spdx: add option to include only compiled sources

When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the source code files that are used during compilation. It uses debugsource information generated during do_package. This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled. As example, when used with the default config with linux-yocto, the spdx size is reduced from 156MB to 61MB. (From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968) Adapted to existing files for SPDX3.0 Tested with: - bitbake world on oe-core - oe-selftest --run-tests spdx.SPDX30Check Regarding SPDX2.2, the respective backport was already performed in OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b (From OE-Core rev: 1c7dfab26d69a87bb026e05b3bbf6a266858c0d1) Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-07 16:59:22 +00:00 · 2026-03-23 10:22:56 +01:00
parent 7421603502
commit 8cde17408f
2 changed files with 15 additions and 0 deletions
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
 SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"

 SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"

 SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
 SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 python () {
    from oe.cve_check import extend_cve_status
    extend_cve_status(d)
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
 }

 def create_spdx_source_deps(d):
@@ -145,6 +145,8 @@ def add_package_files(
    ignore_dirs=[],
    ignore_top_level_dirs=[],
 ):
+    import oe.spdx
+
    source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
    if source_date_epoch:
        source_date_epoch = int(source_date_epoch)
@@ -156,6 +158,11 @@ def add_package_files(
        bb.note(f"Skip {topdir}")
        return spdx_files

+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
+
    for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
        dirs[:] = [d for d in dirs if d not in ignore_dirs]
        if subdir == str(topdir):
@@ -171,6 +178,11 @@ def add_package_files(
            filename = str(filepath.relative_to(topdir))
            file_purposes = get_purposes(filepath)

+            # Check if file is compiled
+            if check_compiled_sources:
+                if not oe.spdx.is_compiled_source(filename, compiled_sources, types):
+                    continue
+
            spdx_file = objset.new_file(
                get_spdxid(file_counter),
                filename,