@@ -29,6 +29,11 @@ SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
SPDX_ORG ??= "OpenEmbedded ()"
+SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
+SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
+ this recipe. For SPDX documents create using this class during the build, this \
+ is the contact information for the person or organization who is doing the \
+ build."
do_image_complete[depends] = "virtual/kernel:do_create_spdx"
@@ -425,6 +430,7 @@ python do_create_spdx() {
recipe.name = d.getVar("PN")
recipe.versionInfo = d.getVar("PV")
recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+ recipe.packageSupplier = d.getVar("SPDX_SUPPLIER")
if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
recipe.annotations.append(create_annotation(d, "isNative"))
@@ -534,6 +540,7 @@ python do_create_spdx() {
spdx_package.name = pkg_name
spdx_package.versionInfo = d.getVar("PV")
spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
+ spdx_package.packageSupplier = d.getVar("SPDX_SUPPLIER")
package_doc.packages.append(spdx_package)
@@ -826,6 +833,7 @@ python image_combine_spdx() {
image.name = d.getVar("PN")
image.versionInfo = d.getVar("PV")
image.SPDXID = oe.sbom.get_image_spdxid(image_name)
+ image.packageSupplier = d.getVar("SPDX_SUPPLIER")
doc.packages.append(image)
Per NIST SBoM recommendations, include the Package Supplier field for all SPDX packages that are created. This field should generally be set to the person or organization that is performing the build, since they would be considered the "supplier" of the SPDX packages. Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> --- meta/classes/create-spdx.bbclass | 8 ++++++++ 1 file changed, 8 insertions(+)