On Tue Feb 24, 2026 at 5:29 PM CET, Stefano Tondo wrote:
> From: Stefano Tondo <[email protected]>
>
> Extract version information for Git-based source components in SPDX 3.0
> SBOMs to improve SBOM completeness and enable better supply chain tracking.
>
> Problem:
> Git repositories fetched as SRC_URI entries currently appear in SBOMs
> without version information (software_packageVersion is null). This makes
> it difficult to track which specific revision of a dependency was used,
> reducing SBOM usefulness for security and compliance tracking.
>
> Solution:
> - Extract SRCREV for Git sources and use it as packageVersion
> - Use fd.revision attribute (the resolved Git commit)
> - Fallback to SRCREV variable if fd.revision not available
> - Use first 12 characters as version (standard Git short hash)
> - Generate pkg:github PURLs for GitHub repositories (official PURL type)
> - Add comprehensive debug logging for troubleshooting
>
> Impact:
> - Git source components now have version information
> - GitHub repositories get proper PURLs (pkg:github/owner/repo@commit)
> - Enables tracking specific commit dependencies in SBOMs
>
> Signed-off-by: Stefano Tondo <[email protected]>
> ---

Hi Stefano,

Thanks for the new version.

It looks like some selftests are failing with this:

2026-02-25 10:19:06,136 - oe-selftest - INFO - recipetool.RecipetoolCreateTests.test_recipetool_create_python3_setuptools (subunit.RemotedTestCase)
2026-02-25 10:19:06,136 - oe-selftest - INFO -  ... FAIL

Stderr:
2026-02-25 10:01:07,706 - oe-selftest - INFO - Adding: "include selftest.inc" in /srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2641922/conf/local.conf
2026-02-25 10:01:07,706 - oe-selftest - INFO - Adding: "include bblayers.inc" in bblayers.conf
2026-02-25 10:19:06,136 - oe-selftest - INFO - 0: 30/38 191/672 (18.93s) (6 failed) (recipetool.RecipetoolCreateTests.test_recipetool_create_python3_setuptools)
2026-02-25 10:19:06,136 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/recipetool.py", line 487, in test_recipetool_create_python3_setuptools
    result = runCmd('recipetool create --no-pypi -o %s %s' % (temprecipe, srcuri))
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
    raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
AssertionError: Command 'recipetool create --no-pypi -o /tmp/recipetoolqak2seh03s/recipe https://files.pythonhosted.org/packages/84/30/80932401906eaf787f2e9bd86dc458f1d2e75b064b4c187341f29516945c/python-magic-0.4.15.tar.gz' returned non-zero exit status 1:
NOTE: Reconnecting to bitbake server...
INFO: Fetching https://files.pythonhosted.org/packages/84/30/80932401906eaf787f2e9bd86dc458f1d2e75b064b4c187341f29516945c/python-magic-0.4.15.tar.gz...
Loading cache...done.
Loaded 0 entries from dependency cache.
Parsing recipes...ERROR: /tmp/recipetoolqab0ppgbe1/recipes-recipetool/recipetool/tmp-recipetool-rnbr783h.bb: AUTOREV/SRCPV set too late for the fetcher to work properly, please set the variables earlier in parsing. Erroring instead of later obtuse build failures.
ERROR: Parsing halted due to errors, see error messages above

Summary: There were 2 ERROR messages, returning a non-zero exit code.
Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/recipetool", line 111, in <module>
    ret = main()
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/recipetool", line 100, in main
    ret = args.func(args)
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/lib/recipetool/create.py", line 525, in create_recipe
    checksums, ftmpdir = scriptutils.fetch_url(tinfoil, fetchuri, srcrev, srctree, logger, preserve_tmp=args.keep_temp)
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/lib/scriptutils.py", line 202, in fetch_url
    tinfoil.parse_recipes()
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/bitbake/lib/bb/tinfoil.py", line 585, in parse_recipes
    self.run_actions(config_params)
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/bitbake/lib/bb/tinfoil.py", line 568, in run_actions
    raise TinfoilUIException(ret)
bb.tinfoil.TinfoilUIException: 1
...
2026-02-25 10:19:25,736 - oe-selftest - INFO - recipetool.RecipetoolCreateTests.test_recipetool_create_python3_setuptools_pypi (subunit.RemotedTestCase)
2026-02-25 10:19:25,737 - oe-selftest - INFO -  ... FAIL
...

And so on with I believe 17 tests.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3397
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3279

Can you have a look at these?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
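
The "Solution" list in the quoted commit message, as an added sketch in Python (not code from the patch under review, which is not shown in this message). The function names are hypothetical, the sample URIs and hashes are constructed, and two things are assumptions: that the PURL carries the same 12-character version as packageVersion, and that a revision which is not a resolved 40-hex commit (for example an unexpanded AUTOREV) yields no version rather than a guessed one.

```python
import re
from urllib.parse import urlsplit

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")  # a fully resolved Git commit id


def git_component_version(revision, short_len=12):
    """Return the short hash for a resolved commit, or None if unresolved."""
    if not revision:
        return None
    rev = revision.strip().lower()
    # Placeholders such as "${AUTOREV}" or branch names are not a version.
    if not FULL_SHA1.match(rev):
        return None
    return rev[:short_len]


def github_purl(src_uri, version):
    """Build pkg:github/owner/repo@version, or None for non-GitHub sources."""
    if version is None:
        return None
    # BitBake-style SRC_URI entries carry ';key=value' parameters after the URL.
    parts = urlsplit(src_uri.split(";", 1)[0])
    if (parts.hostname or "") != "github.com":
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        return None
    owner, repo = segments
    if repo.endswith(".git"):
        repo = repo[:-4]
    if not owner or not repo:
        return None
    # The PURL spec requires lowercase namespace and name for the github type.
    return "pkg:github/%s/%s@%s" % (owner.lower(), repo.lower(), version)


def describe_git_source(src_uri, fd_revision, srcrev):
    """Prefer the fetcher's resolved revision, fall back to SRCREV."""
    version = git_component_version(fd_revision) or git_component_version(srcrev)
    return {"packageVersion": version, "purl": github_purl(src_uri, version)}
```

Returning None for an unresolved revision keeps the SBOM field empty instead of recording a value that does not identify a commit.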
