summaryrefslogtreecommitdiffstats
path: root/meta/lib
diff options
context:
space:
mode:
authorJoshua Watt <JPEWhacker@gmail.com>2024-07-12 09:58:20 -0600
committerRichard Purdie <richard.purdie@linuxfoundation.org>2024-07-16 14:55:53 +0100
commit87c60b9a5ae539f161bb427e5d28366f2c037f5e (patch)
tree4f5661db5d898695578b25b52701f856e7276ba7 /meta/lib
parent9850df1b6051cefdef4f6f9acd93cc93ab2b8b75 (diff)
downloadpoky-87c60b9a5ae539f161bb427e5d28366f2c037f5e.tar.gz
classes/create-spdx-3.0: Move tasks to library
Move the bulk of the python code in the SPDX 3.0 classes into a library file (From OE-Core rev: aed6f8c1c2e291bde4d7172742790fa535b2fc7d) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib')
-rw-r--r--meta/lib/oe/spdx30_tasks.py1229
1 files changed, 1229 insertions, 0 deletions
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
new file mode 100644
index 0000000000..59fd875074
--- /dev/null
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -0,0 +1,1229 @@
1#
2# Copyright OpenEmbedded Contributors
3#
4# SPDX-License-Identifier: GPL-2.0-only
5#
6
7import json
8import oe.cve_check
9import oe.packagedata
10import oe.patch
11import oe.sbom30
12import oe.spdx30
13import oe.spdx_common
14import oe.sdk
15import os
16
17from contextlib import contextmanager
18from datetime import datetime, timezone
19from pathlib import Path
20
21
22def set_timestamp_now(d, o, prop):
23 if d.getVar("SPDX_INCLUDE_TIMESTAMPS") == "1":
24 setattr(o, prop, datetime.now(timezone.utc))
25 else:
26 # Doing this helps to validated that the property actually exists, and
27 # also that it is not mandatory
28 delattr(o, prop)
29
30
31def add_license_expression(d, objset, license_expression):
32 license_data = d.getVar("SPDX_LICENSE_DATA")
33 simple_license_text = {}
34 license_text_map = {}
35 license_ref_idx = 0
36
37 def add_license_text(name):
38 nonlocal objset
39 nonlocal simple_license_text
40
41 if name in simple_license_text:
42 return simple_license_text[name]
43
44 lic = objset.find_filter(
45 oe.spdx30.simplelicensing_SimpleLicensingText,
46 name=name,
47 )
48
49 if lic is not None:
50 simple_license_text[name] = lic
51 return lic
52
53 lic = objset.add(
54 oe.spdx30.simplelicensing_SimpleLicensingText(
55 _id=objset.new_spdxid("license-text", name),
56 creationInfo=objset.doc.creationInfo,
57 name=name,
58 )
59 )
60 simple_license_text[name] = lic
61
62 if name == "PD":
63 lic.simplelicensing_licenseText = "Software released to the public domain"
64 return lic
65
66 # Seach for the license in COMMON_LICENSE_DIR and LICENSE_PATH
67 for directory in [d.getVar("COMMON_LICENSE_DIR")] + (
68 d.getVar("LICENSE_PATH") or ""
69 ).split():
70 try:
71 with (Path(directory) / name).open(errors="replace") as f:
72 lic.simplelicensing_licenseText = f.read()
73 return lic
74
75 except FileNotFoundError:
76 pass
77
78 # If it's not SPDX or PD, then NO_GENERIC_LICENSE must be set
79 filename = d.getVarFlag("NO_GENERIC_LICENSE", name)
80 if filename:
81 filename = d.expand("${S}/" + filename)
82 with open(filename, errors="replace") as f:
83 lic.simplelicensing_licenseText = f.read()
84 return lic
85 else:
86 bb.fatal("Cannot find any text for license %s" % name)
87
88 def convert(l):
89 nonlocal license_text_map
90 nonlocal license_ref_idx
91
92 if l == "(" or l == ")":
93 return l
94
95 if l == "&":
96 return "AND"
97
98 if l == "|":
99 return "OR"
100
101 if l == "CLOSED":
102 return "NONE"
103
104 spdx_license = d.getVarFlag("SPDXLICENSEMAP", l) or l
