create-spdx-3.0: Upgrade to SPDX 3.0.1

Upgrades the SPDX 3.0 implementation from 3.0.0 -> 3.0.1. This version
introduced some breaking changes. Effectively, 3.0.0 was a pre-release
version that we do not need to support any longer.

(From OE-Core rev: 7e6509a19f6146f0dad0be7037ff4b3268d0128c)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/classes/create-spdx-3.0.bbclass

@@ -6,7 +6,7 @@
 
 inherit spdx-common
 
-SPDX_VERSION = "3.0.0"
+SPDX_VERSION = "3.0.1"
 
 # The list of SPDX profiles generated documents will conform to
 SPDX_PROFILES ?= "core build software simpleLicensing security"

meta/lib/oe/sbom30.py

@@ -359,7 +359,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
         if not spdxid:
             bb.fatal(f"{key} is not a valid SPDX_IMPORTS key")
 
-        for i in self.docs.imports:
+        for i in self.docs.import_:
             if i.externalSpdxId == spdxid:
                 # Already imported
                 return spdxid
@@ -380,7 +380,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
                     )
                 )
 
-        self.doc.imports.append(m)
+        self.doc.import_.append(m)
         return spdxid
 
     def new_agent(self, varname, *, creation_info=None, add=True):
@@ -521,8 +521,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             return []
 
         if not to:
-            # TODO: Switch to the code constant once SPDX 3.0.1 is released
-            to = ["https://spdx.org/rdf/3.0.0/terms/Core/NoneElement"]
+            to = [oe.spdx30.Element.NoneElement]
 
         ret = []
 
@@ -726,7 +725,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
         bb_objset = load_jsonld(
             self.d, deploy_dir_spdx / "bitbake.spdx.json", required=True
         )
-        self.doc.imports.extend(bb_objset.doc.imports)
+        self.doc.import_.extend(bb_objset.doc.import_)
         self.update(bb_objset.objects)
 
         return bb_objset
@@ -827,12 +826,12 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
         Returns the set of ids that could not be found to link into the document
         """
         missing_spdxids = set()
-        imports = {e.externalSpdxId: e for e in self.doc.imports}
+        imports = {e.externalSpdxId: e for e in self.doc.import_}
 
         def merge_doc(other):
             nonlocal imports
 
-            for e in other.doc.imports:
+            for e in other.doc.import_:
                 if not e.externalSpdxId in imports:
                     imports[e.externalSpdxId] = e
 
@@ -876,7 +875,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
                 f"Linked document doesn't match missing SPDX ID list. Got: {missing}\nExpected: {missing_spdxids}"
             )
 
-        self.doc.imports = sorted(imports.values(), key=lambda e: e.externalSpdxId)
+        self.doc.import_ = sorted(imports.values(), key=lambda e: e.externalSpdxId)
 
         return missing_spdxids
 

meta/lib/oe/spdx30_tasks.py

@@ -323,7 +323,7 @@ def collect_dep_sources(dep_objsets, dest):
             if dep_build is not e.from_:
                 continue
 
-            if e.relationshipType != oe.spdx30.RelationshipType.hasInputs:
+            if e.relationshipType != oe.spdx30.RelationshipType.hasInput:
                 continue
 
             index_sources_by_hash(e.to, dest)
@@ -485,18 +485,22 @@ def create_spdx(d):
 
             # If this CVE is fixed upstream, skip it unless all CVEs are
             # specified.
-            if include_vex != "all" and 'detail' in decoded_status and \
-                decoded_status['detail'] in (
-                "fixed-version",
-                "cpe-stable-backport",
+            if (
+                include_vex != "all"
+                and "detail" in decoded_status
+                and decoded_status["detail"]
+                in (
+                    "fixed-version",
+                    "cpe-stable-backport",
+                )
             ):
                 bb.debug(1, "Skipping %s since it is already fixed upstream" % cve)
                 continue
 
