| Field | Value |
|---|---|
| Message ID | 20230213195413.3535358-1-saul.wold@windriver.com |
| State | Accepted, archived |
| Commit | 33ced8338f0facb412b5f24cf9df4a84226a2a94 |
| Series | create-spdx-2.2: Add support for custom Annotations |
On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <saul.wold@windriver.com> wrote:
>
> This change adds a new variable to track which recipe variables
> are added as SPDX Annotations.
>
> Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>

nit: CUSTOM

>
> The recipe spdx json will contain an annotation stanza that looks
> something like this:
>
> "annotations": [
> {
> "annotationDate": "2023-02-13T19:44:20Z",
> "annotationType": "OTHER",
> "annotator": "Tool: oe-spdx-creator - 1.0",
> "comment": "CUSTOM_VARIABLE=some value or string"
> },
>
> Signed-off-by: Saul Wold <saul.wold@windriver.com>
> ---
> meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
> index f0513af083b..e1bbf646ff9 100644
> --- a/meta/classes/create-spdx-2.2.bbclass
> +++ b/meta/classes/create-spdx-2.2.bbclass
> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>
> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>
> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
> +
> SPDX_ORG ??= "OpenEmbedded ()"
> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>
> return sources
>
> -
> python do_create_spdx() {
> from datetime import datetime, timezone
> import oe.sbom
> @@ -479,6 +480,10 @@ python do_create_spdx() {
> if description:
> recipe.description = description
>
> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
> + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
> + recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
> +

Seems reasonable. If we need more configuration options, I think we
can add it later with flags, e.g.

MY_VAR = "foo"
MY_VAR[spdx-annotator] = "Me!"
SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"

Also, in the future if users want package annotations, we can probably do:

SPDX_CUSTOM_ANNOTATION_VARS:${PN}

> # Some CVEs may be patched during the build process without incrementing the version number,
> # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
> # save the CVEs fixed by patches to source information field in the SPDX.
> --
> 2.25.1
>
On 2/13/23 12:03, Joshua Watt wrote:
> On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <saul.wold@windriver.com> wrote:
>>
>> This change adds a new variable to track which recipe variables
>> are added as SPDX Annotations.
>>
>> Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>
>
> nit: CUSTOM
>
v2 will come shortly (I will try to address the flags)

>>
>> The recipe spdx json will contain an annotation stanza that looks
>> something like this:
>>
>> "annotations": [
>> {
>> "annotationDate": "2023-02-13T19:44:20Z",
>> "annotationType": "OTHER",
>> "annotator": "Tool: oe-spdx-creator - 1.0",
>> "comment": "CUSTOM_VARIABLE=some value or string"
>> },
>>
>> Signed-off-by: Saul Wold <saul.wold@windriver.com>
>> ---
>> meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
>> index f0513af083b..e1bbf646ff9 100644
>> --- a/meta/classes/create-spdx-2.2.bbclass
>> +++ b/meta/classes/create-spdx-2.2.bbclass
>> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>>
>> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>>
>> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
>> +
>> SPDX_ORG ??= "OpenEmbedded ()"
>> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
>> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
>> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>>
>> return sources
>>
>> -
>> python do_create_spdx() {
>> from datetime import datetime, timezone
>> import oe.sbom
>> @@ -479,6 +480,10 @@ python do_create_spdx() {
>> if description:
>> recipe.description = description
>>
>> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
>> + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
>> + recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
>> +
>
> Seems reasonable. If we need more configuration options, I think we
> can add it later with flags, e.g.
>
> MY_VAR = "foo"
> MY_VAR[spdx-annotator] = "Me!"
> SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"
>
What did you think the output should be here? i.e. what does the comment
line contain? Today the annotation would contain:

"comment": "MY_VAR=foo"

What should the comment line contain if a flag or multiple flags exist?
Or the CUSTOM_ANNOTATION code only looks for one flag [spdx-annotator]?

"comment": "Me!=foo"

Thoughts?

> Also, in the future if users want package annotations, we can probably do:
>
> SPDX_CUSTOM_ANNOTATION_VARS:${PN}
>
Do you really mean SPDX_CUSTOM_ANNOTATIONS_VARS:pn-${PN}

I tested this and it appears to work, along with the :append:pn-${PN} style.

Sau!

>
>> # Some CVEs may be patched during the build process without incrementing the version number,
>> # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
>> # save the CVEs fixed by patches to source information field in the SPDX.
>> --
>> 2.25.1
>>
On 2/14/23 10:52, Saul Wold (local) wrote:
>
>
> On 2/13/23 12:03, Joshua Watt wrote:
>> On Mon, Feb 13, 2023 at 1:54 PM Saul Wold <saul.wold@windriver.com>
>> wrote:
>>>
>>> This change adds a new variable to track which recipe variables
>>> are added as SPDX Annotations.
>>>
>>> Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>
>>
>> nit: CUSTOM
>>
> v2 will come shortly (I will try to address the flags)

Sorry, I wasn't trying to say we needed to do that today; that was for
posterity. I'm fine with omitting the flags and adding them in later if
necessary; I don't have a crystal ball to tell what's needed today, so it
might be best to wait until we know.

>>>
>>> The recipe spdx json will contain an annotation stanza that looks
>>> something like this:
>>>
>>> "annotations": [
>>> {
>>> "annotationDate": "2023-02-13T19:44:20Z",
>>> "annotationType": "OTHER",
>>> "annotator": "Tool: oe-spdx-creator - 1.0",
>>> "comment": "CUSTOM_VARIABLE=some value or string"
>>> },
>>>
>>> Signed-off-by: Saul Wold <saul.wold@windriver.com>
>>> ---
>>> meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
>>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/meta/classes/create-spdx-2.2.bbclass
>>> b/meta/classes/create-spdx-2.2.bbclass
>>> index f0513af083b..e1bbf646ff9 100644
>>> --- a/meta/classes/create-spdx-2.2.bbclass
>>> +++ b/meta/classes/create-spdx-2.2.bbclass
>>> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>>>
>>> SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>>>
>>> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
>>> +
>>> SPDX_ORG ??= "OpenEmbedded ()"
>>> SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
>>> SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX
>>> packages created from \
>>> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>>>
>>> return sources
>>>
>>> -
>>> python do_create_spdx() {
>>> from datetime import datetime, timezone
>>> import oe.sbom
>>> @@ -479,6 +480,10 @@ python do_create_spdx() {
>>> if description:
>>> recipe.description = description
>>>
>>> + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
>>> + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split():
>>> + recipe.annotations.append(create_annotation(d, var +
>>> "=" + d.getVar(var)))
>>> +
>>
>> Seems reasonable. If we need more configuration options, I think we
>> can add it later with flags, e.g.
>>
>> MY_VAR = "foo"
>> MY_VAR[spdx-annotator] = "Me!"
>> SPDX_CUSTOM_ANNOTATION_VARS = "MY_VAR"
>>
> What did you think the output should be here? i.e. what does the comment
> line contain?
> Today the annotation would contain:
>
> "comment": "MY_VAR=foo"
>
> What should the comment line contain if a flag or multiple flags
> exist? Or the CUSTOM_ANNOTATION code only looks for one flag
> [spdx-annotator]?
>
> "comment": "Me!=foo"
>
> Thoughts?
>
>> Also, in the future if users want package annotations, we can
>> probably do:
>>
>> SPDX_CUSTOM_ANNOTATION_VARS:${PN}
>>
> Do you really mean SPDX_CUSTOM_ANNOTATIONS_VARS:pn-${PN}
>
> I tested this and it appears to work, along with the :append:pn-${PN}
> style.
>
> Sau!
>>
>>> # Some CVEs may be patched during the build process without
>>> incrementing the version number,
>>> # so querying for CVEs based on the CPE id can lead to false
>>> positives. To account for this,
>>> # save the CVEs fixed by patches to source information field
>>> in the SPDX.
>>> --
>>> 2.25.1
>>>
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index f0513af083b..e1bbf646ff9 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0" SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json" +SPDX_CUSTOM_ANNOTATION_VARS ??= "" + SPDX_ORG ??= "OpenEmbedded ()" SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}" SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \ @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes): return sources - python do_create_spdx() { from datetime import datetime, timezone import oe.sbom @@ -479,6 +480,10 @@ python do_create_spdx() { if description: recipe.description = description + if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"): + for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split(): + recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var))) + # Some CVEs may be patched during the build process without incrementing the version number, # so querying for CVEs based on the CPE id can lead to false positives. To account for this, # save the CVEs fixed by patches to source information field in the SPDX.
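Review bot: the new `SPDX_CUSTOM_ANNOTATION_VARS ??= ""` in the first hunk (`@@ -30,6 +30,8 @@`) has no `[doc]` flag, while the neighbouring `SPDX_SUPPLIER[doc] = "..."` shows this class documents its user-facing settings that way. Suggest adding a `SPDX_CUSTOM_ANNOTATION_VARS[doc]` line stating that it is a space-separated list of recipe variable names whose values are copied into the generated SPDX document, so users learn that listed values end up in the shipped SBOM.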
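Review bot: the second hunk (`@@ -402,7 +404,6 @@`) only deletes a blank line before `python do_create_spdx() {`, which has nothing to do with the annotation feature; drop it or move it to a separate whitespace commit so the change stays minimal and bisectable.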
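Review bot: in the third hunk (`@@ -479,6 +480,10 @@`), `d.getVar(var)` returns `None` when a listed variable is unset in the current recipe, so `var + "=" + d.getVar(var)` raises `TypeError` and fails `do_create_spdx` for every recipe that does not define it; read the value first (`value = d.getVar(var)`) and `continue` (optionally with `bb.warn`) or fall back to `""` when it is `None`. On the same lines, `SPDX_CUSTOM_ANNOTATION_VARS` is fetched twice with different quote styles (`"..."` then `'...'`); fetch it once into a local and use it for both the `if` and the `for`.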
This change adds a new variable to track which recipe variables
are added as SPDX Annotations.

Usage: add SPDX_CUSTOME_ANNOTATION_VARS = <some recipe variable>

The recipe spdx json will contain an annotation stanza that looks
something like this:

"annotations": [
  {
    "annotationDate": "2023-02-13T19:44:20Z",
    "annotationType": "OTHER",
    "annotator": "Tool: oe-spdx-creator - 1.0",
    "comment": "CUSTOM_VARIABLE=some value or string"
  },

Signed-off-by: Saul Wold <saul.wold@windriver.com>
---
meta/classes/create-spdx-2.2.bbclass | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)