
[v2,1/1] create-spdx-2.2: Add support for custom Annotations

Message ID 20230214172156.3799436-2-saul.wold@windriver.com
State Accepted, archived
Commit 33ced8338f0facb412b5f24cf9df4a84226a2a94
Series Add support for custom annotations in SPDX

Commit Message

Saul Wold Feb. 14, 2023, 5:21 p.m. UTC
This change adds a new variable to track which recipe variables
are added as SPDX Annotations.

Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>

The recipe spdx json will contain an annotation stanza that looks
something like this:

     "annotations": [
        {
          "annotationDate": "2023-02-13T19:44:20Z",
          "annotationType": "OTHER",
          "annotator": "Tool: oe-spdx-creator - 1.0",
          "comment": "CUSTOM_VARIABLE=some value or string"
        },

Signed-off-by: Saul Wold <saul.wold@windriver.com>
---
 meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
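To make the behaviour described in the commit message concrete, here is an added example (not code from the patch or from OpenEmbedded) that mirrors the loop the change introduces: split SPDX_CUSTOM_ANNOTATION_VARS on whitespace, skip variables that are unset or expand to empty, and emit one annotation per remaining variable in the JSON shape shown above. `FakeDataStore`, `ANNOTATOR`, `create_annotation(comment, when)` and `demo()` are assumptions made for the example; the real bbclass calls `create_annotation(d, ...)` whose body is not on the page, and a real BitBake datastore expands variables on `getVar`.

```python
from datetime import datetime, timezone


class FakeDataStore:
    """Constructed stand-in for BitBake's datastore: only getVar() is modelled,
    and values are stored already expanded."""

    def __init__(self, values):
        self._values = dict(values)

    def getVar(self, name):
        # Unset variables return None, like the real datastore.
        return self._values.get(name)


# Assumed annotator string, taken from the sample stanza in the commit message.
ANNOTATOR = "Tool: oe-spdx-creator - 1.0"


def create_annotation(comment, when=None):
    """Build one SPDX 2.2 annotation dict in the shape the commit message shows.
    Assumed signature; the bbclass's own create_annotation(d, comment) is not shown."""
    when = when or datetime.now(timezone.utc)
    return {
        "annotationDate": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "annotationType": "OTHER",
        "annotator": ANNOTATOR,
        "comment": comment,
    }


def custom_annotations(d, when=None):
    """Mirror the patch's loop: one annotation per listed variable that has a value.
    The expanded value lands verbatim in the SBOM's comment field, so whatever is
    listed here is published with the recipe's SPDX document."""
    annotations = []
    var_list = d.getVar("SPDX_CUSTOM_ANNOTATION_VARS")
    if not var_list:
        return annotations
    for var in var_list.split():
        value = d.getVar(var)  # read once; the patch reads it twice per iteration
        if value:              # unset or empty variables are silently skipped
            annotations.append(create_annotation(var + "=" + value, when))
    return annotations


def demo():
    """Constructed sample: one populated variable, one empty, one unset."""
    d = FakeDataStore({
        "SPDX_CUSTOM_ANNOTATION_VARS": "CUSTOM_VARIABLE  EMPTY_VAR UNSET_VAR",
        "CUSTOM_VARIABLE": "some value or string",
        "EMPTY_VAR": "",
    })
    when = datetime(2023, 2, 13, 19, 44, 20, tzinfo=timezone.utc)
    return custom_annotations(d, when)


if __name__ == "__main__":
    import json
    print(json.dumps({"annotations": demo()}, indent=2))
```

Running the block prints a single annotation for CUSTOM_VARIABLE; EMPTY_VAR and UNSET_VAR produce nothing and no warning, which is the same quiet behaviour the patch has and worth knowing when a listed variable does not show up in the SBOM.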

Comments

Alexandre Belloni Feb. 15, 2023, 10:33 a.m. UTC | #1
V1 got merged, can you rebase? :)

On 14/02/2023 09:21:56-0800, Saul Wold wrote:
> This change adds a new variable to track which recipe variables
> are added as SPDX Annotations.
> 
> Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>
> 
> The recipe spdx json will contain an annotation stanza that looks
> something like this:
> 
>      "annotations": [
>         {
>           "annotationDate": "2023-02-13T19:44:20Z",
>           "annotationType": "OTHER",
>           "annotator": "Tool: oe-spdx-creator - 1.0",
>           "comment": "CUSTOM_VARIABLE=some value or string"
>         },
> 
> Signed-off-by: Saul Wold <saul.wold@windriver.com>
> ---
>  meta/classes/create-spdx-2.2.bbclass | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
> index f0513af083b..bdc2e2c91e7 100644
> --- a/meta/classes/create-spdx-2.2.bbclass
> +++ b/meta/classes/create-spdx-2.2.bbclass
> @@ -30,6 +30,8 @@ SPDX_PRETTY ??= "0"
>  
>  SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
>  
> +SPDX_CUSTOM_ANNOTATION_VARS ??= ""
> +
>  SPDX_ORG ??= "OpenEmbedded ()"
>  SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
>  SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
> @@ -402,7 +404,6 @@ def collect_dep_sources(d, dep_recipes):
>  
>      return sources
>  
> -
>  python do_create_spdx() {
>      from datetime import datetime, timezone
>      import oe.sbom
> @@ -479,6 +480,11 @@ python do_create_spdx() {
>      if description:
>          recipe.description = description
>  
> +    if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
> +        for var in d.getVar("SPDX_CUSTOM_ANNOTATION_VARS").split():
> +            if d.getVar(var):
> +                recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
> +
>      # Some CVEs may be patched during the build process without incrementing the version number,
>      # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
>      # save the CVEs fixed by patches to source information field in the SPDX.
> -- 
> 2.25.1
> 


Patch

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index f0513af083b..bdc2e2c91e7 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -30,6 +30,8 @@  SPDX_PRETTY ??= "0"
 
 SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
 
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+
 SPDX_ORG ??= "OpenEmbedded ()"
 SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
 SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
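Review bot: the new `SPDX_CUSTOM_ANNOTATION_VARS ??= ""` default has no `[doc]` entry, while `SPDX_SUPPLIER[doc]` a few lines below shows this class documents its user-facing variables that way; add a one-line doc string stating that it is a space-separated list of recipe variable names and that each listed variable's expanded value is written verbatim into the recipe's SPDX document.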
@@ -402,7 +404,6 @@  def collect_dep_sources(d, dep_recipes):
 
     return sources
 
-
 python do_create_spdx() {
     from datetime import datetime, timezone
     import oe.sbom
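Review bot: the only change in this hunk is dropping the blank line between `return sources` and `python do_create_spdx() {`, which is whitespace cleanup unrelated to the annotation feature; either leave it out of this patch or mention it in the commit message so the diff matches what the message describes.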
@@ -479,6 +480,11 @@  python do_create_spdx() {
     if description:
         recipe.description = description
 
+    if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"):
+        for var in d.getVar("SPDX_CUSTOM_ANNOTATION_VARS").split():
+            if d.getVar(var):
+                recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var)))
+
     # Some CVEs may be patched during the build process without incrementing the version number,
     # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
     # save the CVEs fixed by patches to source information field in the SPDX.
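Review bot: the loop reads the datastore more often than needed: `d.getVar("SPDX_CUSTOM_ANNOTATION_VARS")` twice and `d.getVar(var)` twice per iteration. Bind once, e.g. `value = d.getVar(var)` / `if value:` / `recipe.annotations.append(create_annotation(d, var + "=" + value))`, so the value that is tested is the value that is recorded. Also note that `if d.getVar(var):` silently skips variables that are unset or expand to empty, and that the expanded value goes unchanged into the published SBOM; a `bb.warn` for a listed-but-unset variable would make a misconfigured SPDX_CUSTOM_ANNOTATION_VARS visible instead of producing an SBOM with the annotation quietly missing.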