105 if spdx_license in license_data["licenses"]:
106 return spdx_license
107
108 spdx_license = "LicenseRef-" + l
109 if spdx_license not in license_text_map:
110 license_text_map[spdx_license] = add_license_text(l)._id
111
112 return spdx_license
113
114 lic_split = (
115 license_expression.replace("(", " ( ")
116 .replace(")", " ) ")
117 .replace("|", " | ")
118 .replace("&", " & ")
119 .split()
120 )
121 spdx_license_expression = " ".join(convert(l) for l in lic_split)
122
123 return objset.new_license_expression(spdx_license_expression, license_text_map)
124
125
126def add_package_files(
127 d,
128 objset,
129 topdir,
130 get_spdxid,
131 get_purposes,
132 *,
133 archive=None,
134 ignore_dirs=[],
135 ignore_top_level_dirs=[],
136):
137 source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
138 if source_date_epoch:
139 source_date_epoch = int(source_date_epoch)
140
141 spdx_files = set()
142
143 file_counter = 1
144 for subdir, dirs, files in os.walk(topdir):
145 dirs[:] = [d for d in dirs if d not in ignore_dirs]
146 if subdir == str(topdir):
147 dirs[:] = [d for d in dirs if d not in ignore_top_level_dirs]
148
149 for file in files:
150 filepath = Path(subdir) / file
151 if filepath.is_symlink() or not filepath.is_file():
152 continue
153
154 bb.debug(1, "Adding file %s to %s" % (filepath, objset.doc._id))
155
156 filename = str(filepath.relative_to(topdir))
157 file_purposes = get_purposes(filepath)
158
159 spdx_file = objset.new_file(
160 get_spdxid(file_counter),
161 filename,
162 filepath,
163 purposes=file_purposes,
164 )
165 spdx_files.add(spdx_file)
166
167 if oe.spdx30.software_SoftwarePurpose.source in file_purposes:
168 objset.scan_declared_licenses(spdx_file, filepath)
169
170 if archive is not None:
171 with filepath.open("rb") as f:
172 info = archive.gettarinfo(fileobj=f)
173 info.name = filename
174 info.uid = 0
175 info.gid = 0
176 info.uname = "root"
177 info.gname = "root"
178
179 if source_date_epoch is not None and info.mtime > source_date_epoch:
180 info.mtime = source_date_epoch
181
182 archive.addfile(info, f)
183
184 file_counter += 1
185
186 return spdx_files
187
188
189def get_package_sources_from_debug(
190 d, package, package_files, sources, source_hash_cache
191):
192 def file_path_match(file_path, pkg_file):
193 if file_path.lstrip("/") == pkg_file.name.lstrip("/"):
194 return True
195
196 for e in pkg_file.extension:
197 if isinstance(e, oe.sbom30.OEFileNameAliasExtension):
198 for a in e.aliases:
199 if file_path.lstrip("/") == a.lstrip("/"):
200 return True
201
202 return False
203
204 debug_search_paths = [
205 Path(d.getVar("PKGD")),
206 Path(d.getVar("STAGING_DIR_TARGET")),
207 Path(d.getVar("STAGING_DIR_NATIVE")),
208 Path(d.getVar("STAGING_KERNEL_DIR")),
209 ]
210
211 pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)
212
213 if pkg_data is None:
214 return
215
216 dep_source_files = set()
217
218 for file_path, file_data in pkg_data["files_info"].items():
219 if not "debugsrc" in file_data:
220 continue
221
222 if not any(file_path_match(file_path, pkg_file) for pkg_file in package_files):
223 bb.fatal(
224 "No package file found for %s in %s; SPDX found: %s"
225 % (str(file_path), package, " ".join(p.name for p in package_files))
226 )
227 continue
228
229 for debugsrc in file_data["debugsrc"]:
230 for search in debug_search_paths:
231 if debugsrc.startswith("/usr/src/kernel"):
232 debugsrc_path = search / debugsrc.replace("/usr/src/kernel/", "")
