/18)
Depended on the dropped image root metadata patch
- spdx30: Add rootfs version and dependency scope (v2 11/18)
test_lifecycle_scope_dependencies failed on autobuilder
- spdx-common: Declare SPDX_FORCE_*_SCOPE variables (v2 15/18)
Depended on the dropped lifecycle scope infrastructure
- oeqa/selftest: Test for lifecycle scope (v2 16/18)
Tests the dropped lifecycle scope feature
- spdx-common: Make SPDX_LICENSES extensible (v2 18/18)
Joshua: license list is specified by SPDX spec, not us;
custom licenses should use LicenseRef
Remaining patches focus on PURL coverage, source metadata enrichment,
CPE escaping, and variable documentation.
All oe-selftest SPDX tests pass locally:
- test_base_files: PASSED
- test_extra_opts: PASSED
- test_download_location_defensive_handling: PASSED
- test_version_extraction_patterns: PASSED
Stefano Tondo (11):
spdx30: Add configurable file filtering support
spdx30: Add supplier support for image and SDK SBOMs
spdx30: Add ecosystem-specific PURL generation
spdx30: Add version extraction from SRCREV for Git source components
spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
spdx30: Enrich source downloads with external refs and PURLs
spdx30: Include recipe base PURL in package external identifiers
oeqa/selftest: Add test for download_location defensive handling
spdx.py: Add test for version extraction patterns
cve_check: Escape special characters in CPE 2.3 formatted strings
spdx-common: Add documentation for undocumented SPDX variables
meta/classes/create-spdx-3.0.bbclass | 20 ++
meta/classes/spdx-common.bbclass | 63 +++++
meta/lib/oe/cve_check.py | 37 ++-
meta/lib/oe/spdx30_tasks.py | 339 ++++++++++++++++++++++++++-
meta/lib/oeqa/selftest/cases/spdx.py | 75 ++++++
5 files changed, 527 insertions(+), 7 deletions(-)
--
2.53.0
View/Reply Online (#231877):
https://lists.openembedded.org/g/openembedded-core/message/231877
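The cve_check patch in this series (10/11, "Escape special characters in CPE 2.3 formatted strings") concerns the CPE 2.3 formatted-string binding from NISTIR 7695 section 6.2.3, where letters, digits, '_', '.' and '-' are written as-is and every other printable character in an attribute value is prefixed with a backslash. The example below is added here to illustrate that binding and the failure it prevents; it is not the series' own oe/cve_check.py code and the function names (cpe23_escape, cpe23_format, cpe23_split, cpe23_unescape) are this example's. Mapping whitespace to '_' follows NVD's naming convention and is an assumption of the example, not part of the spec's escaping rule. The security point it demonstrates: an unescaped ':' in a vendor or product name shifts every following field, and an unescaped '*' or '?' turns a literal string into a wildcard, so both make CVE matching wrong in opposite directions.

```python
import re
import string

# Added example, not the project's code. CPE 2.3 formatted-string binding
# (NISTIR 7695 section 6.2.3): these characters are emitted unescaped, every
# other printable character gets a leading backslash.
_UNESCAPED = set(string.ascii_letters + string.digits + "_.-")

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE23_ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
                    "language", "sw_edition", "target_sw", "target_hw", "other")


def cpe23_escape(value):
    """Escape one attribute value for the CPE 2.3 formatted-string binding.

    The logical values ANY ("*") and NA ("-") pass through only when they are
    the whole value. Any other '*' or '?' is escaped, so a literal character
    in recipe metadata can never widen a match into a wildcard. Whitespace is
    not allowed in a CPE name; it is mapped to '_' (NVD convention, an
    assumption of this example).
    """
    if value in ("*", "-"):
        return value
    out = []
    for ch in value:
        if ch.isspace():
            out.append("_")
        elif ch in _UNESCAPED:
            out.append(ch)
        else:
            out.append("\\" + ch)
    return "".join(out)


def cpe23_format(part, vendor, product, version="*", **rest):
    """Build a CPE 2.3 formatted string, escaping every component.

    Unspecified attributes default to ANY ("*"); unknown keyword names are
    rejected rather than silently dropped.
    """
    unknown = set(rest) - set(CPE23_ATTRIBUTES)
    if unknown:
        raise ValueError("unknown CPE attributes: %s" % sorted(unknown))
    attrs = {"part": part, "vendor": vendor, "product": product, "version": version}
    for name in CPE23_ATTRIBUTES[4:]:
        attrs[name] = rest.get(name, "*")
    return "cpe:2.3:" + ":".join(cpe23_escape(attrs[n]) for n in CPE23_ATTRIBUTES)


def cpe23_split(fs):
    """Split a CPE 2.3 formatted string on unescaped colons (unbind step 1).

    Returns the 11 raw, still-escaped components keyed by attribute name.
    Raises ValueError on a bad prefix or a wrong field count, which is exactly
    what an unescaped ':' inside a value produces.
    """
    prefix = "cpe:2.3:"
    if not fs.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    fields, cur, i = [], [], len(prefix)
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):
            cur.append(fs[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != len(CPE23_ATTRIBUTES):
        raise ValueError("expected 11 components, got %d" % len(fields))
    return dict(zip(CPE23_ATTRIBUTES, fields))


def cpe23_unescape(component):
    """Undo cpe23_escape for one component; bare '*' and '-' are left as-is."""
    return re.sub(r"\\(.)", r"\1", component)


if __name__ == "__main__":
    # Constructed sample values, chosen to hit the escaping corner cases.
    fs = cpe23_format("a", "foo\\bar", "big$money_2010", "7.4.0.1570",
                      sw_edition="special", target_sw="ipod_touch", target_hw="80gb")
    print(fs)
    print(cpe23_unescape(cpe23_split(fs)["product"]))
```

cpe23_split is deliberately strict about the field count: a name built from unescaped metadata can still look like a CPE, but it parses to the wrong number of components, and rejecting it is safer than letting the shifted fields match some unrelated product.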