authorJoshua Watt <JPEWhacker@gmail.com>2022-01-27 16:48:52 -0600
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-02-07 10:08:59 +0000
commit1f8137196de0691a9cedd921637e1566b3e8cf59 (patch)
tree67cc5c24a56ab4b8e4786e44daa4f17283bcfda7 /meta/classes/create-spdx.bbclass
parenta97ef3f1d3cbbdc4ef46b02c12605ea4194ac594 (diff)
downloadpoky-1f8137196de0691a9cedd921637e1566b3e8cf59.tar.gz
classes/create-spdx: Add packageSupplier field
Per NIST SBoM recommendations, include the Package Supplier field for all SPDX packages that are created. This field should generally be set to the person or organization that is performing the build, since they would be considered the "supplier" of the SPDX packages. (From OE-Core rev: ca48349501e0ec93dc2448d064e1567fca390bf5) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/create-spdx.bbclass')
-rw-r--r--meta/classes/create-spdx.bbclass8
1 files changed, 8 insertions, 0 deletions
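--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -29,6 +29,11 @@ SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
 SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
 
 SPDX_ORG ??= "OpenEmbedded ()"
+SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
+SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
+this recipe. For SPDX documents create using this class during the build, this \
+is the contact information for the person or organization who is doing the \
+build."
 
 do_image_complete[depends] = "virtual/kernel:do_create_spdx"
 
@@ -425,6 +430,7 @@ python do_create_spdx() {
 recipe.name = d.getVar("PN")
 recipe.versionInfo = d.getVar("PV")
 recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
+recipe.packageSupplier = d.getVar("SPDX_SUPPLIER")
 if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
 recipe.annotations.append(create_annotation(d, "isNative"))
 
@@ -534,6 +540,7 @@ python do_create_spdx() {
 spdx_package.name = pkg_name
 spdx_package.versionInfo = d.getVar("PV")
 spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
+spdx_package.packageSupplier = d.getVar("SPDX_SUPPLIER")
 
 package_doc.packages.append(spdx_package)
 
@@ -826,6 +833,7 @@ python image_combine_spdx() {
 image.name = d.getVar("PN")
 image.versionInfo = d.getVar("PV")
 image.SPDXID = oe.sbom.get_image_spdxid(image_name)
+image.packageSupplier = d.getVar("SPDX_SUPPLIER")
 
 doc.packages.append(image)
 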
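Review bot: The default `SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"` in the first hunk resolves to `Organization: OpenEmbedded ()` unless a distro overrides `SPDX_ORG`, so out of the box every generated SBOM attributes its packages to a placeholder organization with an empty contact rather than to the party actually performing the build, which is what the `[doc]` text says the field should hold. Consumers who rely on PackageSupplier for provenance or vulnerability triage would then see the same generic supplier for every build from every vendor, so the doc string should say so explicitly, e.g. append `Builders should set SPDX_SUPPLIER (or SPDX_ORG) to their own identity; the default is only a placeholder.`, and `documents create using` should read `documents created using`. The value is also copied verbatim into `packageSupplier` at the three `d.getVar("SPDX_SUPPLIER")` sites without checking that it follows the `Person: ...`, `Organization: ...` or `NOASSERTION` form that, as I read the SPDX 2.x PackageSupplier definition, is the only accepted syntax, so a misconfigured override silently produces a document that validators will reject; a single `bb.warn` before the first assignment when the value matches none of those prefixes would surface that at build time. The enclosing `do_create_spdx` and `image_combine_spdx` functions start and end outside these hunks.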