233 else:
234 debugsrc_path = search / debugsrc.lstrip("/")
235
236 if debugsrc_path in source_hash_cache:
237 file_sha256 = source_hash_cache[debugsrc_path]
238 if file_sha256 is None:
239 continue
240 else:
241 if not debugsrc_path.exists():
242 source_hash_cache[debugsrc_path] = None
243 continue
244
245 file_sha256 = bb.utils.sha256_file(debugsrc_path)
246 source_hash_cache[debugsrc_path] = file_sha256
247
248 if file_sha256 in sources:
249 source_file = sources[file_sha256]
250 dep_source_files.add(source_file)
251 else:
252 bb.debug(
253 1,
254 "Debug source %s with SHA256 %s not found in any dependency"
255 % (str(debugsrc_path), file_sha256),
256 )
257 break
258 else:
259 bb.debug(1, "Debug source %s not found" % debugsrc)
260
261 return dep_source_files
262
263
264def collect_dep_objsets(d, build):
265 deps = oe.spdx_common.get_spdx_deps(d)
266
267 dep_objsets = []
268 dep_builds = set()
269
270 dep_build_spdxids = set()
271 for dep in deps:
272 bb.debug(1, "Fetching SPDX for dependency %s" % (dep.pn))
273 dep_build, dep_objset = oe.sbom30.find_root_obj_in_jsonld(
274 d, "recipes", dep.pn, oe.spdx30.build_Build
275 )
276 # If the dependency is part of the taskhash, return it to be linked
277 # against. Otherwise, it cannot be linked against because this recipe
278 # will not rebuilt if dependency changes
279 if dep.in_taskhash:
280 dep_objsets.append(dep_objset)
281
282 # The build _can_ be linked against (by alias)
283 dep_builds.add(dep_build)
284
285 return dep_objsets, dep_builds
286
287
288def collect_dep_sources(dep_objsets):
289 sources = {}
290 for objset in dep_objsets:
291 # Don't collect sources from native recipes as they
292 # match non-native sources also.
293 if objset.is_native():
294 continue
295
296 bb.debug(1, "Fetching Sources for dependency %s" % (objset.doc.name))
297
298 dep_build = objset.find_root(oe.spdx30.build_Build)
299 if not dep_build:
300 bb.fatal("Unable to find a build")
301
302 for e in objset.foreach_type(oe.spdx30.Relationship):
303 if dep_build is not e.from_:
304 continue
305
306 if e.relationshipType != oe.spdx30.RelationshipType.hasInputs:
307 continue
308
309 for to in e.to:
310 if not isinstance(to, oe.spdx30.software_File):
311 continue
312
313 if (
314 to.software_primaryPurpose
315 != oe.spdx30.software_SoftwarePurpose.source
316 ):
317 continue
318
319 for v in to.verifiedUsing:
320 if v.algorithm == oe.spdx30.HashAlgorithm.sha256:
321 sources[v.hashValue] = to
322 break
323 else:
324 bb.fatal(
325 "No SHA256 found for %s in %s" % (to.name, objset.doc.name)
326 )
327
328 return sources
329
330
331def add_download_files(d, objset):
332 inputs = set()
333
334 urls = d.getVar("SRC_URI").split()
335 fetch = bb.fetch2.Fetch(urls, d)
336
337 for download_idx, src_uri in enumerate(urls):
338 fd = fetch.ud[src_uri]
339
340 for name in fd.names:
341 file_name = os.path.basename(fetch.localpath(src_uri))
342 if oe.patch.patch_path(src_uri, fetch, "", expand=False):
343 primary_purpose = oe.spdx30.software_SoftwarePurpose.patch
344 else:
345 primary_purpose = oe.spdx30.software_SoftwarePurpose.source
346
347 if fd.type == "file":
348 if os.path.isdir(fd.localpath):
349 walk_idx = 1
350 for root, dirs, files in os.walk(fd.localpath):
351 for f in files:
352 f_path = os.path.join(root, f)
353 if os.path.islink(f_path):
354 # TODO: SPDX doesn't support symlinks yet
355 continue
356
357 file = objset.new_file(
358 objset.new_spdxid(
359 "source", str(download_idx + 1), str(walk_idx)
