Re: [OE-core] [PATCH v2] create-spdx: Don't collect natives sources

2021-09-24 Thread Joshua Watt
On Fri, Sep 24, 2021, 2:16 AM Richard Purdie <
richard.pur...@linuxfoundation.org> wrote:

> On Thu, 2021-09-23 at 17:14 -0500, Joshua Watt wrote:
> > On 9/23/21 5:07 PM, Joshua Watt wrote:
> > >
> > > On 9/23/21 4:29 PM, Saul Wold wrote:
> > > >
> > > >
> > > > On 9/23/21 2:05 PM, Joshua Watt wrote:
> > > > >
> > > > > On 9/23/21 3:53 PM, Saul Wold wrote:
> > > > > > Extend the SPDXPackage to include is_native so it can be used
> later in
> > > > > > the processing.
> > > > > >
> > > > > > When the collect_dep_sources() runs, it collects sources from
> both
> > > > > > native
> > > > > > and non-native recipes. Later when the GENERATED_FROM matching
> > > > > > occurs it
> > > > > > may find the file (via checksum) from the native recipe since
> it's the
> > > > > > same checksum as the target file. The that are generated
> DocumentRefs
> > > > > > point to the native recipe rather than the target recipe
> DocumentRef.
> > > > > >
> > > > > > Signed-off-by: Saul Wold 
> > > > > > ---
> > > > > >   meta/classes/create-spdx.bbclass | 11 +--
> > > > > >   meta/lib/oe/spdx.py  |  1 +
> > > > > >   2 files changed, 10 insertions(+), 2 deletions(-)
> > > > > >
> > > > > > diff --git a/meta/classes/create-spdx.bbclass
> > > > > > b/meta/classes/create-spdx.bbclass
> > > > > > index 3c73c21c04..e565f0bf6c 100644
> > > > > > --- a/meta/classes/create-spdx.bbclass
> > > > > > +++ b/meta/classes/create-spdx.bbclass
> > > > > > @@ -336,6 +336,10 @@ def collect_dep_sources(d, dep_recipes):
> > > > > >   sources = {}
> > > > > >   for dep in dep_recipes:
> > > > > > +# Don't collect sources from native recipes as they
> > > > > > +# match non-native sources also.
> > > > > > +if dep.recipe.is_native == "True":
> > > > > > +continue
> > > > > >   recipe_files = set(dep.recipe.hasFiles)
> > > > > >   for spdx_file in dep.doc.files:
> > > > > > @@ -382,7 +386,6 @@ python do_create_spdx() {
> > > > > >   include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
> > > > > >   archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
> > > > > >   archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
> > > > > > -is_native = bb.data.inherits_class("native", d)
> > > > > >   creation_time =
> > > > > > datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
> > > > > > @@ -401,6 +404,10 @@ python do_create_spdx() {
> > > > > >   recipe.name = d.getVar("PN")
> > > > > >   recipe.versionInfo = d.getVar("PV")
> > > > > >   recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
> > > > > > +if bb.data.inherits_class("native", d):
> > > > > > +recipe.is_native = "True"
> > > > > > +else:
> > > > > > +recipe.is_native = "False"
> > > > > >   for s in d.getVar('SRC_URI').split():
> > > > > >   if not s.startswith("file://"):
> > > > > > @@ -480,7 +487,7 @@ python do_create_spdx() {
> > > > > >   sources = collect_dep_sources(d, dep_recipes)
> > > > > >   found_licenses = {license.name:recipe_ref.externalDocumentId
>
> > > > > > + ":" + license.licenseId for license in
> > > > > > doc.hasExtractedLicensingInfos}
> > > > > > -if not is_native:
> > > > > > +if recipe.is_native is "False":
> > > > > >   bb.build.exec_func("read_subpackage_metadata", d)
> > > > > >   pkgdest = Path(d.getVar("PKGDEST"))
> > > > > > diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
> > > > > > index 9814fbfd66..452148f339 100644
> > > > > > --- a/meta/lib/oe/spdx.py
> > > > > > +++ b/meta/lib/oe/spdx.py
> > > > > > @@ -164,6 +164,7 @@ class SPDXPackage(SPDXObject):
> > > > > >   packageVerificationCode =
> _Object(SPDXPackageVerificationCode)
> > > > > >   hasFiles = _StringList()
> > > > > >   packageFileName = _String()
> > > > > > +is_native = _String()
> > > > >
> > > > > It's probably not well documented in this file, but this has to
> > > > > match to the SPDX standard; we can't add arbitrary fields here.
> When
> > > > > I was referring to an "annotation" I was specifcially referring to
> > > > > an SPDX annotation:
> > > > >
> > > > I should have figured that!
> > > >
> > > > > https://spdx.github.io/spdx-spec/8-annotations/
> > > > >
> > > > > We'd need to decide on some schema for encoding the data in the
> > > > > annotation
> > > > >
> > > > So we need to create an SPDXAnnotation type on spdx.py and define
> > > > what we want in the AnnotationComment field?
> > >
> > > Exactly. We can use the tool field to indicate that this is data we
> > > care about for a specific annotation, then put JSON or something in
> > > the annotation itself.
> >
> >
> > Also, I forgot to mention but I found it really hard to convert the
> > normal SPDX spec document into the structure we need for JSON encoding
> > in spdx.py. I found it *much* easier to decipher the actual SPDX JSON
> > schema document:
> >
> >
> 

Re: [OE-core] [PATCH v2] create-spdx: Don't collect natives sources

2021-09-24 Thread Richard Purdie
On Thu, 2021-09-23 at 17:14 -0500, Joshua Watt wrote:
> On 9/23/21 5:07 PM, Joshua Watt wrote:
> > 
> > On 9/23/21 4:29 PM, Saul Wold wrote:
> > > 
> > > 
> > > On 9/23/21 2:05 PM, Joshua Watt wrote:
> > > > 
> > > > On 9/23/21 3:53 PM, Saul Wold wrote:
> > > > > Extend the SPDXPackage to include is_native so it can be used later in
> > > > > the processing.
> > > > > 
> > > > > When the collect_dep_sources() runs, it collects sources from both 
> > > > > native
> > > > > and non-native recipes. Later when the GENERATED_FROM matching 
> > > > > occurs it
> > > > > may find the file (via checksum) from the native recipe since it's the
> > > > > same checksum as the target file. The that are generated DocumentRefs
> > > > > point to the native recipe rather than the target recipe DocumentRef.
> > > > > 
> > > > > Signed-off-by: Saul Wold 
> > > > > ---
> > > > >   meta/classes/create-spdx.bbclass | 11 +--
> > > > >   meta/lib/oe/spdx.py  |  1 +
> > > > >   2 files changed, 10 insertions(+), 2 deletions(-)
> > > > > 
> > > > > diff --git a/meta/classes/create-spdx.bbclass 
> > > > > b/meta/classes/create-spdx.bbclass
> > > > > index 3c73c21c04..e565f0bf6c 100644
> > > > > --- a/meta/classes/create-spdx.bbclass
> > > > > +++ b/meta/classes/create-spdx.bbclass
> > > > > @@ -336,6 +336,10 @@ def collect_dep_sources(d, dep_recipes):
> > > > >   sources = {}
> > > > >   for dep in dep_recipes:
> > > > > +    # Don't collect sources from native recipes as they
> > > > > +    # match non-native sources also.
> > > > > +    if dep.recipe.is_native == "True":
> > > > > +    continue
> > > > >   recipe_files = set(dep.recipe.hasFiles)
> > > > >   for spdx_file in dep.doc.files:
> > > > > @@ -382,7 +386,6 @@ python do_create_spdx() {
> > > > >   include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
> > > > >   archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
> > > > >   archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
> > > > > -    is_native = bb.data.inherits_class("native", d)
> > > > >   creation_time = 
> > > > > datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
> > > > > @@ -401,6 +404,10 @@ python do_create_spdx() {
> > > > >   recipe.name = d.getVar("PN")
> > > > >   recipe.versionInfo = d.getVar("PV")
> > > > >   recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
> > > > > +    if bb.data.inherits_class("native", d):
> > > > > +    recipe.is_native = "True"
> > > > > +    else:
> > > > > +    recipe.is_native = "False"
> > > > >   for s in d.getVar('SRC_URI').split():
> > > > >   if not s.startswith("file://"):
> > > > > @@ -480,7 +487,7 @@ python do_create_spdx() {
> > > > >   sources = collect_dep_sources(d, dep_recipes)
> > > > >   found_licenses = {license.name:recipe_ref.externalDocumentId 
> > > > > + ":" + license.licenseId for license in 
> > > > > doc.hasExtractedLicensingInfos}
> > > > > -    if not is_native:
> > > > > +    if recipe.is_native is "False":
> > > > >   bb.build.exec_func("read_subpackage_metadata", d)
> > > > >   pkgdest = Path(d.getVar("PKGDEST"))
> > > > > diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
> > > > > index 9814fbfd66..452148f339 100644
> > > > > --- a/meta/lib/oe/spdx.py
> > > > > +++ b/meta/lib/oe/spdx.py
> > > > > @@ -164,6 +164,7 @@ class SPDXPackage(SPDXObject):
> > > > >   packageVerificationCode = _Object(SPDXPackageVerificationCode)
> > > > >   hasFiles = _StringList()
> > > > >   packageFileName = _String()
> > > > > +    is_native = _String()
> > > > 
> > > > It's probably not well documented in this file, but this has to 
> > > > match to the SPDX standard; we can't add arbitrary fields here. When 
> > > > I was referring to an "annotation" I was specifcially referring to 
> > > > an SPDX annotation:
> > > > 
> > > I should have figured that!
> > > 
> > > > https://spdx.github.io/spdx-spec/8-annotations/
> > > > 
> > > > We'd need to decide on some schema for encoding the data in the 
> > > > annotation
> > > > 
> > > So we need to create an SPDXAnnotation type on spdx.py and define 
> > > what we want in the AnnotationComment field?
> > 
> > Exactly. We can use the tool field to indicate that this is data we 
> > care about for a specific annotation, then put JSON or something in 
> > the annotation itself.
> 
> 
> Also, I forgot to mention but I found it really hard to convert the 
> normal SPDX spec document into the structure we need for JSON encoding 
> in spdx.py. I found it *much* easier to decipher the actual SPDX JSON 
> schema document:
> 
> https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json
> 
> 

Could someone put a few comments into the code just so that we don't forget some
of these constraints in future please?

Cheers,

Richard



Re: [OE-core] [PATCH v2] create-spdx: Don't collect natives sources

2021-09-23 Thread Joshua Watt


On 9/23/21 5:07 PM, Joshua Watt wrote:


On 9/23/21 4:29 PM, Saul Wold wrote:



On 9/23/21 2:05 PM, Joshua Watt wrote:


On 9/23/21 3:53 PM, Saul Wold wrote:

Extend the SPDXPackage to include is_native so it can be used later in
the processing.

When the collect_dep_sources() runs, it collects sources from both 
native
and non-native recipes. Later when the GENERATED_FROM matching 
occurs it

may find the file (via checksum) from the native recipe since it's the
same checksum as the target file. The that are generated DocumentRefs
point to the native recipe rather than the target recipe DocumentRef.

Signed-off-by: Saul Wold 
---
  meta/classes/create-spdx.bbclass | 11 +--
  meta/lib/oe/spdx.py  |  1 +
  2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/meta/classes/create-spdx.bbclass 
b/meta/classes/create-spdx.bbclass

index 3c73c21c04..e565f0bf6c 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -336,6 +336,10 @@ def collect_dep_sources(d, dep_recipes):
  sources = {}
  for dep in dep_recipes:
+    # Don't collect sources from native recipes as they
+    # match non-native sources also.
+    if dep.recipe.is_native == "True":
+    continue
  recipe_files = set(dep.recipe.hasFiles)
  for spdx_file in dep.doc.files:
@@ -382,7 +386,6 @@ python do_create_spdx() {
  include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
  archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
  archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
-    is_native = bb.data.inherits_class("native", d)
  creation_time = 
datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

@@ -401,6 +404,10 @@ python do_create_spdx() {
  recipe.name = d.getVar("PN")
  recipe.versionInfo = d.getVar("PV")
  recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+    if bb.data.inherits_class("native", d):
+    recipe.is_native = "True"
+    else:
+    recipe.is_native = "False"
  for s in d.getVar('SRC_URI').split():
  if not s.startswith("file://"):
@@ -480,7 +487,7 @@ python do_create_spdx() {
  sources = collect_dep_sources(d, dep_recipes)
  found_licenses = {license.name:recipe_ref.externalDocumentId 
+ ":" + license.licenseId for license in 
doc.hasExtractedLicensingInfos}

-    if not is_native:
+    if recipe.is_native is "False":
  bb.build.exec_func("read_subpackage_metadata", d)
  pkgdest = Path(d.getVar("PKGDEST"))
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index 9814fbfd66..452148f339 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -164,6 +164,7 @@ class SPDXPackage(SPDXObject):
  packageVerificationCode = _Object(SPDXPackageVerificationCode)
  hasFiles = _StringList()
  packageFileName = _String()
+    is_native = _String()


It's probably not well documented in this file, but this has to 
match to the SPDX standard; we can't add arbitrary fields here. When 
I was referring to an "annotation" I was specifcially referring to 
an SPDX annotation:



I should have figured that!


https://spdx.github.io/spdx-spec/8-annotations/

We'd need to decide on some schema for encoding the data in the 
annotation


So we need to create an SPDXAnnotation type on spdx.py and define 
what we want in the AnnotationComment field?


Exactly. We can use the tool field to indicate that this is data we 
care about for a specific annotation, then put JSON or something in 
the annotation itself.



Also, I forgot to mention but I found it really hard to convert the 
normal SPDX spec document into the structure we need for JSON encoding 
in spdx.py. I found it *much* easier to decipher the actual SPDX JSON 
schema document:


https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json





Sua!


  class SPDXFile(SPDXObject):






Re: [OE-core] [PATCH v2] create-spdx: Don't collect natives sources

2021-09-23 Thread Joshua Watt


On 9/23/21 4:29 PM, Saul Wold wrote:



On 9/23/21 2:05 PM, Joshua Watt wrote:


On 9/23/21 3:53 PM, Saul Wold wrote:

Extend the SPDXPackage to include is_native so it can be used later in
the processing.

When the collect_dep_sources() runs, it collects sources from both 
native
and non-native recipes. Later when the GENERATED_FROM matching 
occurs it

may find the file (via checksum) from the native recipe since it's the
same checksum as the target file. The that are generated DocumentRefs
point to the native recipe rather than the target recipe DocumentRef.

Signed-off-by: Saul Wold 
---
  meta/classes/create-spdx.bbclass | 11 +--
  meta/lib/oe/spdx.py  |  1 +
  2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/meta/classes/create-spdx.bbclass 
b/meta/classes/create-spdx.bbclass

index 3c73c21c04..e565f0bf6c 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -336,6 +336,10 @@ def collect_dep_sources(d, dep_recipes):
  sources = {}
  for dep in dep_recipes:
+    # Don't collect sources from native recipes as they
+    # match non-native sources also.
+    if dep.recipe.is_native == "True":
+    continue
  recipe_files = set(dep.recipe.hasFiles)
  for spdx_file in dep.doc.files:
@@ -382,7 +386,6 @@ python do_create_spdx() {
  include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
  archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
  archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
-    is_native = bb.data.inherits_class("native", d)
  creation_time = 
datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

@@ -401,6 +404,10 @@ python do_create_spdx() {
  recipe.name = d.getVar("PN")
  recipe.versionInfo = d.getVar("PV")
  recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+    if bb.data.inherits_class("native", d):
+    recipe.is_native = "True"
+    else:
+    recipe.is_native = "False"
  for s in d.getVar('SRC_URI').split():
  if not s.startswith("file://"):
@@ -480,7 +487,7 @@ python do_create_spdx() {
  sources = collect_dep_sources(d, dep_recipes)
  found_licenses = {license.name:recipe_ref.externalDocumentId + 
":" + license.licenseId for license in doc.hasExtractedLicensingInfos}

-    if not is_native:
+    if recipe.is_native is "False":
  bb.build.exec_func("read_subpackage_metadata", d)
  pkgdest = Path(d.getVar("PKGDEST"))
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index 9814fbfd66..452148f339 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -164,6 +164,7 @@ class SPDXPackage(SPDXObject):
  packageVerificationCode = _Object(SPDXPackageVerificationCode)
  hasFiles = _StringList()
  packageFileName = _String()
+    is_native = _String()


It's probably not well documented in this file, but this has to match 
to the SPDX standard; we can't add arbitrary fields here. When I was 
referring to an "annotation" I was specifcially referring to an SPDX 
annotation:



I should have figured that!


https://spdx.github.io/spdx-spec/8-annotations/

We'd need to decide on some schema for encoding the data in the 
annotation


So we need to create an SPDXAnnotation type on spdx.py and define what 
we want in the AnnotationComment field?


Exactly. We can use the tool field to indicate that this is data we care 
about for a specific annotation, then put JSON or something in the 
annotation itself.




Sua!


  class SPDXFile(SPDXObject):






Re: [OE-core] [PATCH v2] create-spdx: Don't collect natives sources

2021-09-23 Thread Saul Wold



On 9/23/21 2:05 PM, Joshua Watt wrote:


On 9/23/21 3:53 PM, Saul Wold wrote:

Extend the SPDXPackage to include is_native so it can be used later in
the processing.

When the collect_dep_sources() runs, it collects sources from both native
and non-native recipes. Later when the GENERATED_FROM matching occurs it
may find the file (via checksum) from the native recipe since it's the
same checksum as the target file. The that are generated DocumentRefs
point to the native recipe rather than the target recipe DocumentRef.

Signed-off-by: Saul Wold 
---
  meta/classes/create-spdx.bbclass | 11 +--
  meta/lib/oe/spdx.py  |  1 +
  2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/meta/classes/create-spdx.bbclass 
b/meta/classes/create-spdx.bbclass

index 3c73c21c04..e565f0bf6c 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -336,6 +336,10 @@ def collect_dep_sources(d, dep_recipes):
  sources = {}
  for dep in dep_recipes:
+    # Don't collect sources from native recipes as they
+    # match non-native sources also.
+    if dep.recipe.is_native == "True":
+    continue
  recipe_files = set(dep.recipe.hasFiles)
  for spdx_file in dep.doc.files:
@@ -382,7 +386,6 @@ python do_create_spdx() {
  include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
  archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
  archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
-    is_native = bb.data.inherits_class("native", d)
  creation_time = 
datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

@@ -401,6 +404,10 @@ python do_create_spdx() {
  recipe.name = d.getVar("PN")
  recipe.versionInfo = d.getVar("PV")
  recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+    if bb.data.inherits_class("native", d):
+    recipe.is_native = "True"
+    else:
+    recipe.is_native = "False"
  for s in d.getVar('SRC_URI').split():
  if not s.startswith("file://"):
@@ -480,7 +487,7 @@ python do_create_spdx() {
  sources = collect_dep_sources(d, dep_recipes)
  found_licenses = {license.name:recipe_ref.externalDocumentId + 
":" + license.licenseId for license in doc.hasExtractedLicensingInfos}

-    if not is_native:
+    if recipe.is_native is "False":
  bb.build.exec_func("read_subpackage_metadata", d)
  pkgdest = Path(d.getVar("PKGDEST"))
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index 9814fbfd66..452148f339 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -164,6 +164,7 @@ class SPDXPackage(SPDXObject):
  packageVerificationCode = _Object(SPDXPackageVerificationCode)
  hasFiles = _StringList()
  packageFileName = _String()
+    is_native = _String()


It's probably not well documented in this file, but this has to match to 
the SPDX standard; we can't add arbitrary fields here. When I was 
referring to an "annotation" I was specifcially referring to an SPDX 
annotation:



I should have figured that!


https://spdx.github.io/spdx-spec/8-annotations/

We'd need to decide on some schema for encoding the data in the annotation

So we need to create an SPDXAnnotation type on spdx.py and define what 
we want in the AnnotationComment field?


Sua!


  class SPDXFile(SPDXObject):


--
Sau!




Re: [OE-core] [PATCH v2] create-spdx: Don't collect natives sources

2021-09-23 Thread Joshua Watt


On 9/23/21 3:53 PM, Saul Wold wrote:

Extend the SPDXPackage to include is_native so it can be used later in
the processing.

When the collect_dep_sources() runs, it collects sources from both native
and non-native recipes. Later when the GENERATED_FROM matching occurs it
may find the file (via checksum) from the native recipe since it's the
same checksum as the target file. The that are generated DocumentRefs
point to the native recipe rather than the target recipe DocumentRef.

Signed-off-by: Saul Wold 
---
  meta/classes/create-spdx.bbclass | 11 +--
  meta/lib/oe/spdx.py  |  1 +
  2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index 3c73c21c04..e565f0bf6c 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -336,6 +336,10 @@ def collect_dep_sources(d, dep_recipes):
  
  sources = {}

  for dep in dep_recipes:
+# Don't collect sources from native recipes as they
+# match non-native sources also.
+if dep.recipe.is_native == "True":
+continue
  recipe_files = set(dep.recipe.hasFiles)
  
  for spdx_file in dep.doc.files:

@@ -382,7 +386,6 @@ python do_create_spdx() {
  include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
  archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
  archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
-is_native = bb.data.inherits_class("native", d)
  
  creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
  
@@ -401,6 +404,10 @@ python do_create_spdx() {

  recipe.name = d.getVar("PN")
  recipe.versionInfo = d.getVar("PV")
  recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+if bb.data.inherits_class("native", d):
+recipe.is_native = "True"
+else:
+recipe.is_native = "False"
  
  for s in d.getVar('SRC_URI').split():

  if not s.startswith("file://"):
@@ -480,7 +487,7 @@ python do_create_spdx() {
  sources = collect_dep_sources(d, dep_recipes)
  found_licenses = {license.name:recipe_ref.externalDocumentId + ":" + 
license.licenseId for license in doc.hasExtractedLicensingInfos}
  
-if not is_native:

+if recipe.is_native is "False":
  bb.build.exec_func("read_subpackage_metadata", d)
  
  pkgdest = Path(d.getVar("PKGDEST"))

diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index 9814fbfd66..452148f339 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -164,6 +164,7 @@ class SPDXPackage(SPDXObject):
  packageVerificationCode = _Object(SPDXPackageVerificationCode)
  hasFiles = _StringList()
  packageFileName = _String()
+is_native = _String()


It's probably not well documented in this file, but this has to match 
the SPDX standard; we can't add arbitrary fields here. When I was 
referring to an "annotation" I was specifically referring to an SPDX 
annotation:


https://spdx.github.io/spdx-spec/8-annotations/

We'd need to decide on some schema for encoding the data in the annotation

  
  
  class SPDXFile(SPDXObject):




[OE-core] [PATCH v2] create-spdx: Don't collect natives sources

2021-09-23 Thread Saul Wold
Extend the SPDXPackage to include is_native so it can be used later in
the processing.

When the collect_dep_sources() runs, it collects sources from both native
and non-native recipes. Later when the GENERATED_FROM matching occurs it
may find the file (via checksum) from the native recipe since it's the
same checksum as the target file. The DocumentRefs that are generated
point to the native recipe rather than the target recipe DocumentRef.

Signed-off-by: Saul Wold 
---
 meta/classes/create-spdx.bbclass | 11 +--
 meta/lib/oe/spdx.py  |  1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index 3c73c21c04..e565f0bf6c 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -336,6 +336,10 @@ def collect_dep_sources(d, dep_recipes):
 
 sources = {}
 for dep in dep_recipes:
+# Don't collect sources from native recipes as they
+# match non-native sources also.
+if dep.recipe.is_native == "True":
+continue
 recipe_files = set(dep.recipe.hasFiles)
 
 for spdx_file in dep.doc.files:
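Review bot: The new guard `if dep.recipe.is_native == "True":` skips a dependency only when the field is present and holds exactly that string, so a dependency document without `is_native` falls through and is collected as if it were a target recipe. How `dep.recipe` is loaded is outside this hunk, but if it can come from an SPDX document written before this change (for example one restored from a cache), the wrong GENERATED_FROM attribution described in the commit message would return without any warning in the resulting SBOM. Handling the unset case explicitly would be safer, and the comment could state the reason directly, e.g. `# Native and target recipes share sources, so their file checksums are identical; skip native deps so GENERATED_FROM resolves to the target recipe.` The indentation of the added lines appears to be lost in this archive copy, and collect_dep_sources continues beyond the hunk.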
@@ -382,7 +386,6 @@ python do_create_spdx() {
 include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
 archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
 archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
-is_native = bb.data.inherits_class("native", d)
 
 creation_time = 
datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
 
@@ -401,6 +404,10 @@ python do_create_spdx() {
 recipe.name = d.getVar("PN")
 recipe.versionInfo = d.getVar("PV")
 recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+if bb.data.inherits_class("native", d):
+recipe.is_native = "True"
+else:
+recipe.is_native = "False"
 
 for s in d.getVar('SRC_URI').split():
 if not s.startswith("file://"):
@@ -480,7 +487,7 @@ python do_create_spdx() {
 sources = collect_dep_sources(d, dep_recipes)
 found_licenses = {license.name:recipe_ref.externalDocumentId + ":" + 
license.licenseId for license in doc.hasExtractedLicensingInfos}
 
-if not is_native:
+if recipe.is_native is "False":
 bb.build.exec_func("read_subpackage_metadata", d)
 
 pkgdest = Path(d.getVar("PKGDEST"))
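Review bot: `if recipe.is_native is "False":` compares object identity rather than value, so whether the branch runs depends on the interpreter returning the very same string object that the earlier hunk assigned, and on the `_String` field handing it back unchanged, which is not visible here. Python 3.8 and later also emit a SyntaxWarning for `is` with a literal. If the test evaluates false for a target recipe, the code under this `if`, which starts with `read_subpackage_metadata`, is silently skipped, presumably leaving the packaged files out of the SPDX output. Use `if recipe.is_native == "False":`, or keep the removed boolean `is_native = bb.data.inherits_class("native", d)` and test `if not is_native:` as before, deriving the string only for storage. do_create_spdx starts and ends outside this hunk.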
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index 9814fbfd66..452148f339 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -164,6 +164,7 @@ class SPDXPackage(SPDXObject):
 packageVerificationCode = _Object(SPDXPackageVerificationCode)
 hasFiles = _StringList()
 packageFileName = _String()
+is_native = _String()
 
 
 class SPDXFile(SPDXObject):
-- 
2.25.1

