classes/create-spdx-2.2: Handle empty packages

When combining an SPDX document, the package list might be empty (e.g. a baremetal image). Handle this case instead of erroring out (From OE-Core rev: baf4e360f6e65a5e9aff2def69d2a720f38f92b2) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-31 00:39:46 +00:00 · 2024-07-12 09:58:21 -06:00
parent 666c1f1048
commit 2c2e1becd6
1 changed files with 38 additions and 37 deletions
@@ -811,52 +811,53 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
    doc.packages.append(image)
-    for name in sorted(packages.keys()):
+    if packages:
-        if name not in providers:
+        for name in sorted(packages.keys()):
-            bb.fatal("Unable to find SPDX provider for '%s'" % name)
+            if name not in providers:
                bb.fatal("Unable to find SPDX provider for '%s'" % name)
-        pkg_name, pkg_hashfn = providers[name]
+            pkg_name, pkg_hashfn = providers[name]
-        pkg_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, pkg_name, pkg_hashfn)
+            pkg_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, pkg_name, pkg_hashfn)
-        if not pkg_spdx_path:
+            if not pkg_spdx_path:
-            bb.fatal("No SPDX file found for package %s, %s" % (pkg_name, pkg_hashfn))
+                bb.fatal("No SPDX file found for package %s, %s" % (pkg_name, pkg_hashfn))
-        pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
+            pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
-        for p in pkg_doc.packages:
+            for p in pkg_doc.packages:
-            if p.name == name:
+                if p.name == name:
-                pkg_ref = oe.spdx.SPDXExternalDocumentRef()
+                    pkg_ref = oe.spdx.SPDXExternalDocumentRef()
-                pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
+                    pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
-                pkg_ref.spdxDocument = pkg_doc.documentNamespace
+                    pkg_ref.spdxDocument = pkg_doc.documentNamespace
-                pkg_ref.checksum.algorithm = "SHA1"
+                    pkg_ref.checksum.algorithm = "SHA1"
-                pkg_ref.checksum.checksumValue = pkg_doc_sha1
+                    pkg_ref.checksum.checksumValue = pkg_doc_sha1
-                doc.externalDocumentRefs.append(pkg_ref)
+                    doc.externalDocumentRefs.append(pkg_ref)
-                doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
+                    doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
-                break
+                    break
-        else:
+            else:
-            bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
+                bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
-        runtime_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "runtime-" + name, pkg_hashfn)
+            runtime_spdx_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "runtime-" + name, pkg_hashfn)
-        if not runtime_spdx_path:
+            if not runtime_spdx_path:
-            bb.fatal("No runtime SPDX document found for %s, %s" % (name, pkg_hashfn))
+                bb.fatal("No runtime SPDX document found for %s, %s" % (name, pkg_hashfn))
-        runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)
+            runtime_doc, runtime_doc_sha1 = oe.sbom.read_doc(runtime_spdx_path)
-        runtime_ref = oe.spdx.SPDXExternalDocumentRef()
+            runtime_ref = oe.spdx.SPDXExternalDocumentRef()
-        runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
+            runtime_ref.externalDocumentId = "DocumentRef-%s" % runtime_doc.name
-        runtime_ref.spdxDocument = runtime_doc.documentNamespace
+            runtime_ref.spdxDocument = runtime_doc.documentNamespace
-        runtime_ref.checksum.algorithm = "SHA1"
+            runtime_ref.checksum.algorithm = "SHA1"
-        runtime_ref.checksum.checksumValue = runtime_doc_sha1
+            runtime_ref.checksum.checksumValue = runtime_doc_sha1
-        # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
+            # "OTHER" isn't ideal here, but I can't find a relationship that makes sense
-        doc.externalDocumentRefs.append(runtime_ref)
+            doc.externalDocumentRefs.append(runtime_ref)
-        doc.add_relationship(
+            doc.add_relationship(
-            image,
+                image,
-            "OTHER",
+                "OTHER",
-            "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
+                "%s:%s" % (runtime_ref.externalDocumentId, runtime_doc.SPDXID),
-            comment="Runtime dependencies for %s" % name
+                comment="Runtime dependencies for %s" % name
-        )
+            )
    bb.utils.mkdirhier(spdx_workdir)
    image_spdx_path = spdx_workdir / (rootfs_name + ".spdx.json")