Changes the SPDX 3 output to include a "recipe" package that describe static information available at parse time (without building). This is primarily useful for gathering SPDX 3 VEX information about some or all recipes, enabling SPDX 3 to be used in place of cve_check.bbclass and vex.bbclass.
Special thanks to Benjamin Robin <[email protected]> for helping work through this. V2: Fixes a bug where do_populate_sysroot was running when it should not be. Drops the patch to ignore ASSUME_PROVIDES recipes, since this is incorrect (this is already handled by bitbake in the taskgraph, and doesn't need to be manually removed). V3: Fixes a bug where meta-world-recipe-sbom was reporting a circular dependency. meta-world-recipe-sbom also no longer runs in world builds, as there's no reason to this. Finally, fixes a bug where NO_GENERIC_LICENSE files would fail to be found in do_create_spdx (because do_unpack was not run). V4: Fixes test cases. Adds SPDX_PACKAGE_INCLUDE_VEX to control if VEX information is linked to binary packages, or just recipes. Defaults to "0" to significantly reduce the size of the SPDX output. V5: Fixes dummy-sdk-packages to not generate SPDX output, since it does funny things with its arch which prevents it from rebuilding SPDX data properly, and no SPDX data is needed for it anyway Joshua Watt (13): llvm-project-source: Use allarch.bbclass gcc-source: Use allarch.bbclass spdx3: Add recipe SPDX data spdx3: Add recipe SBoM task spdx3: Add is-native property spdx30: Include patch file information in VEX spdx: De-duplicate CreationInfo spdx_common: Check for dependent task in task flags spdx30: Skip install package CVE information dummy-sdk-package: Disable SPDX spdx: Remove fatal errors for missing providers spdx3: Use common variable for vardeps glibc-testsuite: Do not generate SPDX meta/classes-global/sstate.bbclass | 4 +- .../create-spdx-image-3.0.bbclass | 4 +- .../create-spdx-sdk-3.0.bbclass | 4 +- meta/classes-recipe/kernel.bbclass | 2 +- meta/classes-recipe/nospdx.bbclass | 1 + meta/classes/create-spdx-2.2.bbclass | 15 +- meta/classes/create-spdx-3.0.bbclass | 87 ++- meta/classes/spdx-common.bbclass | 22 +- meta/conf/distro/include/maintainers.inc | 1 + meta/lib/oe/sbom30.py | 192 ++++--- meta/lib/oe/spdx30.py | 2 +- meta/lib/oe/spdx30_tasks.py | 496 +++++++++++++----- meta/lib/oe/spdx_common.py | 11 + meta/lib/oeqa/selftest/cases/spdx.py | 41 +- .../glibc/glibc-testsuite_2.42.bb | 1 + meta/recipes-core/meta/dummy-sdk-package.inc | 1 + .../meta/meta-world-recipe-sbom.bb | 29 + .../clang/llvm-project-source.inc | 8 +- meta/recipes-devtools/gcc/gcc-source.inc | 16 +- 19 files changed, 667 insertions(+), 270 deletions(-) create mode 100644 meta/recipes-core/meta/meta-world-recipe-sbom.bb -- 2.53.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#232384): https://lists.openembedded.org/g/openembedded-core/message/232384 Mute This Topic: https://lists.openembedded.org/mt/118135789/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
