create-spdx: add support for SDKs
Currently, SPDX SBOMs are only created for images. Add support for SDKs. (From OE-Core rev: c3acbb936a339636153903daf127eec9f36de79b) Signed-off-by: Andres Beltran <abeltran@linux.microsoft.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by
Richard Purdie
parent
5083a80245
commit
e43a9d15ea
@@ -589,7 +589,7 @@ python do_create_spdx() {
|
|||||||
oe.sbom.write_doc(d, package_doc, "packages")
|
oe.sbom.write_doc(d, package_doc, "packages")
|
||||||
}
|
}
|
||||||
# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
|
# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
|
||||||
addtask do_create_spdx after do_package do_packagedata do_unpack before do_build do_rm_work
|
addtask do_create_spdx after do_package do_packagedata do_unpack before do_populate_sdk do_build do_rm_work
|
||||||
|
|
||||||
SSTATETASKS += "do_create_spdx"
|
SSTATETASKS += "do_create_spdx"
|
||||||
do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
|
do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
|
||||||
@@ -821,28 +821,77 @@ def spdx_get_src(d):
|
|||||||
do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
|
do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
|
||||||
|
|
||||||
ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
|
ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
|
||||||
|
|
||||||
|
do_populate_sdk[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
|
||||||
|
POPULATE_SDK_POST_HOST_COMMAND:append:task-populate-sdk = " sdk_host_combine_spdx; "
|
||||||
|
POPULATE_SDK_POST_TARGET_COMMAND:append:task-populate-sdk = " sdk_target_combine_spdx; "
|
||||||
|
|
||||||
python image_combine_spdx() {
|
python image_combine_spdx() {
|
||||||
|
import os
|
||||||
|
import oe.sbom
|
||||||
|
from pathlib import Path
|
||||||
|
from oe.rootfs import image_list_installed_packages
|
||||||
|
|
||||||
|
image_name = d.getVar("IMAGE_NAME")
|
||||||
|
image_link_name = d.getVar("IMAGE_LINK_NAME")
|
||||||
|
imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
|
||||||
|
img_spdxid = oe.sbom.get_image_spdxid(image_name)
|
||||||
|
packages = image_list_installed_packages(d)
|
||||||
|
|
||||||
|
combine_spdx(d, image_name, imgdeploydir, img_spdxid, packages)
|
||||||
|
|
||||||
|
if image_link_name:
|
||||||
|
image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
|
||||||
|
image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
|
||||||
|
image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
|
||||||
|
|
||||||
|
def make_image_link(target_path, suffix):
|
||||||
|
if image_link_name:
|
||||||
|
link = imgdeploydir / (image_link_name + suffix)
|
||||||
|
link.symlink_to(os.path.relpath(target_path, link.parent))
|
||||||
|
|
||||||
|
spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
|
||||||
|
make_image_link(spdx_tar_path, ".spdx.tar.zst")
|
||||||
|
spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
|
||||||
|
make_image_link(spdx_index_path, ".spdx.index.json")
|
||||||
|
}
|
||||||
|
|
||||||
|
python sdk_host_combine_spdx() {
|
||||||
|
sdk_combine_spdx(d, "host")
|
||||||
|
}
|
||||||
|
|
||||||
|
python sdk_target_combine_spdx() {
|
||||||
|
sdk_combine_spdx(d, "target")
|
||||||
|
}
|
||||||
|
|
||||||
|
def sdk_combine_spdx(d, sdk_type):
|
||||||
|
import oe.sbom
|
||||||
|
from pathlib import Path
|
||||||
|
from oe.sdk import sdk_list_installed_packages
|
||||||
|
|
||||||
|
sdk_name = d.getVar("SDK_NAME") + "-" + sdk_type
|
||||||
|
sdk_deploydir = Path(d.getVar("SDKDEPLOYDIR"))
|
||||||
|
sdk_spdxid = oe.sbom.get_sdk_spdxid(sdk_name)
|
||||||
|
sdk_packages = sdk_list_installed_packages(d, sdk_type == "target")
|
||||||
|
combine_spdx(d, sdk_name, sdk_deploydir, sdk_spdxid, sdk_packages)
|
||||||
|
|
||||||
|
def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages):
|
||||||
import os
|
import os
|
||||||
import oe.spdx
|
import oe.spdx
|
||||||
import oe.sbom
|
import oe.sbom
|
||||||
import io
|
import io
|
||||||
import json
|
import json
|
||||||
from oe.rootfs import image_list_installed_packages
|
|
||||||
from datetime import timezone, datetime
|
from datetime import timezone, datetime
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
import tarfile
|
import tarfile
|
||||||
import bb.compress.zstd
|
import bb.compress.zstd
|
||||||
|
|
||||||
creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
|
creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
|
||||||
image_name = d.getVar("IMAGE_NAME")
|
|
||||||
image_link_name = d.getVar("IMAGE_LINK_NAME")
|
|
||||||
|
|
||||||
deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
|
deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
|
||||||
imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
|
|
||||||
source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
|
source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
|
||||||
|
|
||||||
doc = oe.spdx.SPDXDocument()
|
doc = oe.spdx.SPDXDocument()
|
||||||
doc.name = image_name
|
doc.name = rootfs_name
|
||||||
doc.documentNamespace = get_doc_namespace(d, doc)
|
doc.documentNamespace = get_doc_namespace(d, doc)
|
||||||
doc.creationInfo.created = creation_time
|
doc.creationInfo.created = creation_time
|
||||||
doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
|
doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
|
||||||
@@ -854,13 +903,11 @@ python image_combine_spdx() {
|
|||||||
image = oe.spdx.SPDXPackage()
|
image = oe.spdx.SPDXPackage()
|
||||||
image.name = d.getVar("PN")
|
image.name = d.getVar("PN")
|
||||||
image.versionInfo = d.getVar("PV")
|
image.versionInfo = d.getVar("PV")
|
||||||
image.SPDXID = oe.sbom.get_image_spdxid(image_name)
|
image.SPDXID = rootfs_spdxid
|
||||||
image.packageSupplier = d.getVar("SPDX_SUPPLIER")
|
image.packageSupplier = d.getVar("SPDX_SUPPLIER")
|
||||||
|
|
||||||
doc.packages.append(image)
|
doc.packages.append(image)
|
||||||
|
|
||||||
packages = image_list_installed_packages(d)
|
|
||||||
|
|
||||||
for name in sorted(packages.keys()):
|
for name in sorted(packages.keys()):
|
||||||
pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
|
pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
|
||||||
pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
|
pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
|
||||||
@@ -897,22 +944,18 @@ python image_combine_spdx() {
|
|||||||
comment="Runtime dependencies for %s" % name
|
comment="Runtime dependencies for %s" % name
|
||||||
)
|
)
|
||||||
|
|
||||||
image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
|
image_spdx_path = rootfs_deploydir / (rootfs_name + ".spdx.json")
|
||||||
|
|
||||||
with image_spdx_path.open("wb") as f:
|
with image_spdx_path.open("wb") as f:
|
||||||
doc.to_json(f, sort_keys=True)
|
doc.to_json(f, sort_keys=True)
|
||||||
|
|
||||||
if image_link_name:
|
|
||||||
image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
|
|
||||||
image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
|
|
||||||
|
|
||||||
num_threads = int(d.getVar("BB_NUMBER_THREADS"))
|
num_threads = int(d.getVar("BB_NUMBER_THREADS"))
|
||||||
|
|
||||||
visited_docs = set()
|
visited_docs = set()
|
||||||
|
|
||||||
index = {"documents": []}
|
index = {"documents": []}
|
||||||
|
|
||||||
spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
|
spdx_tar_path = rootfs_deploydir / (rootfs_name + ".spdx.tar.zst")
|
||||||
with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f:
|
with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f:
|
||||||
with tarfile.open(fileobj=f, mode="w|") as tar:
|
with tarfile.open(fileobj=f, mode="w|") as tar:
|
||||||
def collect_spdx_document(path):
|
def collect_spdx_document(path):
|
||||||
@@ -974,17 +1017,6 @@ python image_combine_spdx() {
|
|||||||
|
|
||||||
tar.addfile(info, fileobj=index_str)
|
tar.addfile(info, fileobj=index_str)
|
||||||
|
|
||||||
def make_image_link(target_path, suffix):
|
spdx_index_path = rootfs_deploydir / (rootfs_name + ".spdx.index.json")
|
||||||
if image_link_name:
|
|
||||||
link = imgdeploydir / (image_link_name + suffix)
|
|
||||||
link.symlink_to(os.path.relpath(target_path, link.parent))
|
|
||||||
|
|
||||||
make_image_link(spdx_tar_path, ".spdx.tar.zst")
|
|
||||||
|
|
||||||
spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
|
|
||||||
with spdx_index_path.open("w") as f:
|
with spdx_index_path.open("w") as f:
|
||||||
json.dump(index, f, sort_keys=True)
|
json.dump(index, f, sort_keys=True)
|
||||||
|
|
||||||
make_image_link(spdx_index_path, ".spdx.index.json")
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|||||||
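Review bot: In the new `image_combine_spdx`, the `.spdx.json` symlink is created by three explicit lines just before `make_image_link` is defined, while the tarball and index links go through the helper; moving `def make_image_link` up and replacing the block with `make_image_link(imgdeploydir / (image_name + ".spdx.json"), ".spdx.json")` removes the duplication. The same function also re-derives the `.spdx.json`, `.spdx.tar.zst` and `.spdx.index.json` paths from `image_name`, mirroring the expressions `combine_spdx` builds from `rootfs_name`; if either side's naming changes the links would quietly dangle, so returning the written paths from `combine_spdx` (or passing the link name into it) would keep a single source of truth. `combine_spdx` and `sdk_combine_spdx` carry no docstrings; the one on `combine_spdx` should state that `packages` is a mapping keyed by package name whose per-package documents are read from `DEPLOY_DIR_SPDX/packages/<name>.spdx.json`, and that the top-level SPDX package is still named from `PN`/`PV` even when the document describes an SDK. In `sdk_combine_spdx` the bare positional boolean `sdk_type == "target"` would read better as a keyword argument if the `oe.sdk` signature names that parameter. The body of `combine_spdx` continues across the later hunks and past what is shown here.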
@@ -28,6 +28,10 @@ def get_image_spdxid(img):
|
|||||||
return "SPDXRef-Image-%s" % img
|
return "SPDXRef-Image-%s" % img
|
||||||
|
|
||||||
|
|
||||||
|
def get_sdk_spdxid(sdk):
|
||||||
|
return "SPDXRef-SDK-%s" % sdk
|
||||||
|
|
||||||
|
|
||||||
def write_doc(d, spdx_doc, subdir, spdx_deploy=None):
|
def write_doc(d, spdx_doc, subdir, spdx_deploy=None):
|
||||||
from pathlib import Path
|
from pathlib import Path
|
||||||
|
|
||||||
|
|||||||
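Review bot: `get_sdk_spdxid` has no docstring and nothing states the constraint that its result must be a valid SPDX identifier, which SPDX 2.x restricts to `SPDXRef-` followed by letters, digits, `.` and `-`; `get_image_spdxid` on the line above has the same gap. If the caller's `SDK_NAME`-derived argument can contain an underscore (a host architecture such as `x86_64` in the name would do it), the generated ID would not validate, so either the caller should be documented as responsible for passing an idstring-safe name or the helper should normalize or reject such characters. Suggested docstring: `"""Return the SPDXID of the top-level package of an SDK SPDX document; *sdk* must only contain characters valid in an SPDX idstring (letters, digits, '.', '-')."""`.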