diff options
| author | Saul Wold <Saul.Wold@windriver.com> | 2023-02-13 11:54:13 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-02-15 10:21:35 +0000 |
| commit | 4f1a0855afbfc886dc59cfaa79a11d0fed8eaa3e (patch) | |
| tree | 931736774277d992b0d9ef1b39273e7f15f6970d /meta/classes | |
| parent | af5e8ae3a23cdc5c6ea65a820530171ca5157b73 (diff) | |
| download | poky-4f1a0855afbfc886dc59cfaa79a11d0fed8eaa3e.tar.gz | |
create-spdx-2.2: Add support for custom Annotations
This change adds a new variable to track which recipe variables
are added as SPDX Annotations.
Usage: add SPDX_CUSTOM_ANNOTATION_VARS = <some recipe variable>
The recipe spdx json will contain an annotation stanza that looks
something like this:
"annotations": [
{
"annotationDate": "2023-02-13T19:44:20Z",
"annotationType": "OTHER",
"annotator": "Tool: oe-spdx-creator - 1.0",
"comment": "CUSTOM_VARIABLE=some value or string"
},
(From OE-Core rev: 33ced8338f0facb412b5f24cf9df4a84226a2a94)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
| -rw-r--r-- | meta/classes/create-spdx-2.2.bbclass | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 9aede86870..28a42e009f 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass | |||
| @@ -32,6 +32,8 @@ SPDX_PRETTY ??= "0" | |||
| 32 | 32 | ||
| 33 | SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json" | 33 | SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json" |
| 34 | 34 | ||
| 35 | SPDX_CUSTOM_ANNOTATION_VARS ??= "" | ||
| 36 | |||
| 35 | SPDX_ORG ??= "OpenEmbedded ()" | 37 | SPDX_ORG ??= "OpenEmbedded ()" |
| 36 | SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}" | 38 | SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}" |
| 37 | SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \ | 39 | SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \ |
| @@ -404,7 +406,6 @@ def collect_dep_sources(d, dep_recipes): | |||
| 404 | 406 | ||
| 405 | return sources | 407 | return sources |
| 406 | 408 | ||
| 407 | |||
| 408 | python do_create_spdx() { | 409 | python do_create_spdx() { |
| 409 | from datetime import datetime, timezone | 410 | from datetime import datetime, timezone |
| 410 | import oe.sbom | 411 | import oe.sbom |
| @@ -481,6 +482,10 @@ python do_create_spdx() { | |||
| 481 | if description: | 482 | if description: |
| 482 | recipe.description = description | 483 | recipe.description = description |
| 483 | 484 | ||
| 485 | if d.getVar("SPDX_CUSTOM_ANNOTATION_VARS"): | ||
| 486 | for var in d.getVar('SPDX_CUSTOM_ANNOTATION_VARS').split(): | ||
| 487 | recipe.annotations.append(create_annotation(d, var + "=" + d.getVar(var))) | ||
| 488 | |||
| 484 | # Some CVEs may be patched during the build process without incrementing the version number, | 489 | # Some CVEs may be patched during the build process without incrementing the version number, |
| 485 | # so querying for CVEs based on the CPE id can lead to false positives. To account for this, | 490 | # so querying for CVEs based on the CPE id can lead to false positives. To account for this, |
| 486 | # save the CVEs fixed by patches to source information field in the SPDX. | 491 | # save the CVEs fixed by patches to source information field in the SPDX. |