Currently when generating an SBOM, all packages have the 'doc' feature
indicated as disabled. This is in fact *not* a feature that was
declared in the recipe, but instead the documentation of the
PACKAGECONFIG variable.
But to be safe, if somehow a feature is named 'doc' and enabled, do
not exclude it when exporting PACKAGECONFIG features to SPDX.
(From OE-Core rev: 87de87206b71bb165b946d5f4f6e9e5395292179)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 933394adcb0d2db66ef7e0656a464241e58ec2e7)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
PACKAGECONFIG features to be recorded in the SPDX document as build parameters.
Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG:<feature>
and value enabled or disabled, depending on whether the feature is active in
the current build.
This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking. In particular, it allows consumers of the
SBOM to identify enabled/disabled features that may affect security posture
or feature set.
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
(From OE-Core rev: 5cfd0690f819379d9f97c86d2078c3e529efe385)
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
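As an added example (not OE-Core's create-spdx code), the following stand-alone Python models the export described in the two commits above: every PACKAGECONFIG flag becomes a `PACKAGECONFIG:<feature>` key with an `enabled`/`disabled` value, gated on `SPDX_INCLUDE_PACKAGECONFIG`, and the `doc` flag is skipped unless a feature literally named `doc` is enabled. The recipe data and the `RecipeData` wrapper are constructed stand-ins for BitBake's datastore (`d.getVar()` / `d.getVarFlags()`), not real BitBake API.

```python
"""Model of PACKAGECONFIG -> SPDX build-parameter export.

Added example only; assumes a dict-based stand-in for BitBake's datastore.
"""
from typing import Dict, List, Tuple


class RecipeData:
    """Constructed stand-in for a BitBake datastore (assumption)."""

    def __init__(self, variables: Dict[str, str], flags: Dict[str, Dict[str, str]]):
        self._vars = variables
        self._flags = flags

    def getVar(self, name: str) -> str:
        return self._vars.get(name, "")

    def getVarFlags(self, name: str) -> Dict[str, str]:
        return dict(self._flags.get(name, {}))


# Constructed sample recipe: "doc" is the documentation flag of the
# PACKAGECONFIG variable, not a declared feature.
SAMPLE_RECIPE = RecipeData(
    variables={"PACKAGECONFIG": "ssl zlib", "SPDX_INCLUDE_PACKAGECONFIG": "1"},
    flags={
        "PACKAGECONFIG": {
            "doc": "Space-separated list of optional features to enable.",
            "ssl": "--with-ssl,--without-ssl,openssl",
            "zlib": "--with-zlib,--without-zlib,zlib",
            "ipv6": "--enable-ipv6,--disable-ipv6",
        }
    },
)


def packageconfig_entries(d: RecipeData) -> List[Tuple[str, str]]:
    """Return (key, value) pairs as they would be recorded as SPDX
    DictionaryEntry build parameters. Empty list when export is disabled."""
    if d.getVar("SPDX_INCLUDE_PACKAGECONFIG") != "1":
        return []

    enabled = set(d.getVar("PACKAGECONFIG").split())
    entries: List[Tuple[str, str]] = []
    for feature in sorted(d.getVarFlags("PACKAGECONFIG")):
        # "doc" is normally the variable's documentation flag; only keep it
        # when a feature of that name is actually enabled (the safety rule
        # from the first commit above).
        if feature == "doc" and feature not in enabled:
            continue
        value = "enabled" if feature in enabled else "disabled"
        entries.append((f"PACKAGECONFIG:{feature}", value))
    return entries


def diff_against_baseline(d: RecipeData, baseline: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Compare the exported entries with a baseline (e.g. a previous SBOM)
    and report keys whose state changed. Useful for spotting a feature
    that was silently switched on or off between builds."""
    current = dict(packageconfig_entries(d))
    changed = {}
    for key in sorted(set(current) | set(baseline)):
        old, new = baseline.get(key, "absent"), current.get(key, "absent")
        if old != new:
            changed[key] = (old, new)
    return changed


if __name__ == "__main__":
    for key, value in packageconfig_entries(SAMPLE_RECIPE):
        print(f"{key} = {value}")
```

`diff_against_baseline` is the consumer-side check the second commit motivates: with features recorded per build, an SBOM consumer can detect that, say, `PACKAGECONFIG:ssl` flipped from `enabled` to `disabled` without reading the recipe.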
In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns
CVEs with a "Patched" status. We want to retrieve all annotations,
including those with an "Ignored" status. Therefore, to avoid modifying
the current API, we integrate the logic for retrieving all CVE_STATUS
values directly into `spdx30_task`.
(From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts part of commit 4859cdf97fd9a260036e148e25f0b78eb393df1e.
Modification of meta/classes/create-spdx-2.2.bbclass is not backported,
so no need to consider it.
In that commit, spdx is updated according to a bitbake change. But the
bitbake commit
* 2515fbd10 fetch: Drop multiple branch/revision support for single git urls
is not backported to scarthgap.
So revert the other parts of commit 4859cdf97fd9a260036e148e25f0b.
(From OE-Core rev: f3bfb98d1cf928678d9931308c116e9e6ec64ba5)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit fixes commit 08595b39b46ef2bf3a928d4528292ee31a990c98,
which adapts vex creation between function create_spdx, where all changes
were backported, and function get_patched_cves, where changes were not
backported.
CVE patches were previously ignored as they cannot be decoded from
CVE_STATUS variables and each caused a warning like:
WARNING: ncurses-native-6.4-r0 do_create_spdx: Skipping CVE-2023-50495 — missing or unknown CVE status
Master branch uses fix-file-included for CVE patches however since
cve-check-map.conf was not part of spdx-3.0 backport, closest one
available (backported-patch) was implemented.
(From OE-Core rev: 8d14b2bb02861612130f02c445392f34090ba5d9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changes to cve-check (see poky commit fb3f440b7d,
"cve-check: annotate CVEs during analysis") modified the
get_patched_cves() API to return a set of CVE IDs instead of a
dictionary of CVE metadata.
The SPDX 3 backport still expected a dictionary and attempted to call
.items(), leading to:
AttributeError: 'set' object has no attribute 'items'
This patch updates the SPDX3 code to iterate directly over the CVE IDs
and use `oe.cve_check.decode_cve_status()` to retrieve the mapping,
detail, and description for each CVE. This restores compatibility with
the updated CVE API and matches the behavior of SPDX3 handling on
Walnascar.
A warning is logged if a CVE has missing or unknown status.
(From OE-Core rev: 55fdeea44ffbecb705f7900bfa85ab88e1191878)
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
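The three CVE-related commits above (retrieving every CVE_STATUS annotation rather than only "Patched" ones, mapping CVE patches to `backported-patch`, and logging a warning for a missing or unknown status) can be illustrated with the following added example. It is not OE-Core's `oe.cve_check` code: the `"detail: description"` layout of CVE_STATUS values, the status map and the sample annotations are all constructed assumptions for this illustration.

```python
"""Decode CVE_STATUS annotations into (mapping, detail, description).

Added example only; the status map and sample data are assumptions, not
OE-Core's cve-check-map.conf.
"""
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("spdx3-example")

# Assumed mapping from CVE_STATUS detail to the coarse status category.
# OE-Core keeps the real table in cve-check-map.conf; this one is constructed.
STATUS_MAP: Dict[str, str] = {
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fix-file-included": "Patched",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
    "unpatched": "Unpatched",
}

# Constructed sample CVE_STATUS varflags for one recipe (hypothetical values).
SAMPLE_CVE_STATUS: Dict[str, str] = {
    "CVE-2023-50495": "backported-patch: fixed by CVE-2023-50495.patch",
    "CVE-2022-29458": "cpe-stable-backport: fixed in a later stable release",
    "CVE-2020-19189": "not-applicable-config: only reachable with --enable-foo",
    "CVE-2021-39537": "",                      # annotation present but empty
    "CVE-2019-17594": "made-up-detail: no such status",  # unknown detail
}


@dataclass(frozen=True)
class CveAnnotation:
    cve_id: str
    mapping: str       # Patched / Ignored / Unpatched
    detail: str        # e.g. backported-patch
    description: str   # free-text justification


def decode_cve_status(value: str) -> Tuple[Optional[str], str, str]:
    """Split a CVE_STATUS value into (mapping, detail, description).

    mapping is None when the detail is missing or not in STATUS_MAP, which
    mirrors the "missing or unknown CVE status" case the commits warn about.
    """
    if not value or not value.strip():
        return None, "", ""
    detail, _, description = value.partition(":")
    detail = detail.strip()
    return STATUS_MAP.get(detail), detail, description.strip()


def collect_cve_annotations(cve_status: Dict[str, str]) -> Tuple[List[CveAnnotation], List[str]]:
    """Return every decodable annotation (Patched *and* Ignored, unlike an
    API that only reports patched CVEs) plus the list of CVE IDs skipped
    because their status could not be decoded."""
    annotations: List[CveAnnotation] = []
    skipped: List[str] = []
    for cve_id in sorted(cve_status):
        mapping, detail, description = decode_cve_status(cve_status[cve_id])
        if mapping is None:
            log.warning("Skipping %s: missing or unknown CVE status", cve_id)
            skipped.append(cve_id)
            continue
        annotations.append(CveAnnotation(cve_id, mapping, detail, description))
    return annotations, skipped


def ids_with_mapping(annotations: List[CveAnnotation], mapping: str) -> List[str]:
    """Convenience filter, e.g. to list only Ignored CVEs for a VEX consumer."""
    return [a.cve_id for a in annotations if a.mapping == mapping]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    found, bad = collect_cve_annotations(SAMPLE_CVE_STATUS)
    for a in found:
        print(f"{a.cve_id}: {a.mapping} ({a.detail}) {a.description}")
    print("skipped:", bad)
```

The point worth checking in a backport is the one the last commit makes: if the upstream status map is not carried along, every detail that only exists upstream (here `fix-file-included` would be such a case if it were absent from `STATUS_MAP`) silently lands in the "skipped" list, and the SBOM loses the patched-CVE claims rather than mislabelling them.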
The add_download_files() function incorrectly accessed fd.name, which
does not exist on FetchData objects.
Change to use fd.names[0] to correctly retrieve the first filename.
This fixes AttributeError during SPDX document generation.
(From OE-Core rev: 17031d71cf4bc4fc19dd8a41c49b94e1f6a1edee)
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backports the SPDX 3.0 support and fixes from upstream walnascar
commit 49f47169953b807d430461ca33f3a2b076119712 into upstream
scarthgap.
(From OE-Core rev: 9c9b9545049a2f6e5c99edcb079275d29a4d1ac6)
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>