mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

create-spdx-2.2: support to override the version of a package in SPDX 2

Browse Source 
By default, still use ${PV} as the the version of a package in SPDX 2

$ echo 'INHERIT:remove = "create-spdx"' >> conf/local.conf
$ echo 'INHERIT += "create-spdx-2.2"' >> conf/local.conf
$ bitbake acl
$ jq . tmp/deploy/spdx/2.2/core2-64/recipes/recipe-acl.spdx.json
...
      "name": "acl",
      "summary": "Utilities for managing POSIX Access Control Lists",
      "supplier": "Organization: OpenEmbedded ()",
      "versionInfo": "2.3.2"
    },
...

Support to override it by setting SPDX_PACKAGE_VERSION, such as
set SPDX_PACKAGE_VERSION = "${EXTENDPKGV}" in local.conf to append
PR to versionInfo in SBOM 2
$ echo 'SPDX_PACKAGE_VERSION = "${EXTENDPKGV}"' >> conf/local.conf
$ bitbake acl
$ jq . tmp/deploy/spdx/2.2/core2-64/recipes/recipe-acl.spdx.json
...
      "name": "acl",
      "summary": "Utilities for managing POSIX Access Control Lists",
      "supplier": "Organization: OpenEmbedded ()",
      "versionInfo": "2.3.2-r0"
    },
...

(From OE-Core rev: 0bd069f526ee0d535477b75a4aa825b4cb589423)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Hongxu Jia
2025-06-25 17:20:39 +08:00
committed by Richard Purdie
parent e065efc71d
commit 5a6f74d4fc
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
meta/classes/create-spdx-2.2.bbclass
View File

@@ -23,6 +23,8 @@ def get_namespace(d, name):
namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name)))
SPDX_PACKAGE_VERSION ??= "${PV}"
SPDX_PACKAGE_VERSION[doc] = "The version of a package, versionInfo in recipe, package and image"
def create_annotation(d, comment):
from datetime import datetime, timezone
@@ -447,7 +449,7 @@ python do_create_spdx() {
recipe = oe.spdx.SPDXPackage()
recipe.name = d.getVar("PN")
recipe.versionInfo = d.getVar("PV")
recipe.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
recipe.supplier = d.getVar("SPDX_SUPPLIER")
if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
@@ -556,7 +558,7 @@ python do_create_spdx() {
spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
spdx_package.name = pkg_name
spdx_package.versionInfo = d.getVar("PV")
spdx_package.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
spdx_package.licenseDeclared = convert_license_to_spdx(package_license, license_data, package_doc, d, found_licenses)
spdx_package.supplier = d.getVar("SPDX_SUPPLIER")
@@ -832,7 +834,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
image = oe.spdx.SPDXPackage()
image.name = d.getVar("PN")
image.versionInfo = d.getVar("PV")
image.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
image.SPDXID = rootfs_spdxid
image.supplier = d.getVar("SPDX_SUPPLIER")