mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-09 05:29:32 +00:00
Code Issues Projects Releases Wiki Activity

classes/create-spdx-2.2: Report downloads as separate packages

Browse Source 
Moves the downloaded items from SRC_URI into separate packages in the
recipe document. This is much better than the previous implementation
because:
 1) It can report multiple download locations in SRC_URI, instead of
    just the first one reported.
 2) It prevents the assumption that the source files listed in the
    recipe are the exact file from the source URL; in particular, files
    that come from file:// SRC_URI entries, and source files that have
    been patched were problematic, since these aren't from the upstream
    source.
 3) It allows the checksums to be specified

(From OE-Core rev: 1dd4369b3638637a2cbba2a3c37c6b6f4df335cd)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Joshua Watt
2023-02-15 15:13:46 -06:00
committed by Richard Purdie
parent c980c93c5d
commit ceb95cf9c2
3 changed files with 67 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/classes/create-spdx-2.2.bbclass
+50 -8
View File
@@ -406,6 +406,54 @@ def collect_dep_sources(d, dep_recipes):
return sources return sources
def add_download_packages(d, doc, recipe):
import os.path
from bb.fetch2 import decodeurl, CHECKSUM_LIST
import bb.process
import oe.spdx
import oe.sbom
for download_idx, src_uri in enumerate(d.getVar('SRC_URI').split()):
f = bb.fetch2.FetchData(src_uri, d)
for name in f.names:
package = oe.spdx.SPDXPackage()
package.name = "%s-source-%d" % (d.getVar("PN"), download_idx + 1)
package.SPDXID = oe.sbom.get_download_spdxid(d, download_idx + 1)
if f.type == "file":
continue
uri = f.type
proto = getattr(f, "proto", None)
if proto is not None:
uri = uri + "+" + proto
uri = uri + "://" + f.host + f.path
if f.method.supports_srcrev():
uri = uri + "@" + f.revisions[name]
if f.method.supports_checksum(f):
for checksum_id in CHECKSUM_LIST:
if checksum_id.upper() not in oe.spdx.SPDXPackage.ALLOWED_CHECKSUMS:
continue
expected_checksum = getattr(f, "%s_expected" % checksum_id)
if expected_checksum is None:
continue
c = oe.spdx.SPDXChecksum()
c.algorithm = checksum_id.upper()
c.checksumValue = expected_checksum
package.checksums.append(c)
package.downloadLocation = uri
doc.packages.append(package)
doc.add_relationship(doc, "DESCRIBES", package)
# In the future, we might be able to do more fancy dependencies,
# but this should be sufficient for now
doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
python do_create_spdx() { python do_create_spdx() {
from datetime import datetime, timezone from datetime import datetime, timezone
import oe.sbom import oe.sbom
@@ -458,14 +506,6 @@ python do_create_spdx() {
if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d): if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
recipe.annotations.append(create_annotation(d, "isNative")) recipe.annotations.append(create_annotation(d, "isNative"))
for s in d.getVar('SRC_URI').split():
if not s.startswith("file://"):
s = s.split(';')[0]
recipe.downloadLocation = s
break
else:
recipe.downloadLocation = "NOASSERTION"
homepage = d.getVar("HOMEPAGE") homepage = d.getVar("HOMEPAGE")
if homepage: if homepage:
recipe.homepage = homepage recipe.homepage = homepage
@@ -507,6 +547,8 @@ python do_create_spdx() {
doc.packages.append(recipe) doc.packages.append(recipe)
doc.add_relationship(doc, "DESCRIBES", recipe) doc.add_relationship(doc, "DESCRIBES", recipe)
add_download_packages(d, doc, recipe)
if process_sources(d) and include_sources: if process_sources(d) and include_sources:
recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.zst") recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.zst")
with optional_tarfile(recipe_archive, archive_sources) as archive: with optional_tarfile(recipe_archive, archive_sources) as archive:
meta/lib/oe/sbom.py
+4
View File
@@ -14,6 +14,10 @@ def get_recipe_spdxid(d):
return "SPDXRef-%s-%s" % ("Recipe", d.getVar("PN")) return "SPDXRef-%s-%s" % ("Recipe", d.getVar("PN"))
def get_download_spdxid(d, idx):
return "SPDXRef-Download-%s-%d" % (d.getVar("PN"), idx)
def get_package_spdxid(pkg): def get_package_spdxid(pkg):
return "SPDXRef-Package-%s" % pkg return "SPDXRef-Package-%s" % pkg
meta/lib/oe/spdx.py
+13
View File
@@ -216,6 +216,18 @@ class SPDXPackageVerificationCode(SPDXObject):
class SPDXPackage(SPDXObject): class SPDXPackage(SPDXObject):
ALLOWED_CHECKSUMS = [
"SHA1",
"SHA224",
"SHA256",
"SHA384",
"SHA512",
"MD2",
"MD4",
"MD5",
"MD6",
]
name = _String() name = _String()
SPDXID = _String() SPDXID = _String()
versionInfo = _String() versionInfo = _String()
@@ -234,6 +246,7 @@ class SPDXPackage(SPDXObject):
hasFiles = _StringList() hasFiles = _StringList()
packageFileName = _String() packageFileName = _String()
annotations = _ObjectList(SPDXAnnotation) annotations = _ObjectList(SPDXAnnotation)
checksums = _ObjectList(SPDXChecksum)
class SPDXFile(SPDXObject): class SPDXFile(SPDXObject):