On Mon Mar 2, 2026 at 5:01 PM CET, Stefano Tondo via lists.openembedded.org wrote:
> Extract version information for Git-based source components in SPDX 3.0
> SBOMs to improve SBOM completeness and enable better supply chain tracking.
>
> Problem:
> Git repositories fetched as SRC_URI entries currently appear in SBOMs
> without version information (software_packageVersion is null). This makes
> it difficult to track which specific revision of a dependency was used,
> reducing SBOM usefulness for security and compliance tracking.
>
> Solution:
> - Extract SRCREV for Git sources and use it as packageVersion
> - Use fd.revision attribute (the resolved Git commit)
> - Fallback to SRCREV variable if fd.revision not available
> - Use first 12 characters as version (standard Git short hash)
> - Generate pkg:github PURLs for GitHub repositories (official PURL type)
> - Add comprehensive debug logging for troubleshooting
>
> Impact:
> - Git source components now have version information
> - GitHub repositories get proper PURLs (pkg:github/owner/repo@commit)
> - Enables tracking specific commit dependencies in SBOMs
>
> Signed-off-by: Stefano Tondo <[email protected]>
> ---
Hi Stefano,
Thanks for the new version, but we again have a lot of selftests failing:
2026-03-02 17:36:16,484 - oe-selftest - INFO - devtool.DevtoolAddTests.test_devtool_add_binary (subunit.RemotedTestCase)
2026-03-02 17:36:16,484 - oe-selftest - INFO - ... FAIL
...
2026-03-02 17:36:16,486 - oe-selftest - INFO - 7: 7/29 178/673 (21.91s) (0 failed) (devtool.DevtoolAddTests.test_devtool_add_binary)
2026-03-02 17:36:16,486 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/devtool.py", line 419, in test_devtool_add_binary
    result = runCmd('devtool add -b %s %s' % (pn, bin_package_path))
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/layers/openembedded-core/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
    raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
AssertionError: Command 'devtool add -b tst-bin /tmp/devtoolqalnb521vt/tst-bin.tar.gz' returned non-zero exit status 1:
...
2026-03-02 17:36:37,300 - oe-selftest - INFO - devtool.DevtoolAddTests.test_devtool_add_fetch (subunit.RemotedTestCase)
2026-03-02 17:36:37,301 - oe-selftest - INFO - ... FAIL
...
2026-03-02 17:36:37,302 - oe-selftest - INFO - 7: 8/29 181/673 (20.82s) (2 failed) (devtool.DevtoolAddTests.test_devtool_add_fetch)
2026-03-02 17:36:37,302 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/devtool.py", line 554, in test_devtool_add_fetch
    result = runCmd('devtool add --no-pypi %s %s -f %s' % (testrecipe, srcdir, url))
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/layers/openembedded-core/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
    raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
AssertionError: Command 'devtool add --no-pypi python-markupsafe /tmp/devtoolqaamxld4_b/python-markupsafe -f https://files.pythonhosted.org/packages/c0/41/bae1254e0396c0cc8cf1751cb7d9afc90a602353695af5952530482c963f/MarkupSafe-0.23.tar.gz' returned non-zero exit status 1:
...
2026-03-02 17:37:54,668 - oe-selftest - INFO - devtool.DevtoolAddTests.test_devtool_add_fetch_simple (subunit.RemotedTestCase)
2026-03-02 17:37:54,668 - oe-selftest - INFO - ... FAIL
...
2026-03-02 17:41:18,826 - oe-selftest - INFO - devtool.DevtoolAddTests.test_devtool_add_python_egg_requires (subunit.RemotedTestCase)
2026-03-02 17:41:18,826 - oe-selftest - INFO - ... FAIL
...
Continuing with 25 test fails.
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3314
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3204
https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3434
Can you have a look at these failures?
Thanks,
Mathieu
--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
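As an added illustration of the version and PURL rules described in the quoted commit message (prefer the resolved revision, fall back to SRCREV, use the first 12 hex characters, emit pkg:github/owner/repo@commit only for GitHub hosts), here is standalone example code; it is not the patch under review and not part of the SPDX 3.0 class in openembedded-core. The function names and the choice to reject non-hex SRCREVs (a tag or branch name) rather than emit a mutable identifier as a version are my own assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import urlparse

SHORT_HASH_LEN = 12  # "standard Git short hash" length named in the commit message


def git_version(revision: Optional[str], srcrev: Optional[str]) -> Optional[str]:
    """Return a 12-char short commit id, preferring the fetcher's resolved
    revision (fd.revision) and falling back to the SRCREV variable.
    Assumption: anything that is not a >=12-char hex commit id (AUTOREV,
    a tag or branch name) yields None rather than a mutable version."""
    rev = (revision or srcrev or "").strip().lower()
    if len(rev) < SHORT_HASH_LEN or any(c not in "0123456789abcdef" for c in rev):
        return None
    return rev[:SHORT_HASH_LEN]


def split_src_uri(src_uri: str) -> Tuple[str, dict]:
    """Split a BitBake SRC_URI entry into its URL and ';key=value' options."""
    base, *opts = src_uri.split(";")
    params = dict(o.split("=", 1) for o in opts if "=" in o)
    return base, params


def github_purl(src_uri: str, version: str) -> Optional[str]:
    """Build pkg:github/owner/repo@version for git:// entries hosted on
    github.com; other hosts get no PURL (the official pkg:github type
    only covers GitHub)."""
    base, _params = split_src_uri(src_uri)
    u = urlparse(base)
    if u.scheme != "git" or u.netloc != "github.com":
        return None
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 2:
        return None
    owner, repo = parts
    if repo.endswith(".git"):
        repo = repo[: -len(".git")]
    return f"pkg:github/{owner}/{repo}@{version}"


def describe_git_source(src_uri: str, revision: Optional[str],
                        srcrev: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Combine both rules: (packageVersion, purl) for one git SRC_URI entry."""
    version = git_version(revision, srcrev)
    if version is None:
        return None, None
    return version, github_purl(src_uri, version)
```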
View/Reply Online (#232265):
https://lists.openembedded.org/g/openembedded-core/message/232265