360 ),
361 os.path.join(
362 file_name, os.path.relpath(f_path, fd.localpath)
363 ),
364 f_path,
365 purposes=[primary_purpose],
366 )
367
368 inputs.add(file)
369 walk_idx += 1
370
371 else:
372 file = objset.new_file(
373 objset.new_spdxid("source", str(download_idx + 1)),
374 file_name,
375 fd.localpath,
376 purposes=[primary_purpose],
377 )
378 inputs.add(file)
379
380 else:
381 uri = fd.type
382 proto = getattr(fd, "proto", None)
383 if proto is not None:
384 uri = uri + "+" + proto
385 uri = uri + "://" + fd.host + fd.path
386
387 if fd.method.supports_srcrev():
388 uri = uri + "@" + fd.revisions[name]
389
390 dl = objset.add(
391 oe.spdx30.software_Package(
392 _id=objset.new_spdxid("source", str(download_idx + 1)),
393 creationInfo=objset.doc.creationInfo,
394 name=file_name,
395 software_primaryPurpose=primary_purpose,
396 software_downloadLocation=uri,
397 )
398 )
399
400 if fd.method.supports_checksum(fd):
401 # TODO Need something better than hard coding this
402 for checksum_id in ["sha256", "sha1"]:
403 expected_checksum = getattr(
404 fd, "%s_expected" % checksum_id, None
405 )
406 if expected_checksum is None:
407 continue
408
409 dl.verifiedUsing.append(
410 oe.spdx30.Hash(
411 algorithm=getattr(oe.spdx30.HashAlgorithm, checksum_id),
412 hashValue=expected_checksum,
413 )
414 )
415
416 inputs.add(dl)
417
418 return inputs
419
420
421def set_purposes(d, element, *var_names, force_purposes=[]):
422 purposes = force_purposes[:]
423
424 for var_name in var_names:
425 val = d.getVar(var_name)
426 if val:
427 purposes.extend(val.split())
428 break
429
430 if not purposes:
431 bb.warn("No SPDX purposes found in %s" % " ".join(var_names))
432 return
433
434 element.software_primaryPurpose = getattr(
435 oe.spdx30.software_SoftwarePurpose, purposes[0]
436 )
437 element.software_additionalPurpose = [
438 getattr(oe.spdx30.software_SoftwarePurpose, p) for p in purposes[1:]
439 ]
440
441
442def create_spdx(d):
443 def set_var_field(var, obj, name, package=None):
444 val = None
445 if package:
446 val = d.getVar("%s:%s" % (var, package))
447
448 if not val:
449 val = d.getVar(var)
450
451 if val:
452 setattr(obj, name, val)
453
454 deploydir = Path(d.getVar("SPDXDEPLOY"))
455 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
456 spdx_workdir = Path(d.getVar("SPDXWORK"))
457 include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
458 pkg_arch = d.getVar("SSTATE_PKGARCH")
459 is_native = bb.data.inherits_class("native", d) or bb.data.inherits_class(
460 "cross", d
461 )
462 include_vex = d.getVar("SPDX_INCLUDE_VEX")
463 if not include_vex in ("none", "current", "all"):
464 bb.fatal("SPDX_INCLUDE_VEX must be one of 'none', 'current', 'all'")
465
466 build_objset = oe.sbom30.ObjectSet.new_objset(d, d.getVar("PN"))
467
468 build = build_objset.new_task_build("recipe", "recipe")
469 build_objset.doc.rootElement.append(build)
470
471 build_objset.set_is_native(is_native)
472
473 for var in (d.getVar("SPDX_CUSTOM_ANNOTATION_VARS") or "").split():
474 new_annotation(
475 d,
476 build_objset,
477 build,
478 "%s=%s" % (var, d.getVar(var)),
479 oe.spdx30.AnnotationType.other,
480 )
481
482 build_inputs = set()
483
484 # Add CVEs
485 cve_by_status = {}
486 if include_vex != "none":
487 for cve in d.getVarFlags("CVE_STATUS") or {}:
488 status, detail, description = oe.cve_check.decode_cve_status(d, cve)
489
490 # If this CVE is fixed upstream, skip it unless all CVEs are
491 # specified.
