On 13/05/2026 09:47, Jérémie Dautheribes via lists.openembedded.org wrote:
Hello Joshua,

On 13/05/2026 00:27, Joshua Watt wrote:
On Tue, May 12, 2026 at 11:02 AM Jérémie Dautheribes via lists.openembedded.org <[email protected]> wrote:

Add support for optional zstd compression for all types of SBOMs,
including:
   - image SBOM
   - recipe SBOM
   - SDK SBOM

Zstd compression is applied if SPDX_SBOM_EXT ends with ".zst".

Co-authored-by: Benjamin Robin (Schneider Electric) <[email protected]>
Signed-off-by: Jérémie Dautheribes (Schneider Electric) <[email protected]>
---
  meta/classes/create-spdx-3.0.bbclass |  3 ++-
  meta/lib/oe/sbom30.py                | 11 +++++++++--
  2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/ create-spdx-3.0.bbclass
index 785edb9865..6cf8fa4688 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -75,7 +75,8 @@ SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
              SPDX 3 spec. Optional but recommended"

  SPDX_SBOM_EXT ??= ".spdx.json"
-SPDX_SBOM_EXT[doc] = "SBOM file extension name."
+SPDX_SBOM_EXT[doc] = "SBOM file extension name.\
+    If it ends with '.zst', SBOMs are automatically compressed using Zstd."

  # Agents
  #   Bitbake variables can be used to describe an SPDX Agent that may be used
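
Review bot: The new SPDX_SBOM_EXT[doc] string continues the line as `name.\` with no space before the backslash, while the SPDX_IMPORTS[doc] context at the top of this hunk ends its line with a space and then the backslash; match that style so the doc strings in this class read consistently. Since the variable now selects the encoding as well as the file name, the doc text could also say that the default ".spdx.json" value produces uncompressed output.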
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0f1f9281ad..2184c1a07f 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -1036,8 +1036,15 @@ def write_jsonld_doc(d, objset, dest):
          serializer = oe.spdx30.JSONLDInlineSerializer()

      objset.objects.add(objset.doc)
-    with dest.open("wb") as f:
-        serializer.write(objset, f, force_at_graph=True)
+
+    if dest.name.endswith(".zst"):
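
Review bot: The `if dest.name.endswith(".zst"):` check inside write_jsonld_doc makes the on-disk encoding depend on the file name the caller passes in, so every caller of this function gets compression implicitly from its path and nothing in the signature shows it. Suggest taking the choice as an explicit argument to write_jsonld_doc, set by the SBOM callers, and keeping the suffix purely as naming. If the suffix check stays, note in a comment that the comparison is case-sensitive.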

I'm not sure I like this detection mechanism; I think we usually do
something more explicit for compression rather than relying on the
suffix in other places?

Maybe we should then introduce a SPDX_COMPRESSED_SBOM boolean variable,
which would be used by SPDX_SBOM_EXT_SUFFIX to determine whether ".zst"
is appended to the SBOM file name or not. Then, we could check in the
`write_jsonld_doc` function whether compression is enabled based on this
SPDX_COMPRESSED_SBOM variable.


After further thought, that solution would not work well since
`write_jsonld_doc` is not only used for SBOM generation.

--
Jérémie Dautheribes, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
