[ptxdist] [PATCH] pcre2: Version bump. 10.42 -> 10.43

2024-02-19 Thread Christian Melki
Looks like various smaller enhancements and fixes.
https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.43
https://github.com/PCRE2Project/pcre2/blob/pcre2-10.43/NEWS
https://github.com/PCRE2Project/pcre2/blob/pcre2-10.43/ChangeLog
* License hash update. Copyright year changes.

[ptxdist] [PATCH] libffi: Version bump. 3.4.5 -> 3.4.6

2024-02-19 Thread Christian Melki
Back to back bump. Apparently some regression. Doesn't look very important to me. Oh well.
https://github.com/libffi/libffi/releases/tag/v3.4.6
* Forward patches, no changes.
Signed-off-by: Christian Melki
---
...libffi-Fix-location-of-libraries-for-multilib-toolch.patch | 0

[ptxdist] [PATCH 3/3] RFC: sbom_report: Add support

2024-02-19 Thread Simon Falsig
This provides support for building SBOMs in CycloneDX format. A target is added alongside the other reports, that (based on the fast-bsp-report) extracts name, version, cpe and license of each target package, and puts these into a final sbom-report in CycloneDX/JSON format. This requires a

[ptxdist] [PATCH 2/3] RFC: Add CPE for a few packages

2024-02-19 Thread Simon Falsig
Just to see how this could look for a handful of packages. Note that all of these have a different way of specifying the vendor ID (one is $PACKAGE_project, one is just $PACKAGE, one is something completely different).
---
rules/acl.make| 1 +
rules/busybox.make| 2 ++

[ptxdist] [PATCH 1/3] RFC: ptxd_make_world: Extract CPE for packages

2024-02-19 Thread Simon Falsig
If a package specifies a CPE or CPE_VENDOR and CPE_PRODUCT, this is extracted into the fast report for that package. If no CPE is specified, or not both of CPE_VENDOR and CPE_PRODUCT, then no value is added. By default, the existing VERSION is used, but can be overridden with CPE_VERSION.

Re: [ptxdist] SBOM support

2024-02-19 Thread Simon Falsig
Hi,

> I'd be happy to get a bit of initial feedback on the approach. I'll have a
> look at putting up some initial patches in the coming days too.
>
> Thanks in advance and best regards,

Sorry for the silence around this, but I've been busy with other things in the last months. Finally managed