492 if include_vex != "all" and detail in (
493 "fixed-version",
494 "cpe-stable-backport",
495 ):
496 bb.debug(1, "Skipping %s since it is already fixed upstream" % cve)
497 continue
498
499 cve_by_status.setdefault(status, {})[cve] = (
500 build_objset.new_cve_vuln(cve),
501 detail,
502 description,
503 )
504
505 cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
506
507 source_files = add_download_files(d, build_objset)
508 build_inputs |= source_files
509
510 recipe_spdx_license = add_license_expression(d, build_objset, d.getVar("LICENSE"))
511 build_objset.new_relationship(
512 source_files,
513 oe.spdx30.RelationshipType.hasConcludedLicense,
514 [recipe_spdx_license],
515 )
516
517 if oe.spdx_common.process_sources(d) and include_sources:
518 bb.debug(1, "Adding source files to SPDX")
519 oe.spdx_common.get_patched_src(d)
520
521 build_inputs |= add_package_files(
522 d,
523 build_objset,
524 spdx_workdir,
525 lambda file_counter: build_objset.new_spdxid(
526 "sourcefile", str(file_counter)
527 ),
528 lambda filepath: [oe.spdx30.software_SoftwarePurpose.source],
529 ignore_dirs=[".git"],
530 ignore_top_level_dirs=["temp"],
531 archive=None,
532 )
533
534 dep_objsets, dep_builds = collect_dep_objsets(d, build)
535 if dep_builds:
536 build_objset.new_scoped_relationship(
537 [build],
538 oe.spdx30.RelationshipType.dependsOn,
539 oe.spdx30.LifecycleScopeType.build,
540 sorted(oe.sbom30.get_element_link_id(b) for b in dep_builds),
541 )
542
543 debug_source_ids = set()
544 source_hash_cache = {}
545
546 # Write out the package SPDX data now. It is not complete as we cannot
547 # write the runtime data, so write it to a staging area and a later task
548 # will write out the final collection
549
550 # TODO: Handle native recipe output
551 if not is_native:
552 bb.debug(1, "Collecting Dependency sources files")
553 sources = collect_dep_sources(dep_objsets)
554
555 bb.build.exec_func("read_subpackage_metadata", d)
556
557 pkgdest = Path(d.getVar("PKGDEST"))
558 for package in d.getVar("PACKAGES").split():
559 if not oe.packagedata.packaged(package, d):
560 continue
561
562 pkg_name = d.getVar("PKG:%s" % package) or package
563
564 bb.debug(1, "Creating SPDX for package %s" % pkg_name)
565
566 pkg_objset = oe.sbom30.ObjectSet.new_objset(d, pkg_name)
567
568 spdx_package = pkg_objset.add_root(
569 oe.spdx30.software_Package(
570 _id=pkg_objset.new_spdxid("package", pkg_name),
571 creationInfo=pkg_objset.doc.creationInfo,
572 name=pkg_name,
573 software_packageVersion=d.getVar("PV"),
574 )
575 )
576 set_timestamp_now(d, spdx_package, "builtTime")
577
578 set_purposes(
579 d,
580 spdx_package,
581 "SPDX_PACKAGE_ADDITIONAL_PURPOSE:%s" % package,
582 "SPDX_PACKAGE_ADDITIONAL_PURPOSE",
583 force_purposes=["install"],
584 )
585
586 supplier = build_objset.new_agent("SPDX_PACKAGE_SUPPLIER")
587 if supplier is not None:
588 spdx_package.supplier = (
589 supplier if isinstance(supplier, str) else supplier._id
590 )
591
592 set_var_field(
593 "HOMEPAGE", spdx_package, "software_homePage", package=package
594 )
595 set_var_field("SUMMARY", spdx_package, "summary", package=package)
596 set_var_field("DESCRIPTION", spdx_package, "description", package=package)
597
598 pkg_objset.new_scoped_relationship(
599 [build._id],
600 oe.spdx30.RelationshipType.hasOutputs,
