[OE-core][PATCH 1/2] spdx3: introduce SPDX_SBOM_EXT variable

Tue, 12 May 2026 10:02:37 -0700 

In preparation for upcoming work, introduce a new SPDX_SBOM_EXT variable
explicitly telling the file extension name for SBOMs.

Keep the default value ".spdx.json" to maintain compatibility with the
current behavior.

Co-authored-by: Benjamin Robin (Schneider Electric) <[email protected]>
Signed-off-by: Jérémie Dautheribes (Schneider Electric) 
<[email protected]>
---
 meta/classes-recipe/sbom-cve-check.bbclass |  2 +-
 meta/classes/create-spdx-3.0.bbclass       |  3 +++
 meta/classes/sbom-cve-check-recipe.bbclass |  2 +-
 meta/lib/oe/spdx30_tasks.py                | 12 +++++++-----
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass 
b/meta/classes-recipe/sbom-cve-check.bbclass
index fe145a2212..ddecb82e52 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -14,7 +14,7 @@ python do_sbom_cve_check() {
     """
     Task: Run sbom-cve-check analysis on SBOM.
     """
-    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
+    sbom_path = 
d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}${SPDX_SBOM_EXT}")
     image_name = d.getVar("IMAGE_NAME")
     link_name = d.getVar("IMAGE_LINK_NAME")
     run_sbom_cve_check(d, sbom_path, image_name, link_name)
diff --git a/meta/classes/create-spdx-3.0.bbclass 
b/meta/classes/create-spdx-3.0.bbclass
index 56fd01fd53..785edb9865 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -74,6 +74,9 @@ SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that 
describes how to \
             algorithms, as described by the HashAlgorithm vocabulary in the\
             SPDX 3 spec. Optional but recommended"
 
+SPDX_SBOM_EXT ??= ".spdx.json"
+SPDX_SBOM_EXT[doc] = "SBOM file extension name."
+
 # Agents
 #   Bitbake variables can be used to describe an SPDX Agent that may be used
 #   during the build. An Agent is specified using a set of variables which all
diff --git a/meta/classes/sbom-cve-check-recipe.bbclass 
b/meta/classes/sbom-cve-check-recipe.bbclass
index c80b8ac83f..eaad73ddaf 100644
--- a/meta/classes/sbom-cve-check-recipe.bbclass
+++ b/meta/classes/sbom-cve-check-recipe.bbclass
@@ -16,7 +16,7 @@ python do_sbom_cve_check_recipe() {
     """
     Task: Run sbom-cve-check analysis on a recipe SBOM.
     """
-    sbom_path = 
d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}.spdx.json")
+    sbom_path = 
d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}${SPDX_SBOM_EXT}")
     recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
     run_sbom_cve_check(d, sbom_path, recipe)
 }
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 1821dd7de4..63d93c7901 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -1526,8 +1526,9 @@ def create_image_sbom_spdx(d):
     image_link_name = d.getVar("IMAGE_LINK_NAME")
     imgdeploydir = Path(d.getVar("SPDXIMAGEDEPLOYDIR"))
     machine = d.getVar("MACHINE")
+    sbom_ext = d.getVar("SPDX_SBOM_EXT")
 
-    spdx_path = imgdeploydir / (image_name + ".spdx.json")
+    spdx_path = imgdeploydir / f"{image_name}{sbom_ext}"
 
     root_elements = []
 
@@ -1567,7 +1568,7 @@ def create_image_sbom_spdx(d):
             if link != target_path:
                 link.symlink_to(os.path.relpath(target_path, link.parent))
 
-    make_image_link(spdx_path, ".spdx.json")
+    make_image_link(spdx_path, sbom_ext)
 
 
 def sdk_create_spdx(d, sdk_type, spdx_work_dir, toolchain_outputname):
@@ -1603,6 +1604,7 @@ def sdk_create_spdx(d, sdk_type, spdx_work_dir, 
toolchain_outputname):
 
 
 def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
+    sbom_ext = d.getVar("SPDX_SBOM_EXT")
     # Load the document written earlier
     rootfs_objset = oe.sbom30.load_jsonld(
         d, spdx_work_dir / "sdk-rootfs.spdx.json", required=True
@@ -1681,15 +1683,15 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, 
toolchain_outputname):
                 elem.suppliedBy = supplier_id
 
     oe.sbom30.write_jsonld_doc(
-        d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json")
+        d, objset, sdk_deploydir / f"{toolchain_outputname}{sbom_ext}"
     )
 
 
 def create_recipe_sbom(d, deploydir):
     sbom_name = d.getVar("SPDX_RECIPE_SBOM_NAME")
-
+    sbom_ext = d.getVar("SPDX_SBOM_EXT")
     recipe, recipe_objset = load_recipe_spdx(d)
 
     objset, sbom = oe.sbom30.create_sbom(d, sbom_name, [recipe], 
[recipe_objset])
 
-    oe.sbom30.write_jsonld_doc(d, objset, deploydir / (sbom_name + 
".spdx.json"))
+    oe.sbom30.write_jsonld_doc(d, objset, deploydir / f"{sbom_name}{sbom_ext}")

-- 
2.54.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#236896): 
https://lists.openembedded.org/g/openembedded-core/message/236896
Mute This Topic: https://lists.openembedded.org/mt/119282963/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
  • [OE-core][PATCH 0/2] ... Jérémie Dautheribes via lists . openembedded . org
    • [OE-core][PATCH ... Jérémie Dautheribes via lists . openembedded . org
    • [OE-core][PATCH ... Jérémie Dautheribes via lists . openembedded . org
      • Re: [OE-core... Richard Purdie via lists.openembedded.org
      • Re: [OE-core... Joshua Watt via lists.openembedded.org
        • Re: [OE-... Joshua Watt via lists.openembedded.org
          • Re: ... Benjamin Robin via lists.openembedded.org
            • ... Jérémie Dautheribes via lists . openembedded . org
        • Re: [OE-... Benjamin Robin via lists.openembedded.org
        • Re: [OE-... Jérémie Dautheribes via lists . openembedded . org
          • Re: ... Peter Kjellerstedt via lists.openembedded.org

Reply via email to