You have extraneous changes that don't belong in this patch set, but otherwise I'm fine with the addition of SPDX_IMAGE_SUPPLIER and SPDX_SDK_SUPPLIER
On Fri, Mar 6, 2026 at 7:00 AM Stefano Tondo via lists.openembedded.org <[email protected]> wrote: > > This commit adds support for setting supplier information on image and SDK > SBOMs using the suppliedBy property on root elements. > > New configuration variables: > > SPDX_IMAGE_SUPPLIER (optional): > - Base variable name to describe the Agent supplying the image SBOM > - Follows the same Agent variable pattern as SPDX_PACKAGE_SUPPLIER > - Sets suppliedBy on all root elements of the image SBOM > > SPDX_SDK_SUPPLIER (optional): > - Base variable name to describe the Agent supplying the SDK SBOM > - Follows the same Agent variable pattern as SPDX_PACKAGE_SUPPLIER > - Sets suppliedBy on all root elements of the SDK SBOM > > Implementation: > > - create_image_sbom_spdx(): After create_sbom() returns, uses > objset.new_agent() to create supplier and sets suppliedBy on > sbom.rootElement > > - create_sdk_sbom(): After create_sbom() returns, uses objset.new_agent() > to create supplier and sets suppliedBy on sbom.rootElement > > - Uses existing agent infrastructure (objset.new_agent()) for proper > de-duplication and metadata handling > > - No changes to generic create_sbom() function which is used for recipes, > images, and SDKs > > Usage example in local.conf: > > SPDX_IMAGE_SUPPLIER_name = "Acme Corporation" > SPDX_IMAGE_SUPPLIER_type = "organization" > SPDX_IMAGE_SUPPLIER_id_email = "[email protected]" > > This enables compliance workflows that require supplier metadata on image > and SDK SBOMs while following existing OpenEmbedded SPDX patterns. > > Signed-off-by: Stefano Tondo <[email protected]> > --- > meta/classes/create-spdx-3.0.bbclass | 10 ++++++++++ > meta/lib/oe/spdx30_tasks.py | 26 +++++++++++++++++++++++--- > 2 files changed, 33 insertions(+), 3 deletions(-) > > diff --git a/meta/classes/create-spdx-3.0.bbclass > b/meta/classes/create-spdx-3.0.bbclass > index d4575d61c4..def2dacbc3 100644 > --- a/meta/classes/create-spdx-3.0.bbclass 
> +++ b/meta/classes/create-spdx-3.0.bbclass > @@ -124,6 +124,16 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to > describe the Agent on who's > SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent > who \ > is supplying artifacts produced by the build" > > +SPDX_IMAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who > \ > + is supplying the image SBOM. The supplier will be set on all root > elements \ > + of the image SBOM using the suppliedBy property. If not set, no supplier > \ > + information will be added to the image SBOM." > + > +SPDX_SDK_SUPPLIER[doc] = "The base variable name to describe the Agent who \ > + is supplying the SDK SBOM. The supplier will be set on all root elements > \ > + of the SDK SBOM using the suppliedBy property. If not set, no supplier \ > + information will be added to the SDK SBOM." > + > SPDX_PACKAGE_VERSION ??= "${PV}" > SPDX_PACKAGE_VERSION[doc] = "The version of a package, > software_packageVersion \ > in software_Package" > diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index bd703b5bec..0888d9d7e4 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py > @@ -162,7 +162,7 @@ def add_package_files( > bb.debug(1, f"Total compiled files: {len(compiled_sources)}") > > # File filtering configuration > - spdx_file_filter = (d.getVar("SPDX_FILE_FILTER") or "all").lower() > + spdx_file_filter = (d.getVar("SPDX_FILES_INCLUDED") or "all").lower() > essential_patterns = (d.getVar("SPDX_FILE_ESSENTIAL_PATTERNS") or > "").split() > exclude_patterns = (d.getVar("SPDX_FILE_EXCLUDE_PATTERNS") or "").split() 
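Review bot: The two new `[doc]` strings say the variable is "the base variable name" for an Agent but never tell the user which sub-variables actually carry the data, so someone reading `bitbake -e` or the variable docs has to find SPDX_PACKAGE_SUPPLIER's convention elsewhere; the commit message and the `SPDX_IMAGE_SUPPLIER_name` / `_type` / `_id_email` example make the convention clear and it belongs in the doc. I would append to each string a sentence such as `"It takes the same _name, _type and _id_* sub-variables as SPDX_PACKAGE_SUPPLIER."` so the bbclass is self-describing. The two doc strings and the trailing `SPDX_PACKAGE_VERSION` context are the whole of this hunk; no code is affected.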
> > @@ -244,7 +244,7 @@ def add_package_files( > def get_package_sources_from_debug( > d, package, package_files, sources, source_hash_cache > ): > - spdx_file_filter = (d.getVar("SPDX_FILE_FILTER") or "all").lower() > + spdx_file_filter = (d.getVar("SPDX_FILES_INCLUDED") or "all").lower() > > def file_path_match(file_path, pkg_file): > if file_path.lstrip("/") == pkg_file.name.lstrip("/"): > @@ -283,7 +283,7 @@ def get_package_sources_from_debug( > if spdx_file_filter in ("none", "essential"): > bb.debug( > 1, > - f"Skipping debug source lookup for {file_path} in > {package} (filtered by SPDX_FILE_FILTER={spdx_file_filter})", > + f"Skipping debug source lookup for {file_path} in > {package} (filtered by SPDX_FILES_INCLUDED={spdx_file_filter})", > ) > continue > else: > @@ -1330,6 +1330,16 @@ def create_image_sbom_spdx(d): > > objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements) > > + # Set supplier on root elements if SPDX_IMAGE_SUPPLIER is defined > + supplier = objset.new_agent("SPDX_IMAGE_SUPPLIER", add=False) > + if supplier is not None: > + supplier_id = supplier if isinstance(supplier, str) else supplier._id > + if not isinstance(supplier, str): > + objset.add(supplier) > + for elem in sbom.rootElement: > + if hasattr(elem, "suppliedBy"): > + elem.suppliedBy = supplier_id > + > oe.sbom30.write_jsonld_doc(d, objset, spdx_path) > > def make_image_link(target_path, suffix): 
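Review bot: The eight-line supplier block added after `create_sbom()` in create_image_sbom_spdx is repeated byte-for-byte in create_sdk_sbom later in this series, including the `isinstance(supplier, str)` branch that is evaluated twice and the `hasattr(elem, "suppliedBy")` guard; two copies of agent-handling logic will drift apart the first time one of them is fixed. I would extract a module-level helper that takes the objset, the sbom and the variable name and have both call sites use it, which also gives one place to log root elements that are skipped because they carry no `suppliedBy` property (the current code silently drops them, which matters for a feature added for compliance workflows). The surrounding create_image_sbom_spdx starts before and ends after this hunk, so the call site shown below is placed by its neighbouring `create_sbom()` line only. I have kept the `supplier._id` access and the string-id branch as the patch has them, since what `objset.new_agent()` returns is not visible here.

```python
def _set_root_supplier(objset, sbom, var_name):
    """Set suppliedBy on every root element of *sbom* to the Agent described by *var_name*.

    Does nothing when the variable is unset. Root elements without a
    suppliedBy property are left untouched and reported at debug level.
    """
    supplier = objset.new_agent(var_name, add=False)
    if supplier is None:
        return
    if isinstance(supplier, str):
        supplier_id = supplier
    else:
        objset.add(supplier)
        supplier_id = supplier._id
    for elem in sbom.rootElement:
        if hasattr(elem, "suppliedBy"):
            elem.suppliedBy = supplier_id
        else:
            bb.debug(1, f"{var_name}: root element {elem} has no suppliedBy property, not setting supplier")

# … unchanged: create_image_sbom_spdx up to and including the create_sbom() call …
    _set_root_supplier(objset, sbom, "SPDX_IMAGE_SUPPLIER")
```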
> @@ -1441,6 +1451,16 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, > toolchain_outputname): > d, toolchain_outputname, sorted(list(files)), [rootfs_objset] > ) > > + # Set supplier on root elements if SPDX_SDK_SUPPLIER is defined > + supplier = objset.new_agent("SPDX_SDK_SUPPLIER", add=False) > + if supplier is not None: > + supplier_id = supplier if isinstance(supplier, str) else supplier._id > + if not isinstance(supplier, str): > + objset.add(supplier) > + for elem in sbom.rootElement: > + if hasattr(elem, "suppliedBy"): > + elem.suppliedBy = supplier_id > + > oe.sbom30.write_jsonld_doc( > d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json") > ) > -- > 2.53.0 > > > >
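Review bot: In the SDK hunk the `if hasattr(elem, "suppliedBy")` guard means a root element that lacks the property is skipped with no diagnostic, so a user who set SPDX_SDK_SUPPLIER for a compliance requirement can end up with an SDK SBOM that carries no supplier and nothing in the build log to say why. At minimum I would add an `else:` branch, `bb.debug(1, f"SPDX_SDK_SUPPLIER: root element {elem} has no suppliedBy property, not setting supplier")`, and the same for the image path. The `supplier if isinstance(supplier, str) else supplier._id` line also deserves a one-line comment stating that `objset.new_agent(..., add=False)` presumably returns the id of an already-registered agent as a plain string — that is inferred from the branch, not visible here, and a reader will otherwise wonder why the agent is only added in one case. create_sdk_sbom starts before this hunk and the `write_jsonld_doc` call continues past it.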