601 oe.spdx30.LifecycleScopeType.build,
602 [spdx_package],
603 )
604
605 for cpe_id in cpe_ids:
606 spdx_package.externalIdentifier.append(
607 oe.spdx30.ExternalIdentifier(
608 externalIdentifierType=oe.spdx30.ExternalIdentifierType.cpe23,
609 identifier=cpe_id,
610 )
611 )
612
613 # TODO: Generate a file for each actual IPK/DEB/RPM/TGZ file
614 # generated and link it to the package
615 # spdx_package_file = pkg_objset.add(oe.spdx30.software_File(
616 # _id=pkg_objset.new_spdxid("distribution", pkg_name),
617 # creationInfo=pkg_objset.doc.creationInfo,
618 # name=pkg_name,
619 # software_primaryPurpose=spdx_package.software_primaryPurpose,
620 # software_additionalPurpose=spdx_package.software_additionalPurpose,
621 # ))
622 # set_timestamp_now(d, spdx_package_file, "builtTime")
623
624 ## TODO add hashes
625 # pkg_objset.new_relationship(
626 # [spdx_package],
627 # oe.spdx30.RelationshipType.hasDistributionArtifact,
628 # [spdx_package_file],
629 # )
630
631 # NOTE: licenses live in the recipe collection and are referenced
632 # by ID in the package collection(s). This helps reduce duplication
633 # (since a lot of packages will have the same license), and also
634 # prevents duplicate license SPDX IDs in the packages
635 package_license = d.getVar("LICENSE:%s" % package)
636 if package_license and package_license != d.getVar("LICENSE"):
637 package_spdx_license = add_license_expression(
638 d, build_objset, package_license
639 )
640 else:
641 package_spdx_license = recipe_spdx_license
642
643 pkg_objset.new_relationship(
644 [spdx_package],
645 oe.spdx30.RelationshipType.hasConcludedLicense,
646 [package_spdx_license._id],
647 )
648
649 # NOTE: CVE Elements live in the recipe collection
650 all_cves = set()
651 for status, cves in cve_by_status.items():
652 for cve, items in cves.items():
653 spdx_cve, detail, description = items
654
655 all_cves.add(spdx_cve._id)
656
657 if status == "Patched":
658 pkg_objset.new_vex_patched_relationship(
659 [spdx_cve._id], [spdx_package]
660 )
661 elif status == "Unpatched":
662 pkg_objset.new_vex_unpatched_relationship(
663 [spdx_cve._id], [spdx_package]
664 )
665 elif status == "Ignored":
666 spdx_vex = pkg_objset.new_vex_ignored_relationship(
667 [spdx_cve._id],
668 [spdx_package],
669 impact_statement=description,
670 )
671
672 if detail in (
673 "ignored",
674 "cpe-incorrect",
675 "disputed",
676 "upstream-wontfix",
677 ):
678 # VEX doesn't have justifications for this
679 pass
680 elif detail in (
681 "not-applicable-config",
682 "not-applicable-platform",
683 ):
684 for v in spdx_vex:
685 v.security_justificationType = (
686 oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
687 )
688 else:
689 bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
690 else:
691 bb.fatal(f"Unknown CVE status {status}")
692
693 if all_cves:
694 pkg_objset.new_relationship(
695 [spdx_package],
696 oe.spdx30.RelationshipType.hasAssociatedVulnerability,
697 sorted(list(all_cves)),
698 )
699
700 bb.debug(1, "Adding package files to SPDX for package %s" % pkg_name)
701 package_files = add_package_files(
702 d,
703 pkg_objset,
704 pkgdest / package,
705 lambda file_counter: pkg_objset.new_spdxid(
706 "package", pkg_name, "file", str(file_counter)
707 ),
708 # TODO: Can we know the purpose here?