-            cve_by_status.setdefault(decoded_status['mapping'], {})[cve] = (
+            cve_by_status.setdefault(decoded_status["mapping"], {})[cve] = (
                 build_objset.new_cve_vuln(cve),
-                decoded_status['detail'],
-                decoded_status['description'],
+                decoded_status["detail"],
+                decoded_status["description"],
             )
 
     cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
@@ -600,7 +604,7 @@ def create_spdx(d):
 
             pkg_objset.new_scoped_relationship(
                 [build._id],
-                oe.spdx30.RelationshipType.hasOutputs,
+                oe.spdx30.RelationshipType.hasOutput,
                 oe.spdx30.LifecycleScopeType.build,
                 [spdx_package],
             )
@@ -749,7 +753,7 @@ def create_spdx(d):
         if sysroot_files:
             build_objset.new_scoped_relationship(
                 [build],
-                oe.spdx30.RelationshipType.hasOutputs,
+                oe.spdx30.RelationshipType.hasOutput,
                 oe.spdx30.LifecycleScopeType.build,
                 sorted(list(sysroot_files)),
             )
@@ -757,7 +761,7 @@ def create_spdx(d):
     if build_inputs or debug_source_ids:
         build_objset.new_scoped_relationship(
             [build],
-            oe.spdx30.RelationshipType.hasInputs,
+            oe.spdx30.RelationshipType.hasInput,
             oe.spdx30.LifecycleScopeType.build,
             sorted(list(build_inputs)) + sorted(list(debug_source_ids)),
         )
@@ -978,7 +982,7 @@ def collect_build_package_inputs(d, objset, build, packages):
     if build_deps:
         objset.new_scoped_relationship(
             [build],
-            oe.spdx30.RelationshipType.hasInputs,
+            oe.spdx30.RelationshipType.hasInput,
             oe.spdx30.LifecycleScopeType.build,
             sorted(list(build_deps)),
         )
@@ -1011,7 +1015,7 @@ def create_rootfs_spdx(d):
 
     objset.new_scoped_relationship(
         [rootfs_build],
-        oe.spdx30.RelationshipType.hasOutputs,
+        oe.spdx30.RelationshipType.hasOutput,
         oe.spdx30.LifecycleScopeType.build,
         [rootfs],
     )
@@ -1073,7 +1077,7 @@ def create_image_spdx(d):
         if artifacts:
             objset.new_scoped_relationship(
                 [image_build],
-                oe.spdx30.RelationshipType.hasOutputs,
+                oe.spdx30.RelationshipType.hasOutput,
                 oe.spdx30.LifecycleScopeType.build,
                 artifacts,
             )
@@ -1088,7 +1092,7 @@ def create_image_spdx(d):
         )
         objset.new_scoped_relationship(
             builds,
-            oe.spdx30.RelationshipType.hasInputs,
+            oe.spdx30.RelationshipType.hasInput,
             oe.spdx30.LifecycleScopeType.build,
             [rootfs_image._id],
         )
@@ -1159,7 +1163,7 @@ def sdk_create_spdx(d, sdk_type, spdx_work_dir, toolchain_outputname):
 
     objset.new_scoped_relationship(
         [sdk_build],
-        oe.spdx30.RelationshipType.hasOutputs,
+        oe.spdx30.RelationshipType.hasOutput,
         oe.spdx30.LifecycleScopeType.build,
         [sdk_rootfs],
     )
@@ -1186,7 +1190,7 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
 
     rootfs_objset.new_scoped_relationship(
         [sdk_build],
-        oe.spdx30.RelationshipType.hasInputs,
+        oe.spdx30.RelationshipType.hasInput,
         oe.spdx30.LifecycleScopeType.build,
         [rootfs],
     )
@@ -1225,7 +1229,7 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
     if files:
         rootfs_objset.new_scoped_relationship(
             [sdk_build],
-            oe.spdx30.RelationshipType.hasOutputs,
+            oe.spdx30.RelationshipType.hasOutput,
             oe.spdx30.LifecycleScopeType.build,
             files,
         )