709 lambda filepath: [],
710 ignore_top_level_dirs=["CONTROL", "DEBIAN"],
711 archive=None,
712 )
713
714 if package_files:
715 pkg_objset.new_relationship(
716 [spdx_package],
717 oe.spdx30.RelationshipType.contains,
718 sorted(list(package_files)),
719 )
720
721 if include_sources:
722 debug_sources = get_package_sources_from_debug(
723 d, package, package_files, sources, source_hash_cache
724 )
725 debug_source_ids |= set(
726 oe.sbom30.get_element_link_id(d) for d in debug_sources
727 )
728
729 oe.sbom30.write_recipe_jsonld_doc(
730 d, pkg_objset, "packages-staging", deploydir, create_spdx_id_links=False
731 )
732
733 if include_sources:
734 bb.debug(1, "Adding sysroot files to SPDX")
735 sysroot_files = add_package_files(
736 d,
737 build_objset,
738 d.expand("${COMPONENTS_DIR}/${PACKAGE_ARCH}/${PN}"),
739 lambda file_counter: build_objset.new_spdxid("sysroot", str(file_counter)),
740 lambda filepath: [],
741 archive=None,
742 )
743
744 if sysroot_files:
745 build_objset.new_scoped_relationship(
746 [build],
747 oe.spdx30.RelationshipType.hasOutputs,
748 oe.spdx30.LifecycleScopeType.build,
749 sorted(list(sysroot_files)),
750 )
751
752 if build_inputs or debug_source_ids:
753 build_objset.new_scoped_relationship(
754 [build],
755 oe.spdx30.RelationshipType.hasInputs,
756 oe.spdx30.LifecycleScopeType.build,
757 sorted(list(build_inputs)) + sorted(list(debug_source_ids)),
758 )
759
760 oe.sbom30.write_recipe_jsonld_doc(d, build_objset, "recipes", deploydir)
761
762
763def create_package_spdx(d):
764 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
765 deploydir = Path(d.getVar("SPDXRUNTIMEDEPLOY"))
766 is_native = bb.data.inherits_class("native", d) or bb.data.inherits_class(
767 "cross", d
768 )
769
770 providers = oe.spdx_common.collect_package_providers(d)
771 pkg_arch = d.getVar("SSTATE_PKGARCH")
772
773 if is_native:
774 return
775
776 bb.build.exec_func("read_subpackage_metadata", d)
777
778 dep_package_cache = {}
779
780 # Any element common to all packages that need to be referenced by ID
781 # should be written into this objset set
782 common_objset = oe.sbom30.ObjectSet.new_objset(
783 d, "%s-package-common" % d.getVar("PN")
784 )
785
786 pkgdest = Path(d.getVar("PKGDEST"))
787 for package in d.getVar("PACKAGES").split():
788 localdata = bb.data.createCopy(d)
789 pkg_name = d.getVar("PKG:%s" % package) or package
790 localdata.setVar("PKG", pkg_name)
791 localdata.setVar("OVERRIDES", d.getVar("OVERRIDES", False) + ":" + package)
792
793 if not oe.packagedata.packaged(package, localdata):
794 continue
795
796 spdx_package, pkg_objset = oe.sbom30.load_obj_in_jsonld(
797 d,
798 pkg_arch,
799 "packages-staging",
800 pkg_name,
801 oe.spdx30.software_Package,
802 software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.install,
803 )
804
805 # We will write out a new collection, so link it to the new
806 # creation info in the common package data. The old creation info
807 # should still exist and be referenced by all the existing elements
808 # in the package
809 pkg_objset.creationInfo = pkg_objset.copy_creation_info(
810 common_objset.doc.creationInfo
811 )
812
813 runtime_spdx_deps = set()
814
815 deps = bb.utils.explode_dep_versions2(localdata.getVar("RDEPENDS") or "")
816 seen_deps = set()
817 for dep, _ in deps.items():
818 if dep in seen_deps:
819 continue
820
821 if dep not in providers:
822 continue
823
824 (dep, _) = providers[dep]
825
826 if not oe.packagedata.packaged(dep, localdata):
827 continue
828
829 dep_pkg_data = oe.packagedata.read_subpkgdata_dict(dep, d)
830 dep_pkg = dep_pkg_data["PKG"]
831
832 if dep in dep_package_cache:
833 dep_spdx_package = dep_package_cache[dep]
834 else:
835 bb.debug(1, "Searching for %s" % dep_pkg)
836 dep_spdx_package, _ = oe.sbom30.find_root_obj_in_jsonld(
837 d,
838 "packages-staging",
839 dep_pkg,
840 oe.spdx30.software_Package,
841 software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.install,
842 )
843 dep_package_cache[dep] = dep_spdx_package
844
845 runtime_spdx_deps.add(dep_spdx_package)
846 seen_deps.add(dep)
847
848 if runtime_spdx_deps:
849 pkg_objset.new_scoped_relationship(
850 [spdx_package],
851 oe.spdx30.RelationshipType.dependsOn,
852 oe.spdx30.LifecycleScopeType.runtime,
853 [oe.sbom30.get_element_link_id(dep) for dep in runtime_spdx_deps],
854 )
855
856 oe.sbom30.write_recipe_jsonld_doc(d, pkg_objset, "packages", deploydir)
857
858 oe.sbom30.write_recipe_jsonld_doc(d, common_objset, "common-package", deploydir)
859
860
861def write_bitbake_spdx(d):
862 # Set PN to "bitbake" so that SPDX IDs can be generated
863 d.setVar("PN", "bitbake")
864 d.setVar("BB_TASKHASH", "bitbake")
865 oe.spdx_common.load_spdx_license_data(d)
866
867 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
868
869 objset = oe.sbom30.ObjectSet.new_objset(d, "bitbake", False)
870
871 host_import_key = d.getVar("SPDX_BUILD_HOST")
872 invoked_by = objset.new_agent("SPDX_INVOKED_BY", add=False)
873 on_behalf_of = objset.new_agent("SPDX_ON_BEHALF_OF", add=False)
874
875 if d.getVar("SPDX_INCLUDE_BITBAKE_PARENT_BUILD") == "1":
876 # Since the Build objects are unique, we may as well set the creation
877 # time to the current time instead of the fallback SDE
878 objset.doc.creationInfo.created = datetime.now(timezone.utc)
879
880 # Each invocation of bitbake should have a unique ID since it is a
881 # unique build
882 nonce = os.urandom(16).hex()
883
884 build = objset.add_root(
885 oe.spdx30.build_Build(
886 _id=objset.new_spdxid(nonce, include_unihash=False),
887 creationInfo=objset.doc.creationInfo,
888 build_buildType=oe.sbom30.SPDX_BUILD_TYPE,
889 )
890 )
891 set_timestamp_now(d, build, "build_buildStartTime")
892
893 if host_import_key:
894 objset.new_scoped_relationship(
895 [build],
896 oe.spdx30.RelationshipType.hasHost,
897 oe.spdx30.LifecycleScopeType.build,
898 [objset.new_import("SPDX_BUILD_HOST")],
899 )
900
901 if invoked_by:
902 objset.add(invoked_by)
903 invoked_by_spdx = objset.new_scoped_relationship(
904 [build],
905 oe.spdx30.RelationshipType.invokedBy,
906 oe.spdx30.LifecycleScopeType.build,
907 [invoked_by],
908 )
909
910 if on_behalf_of:
911 objset.add(on_behalf_of)
912 objset.new_scoped_relationship(
913 [on_behalf_of],
914 oe.spdx30.RelationshipType.delegatedTo,
915 oe.spdx30.LifecycleScopeType.build,
916 invoked_by_spdx,
917 )
918
919 elif on_behalf_of:
920 bb.warn("SPDX_ON_BEHALF_OF has no effect if SPDX_INVOKED_BY is not set")
921
922 else:
923 if host_import_key:
924 bb.warn(
925 "SPDX_BUILD_HOST has no effect if SPDX_INCLUDE_BITBAKE_PARENT_BUILD is not set"
926 )
927
928 if invoked_by:
929 bb.warn(
930 "SPDX_INVOKED_BY has no effect if SPDX_INCLUDE_BITBAKE_PARENT_BUILD is not set"
931 )
932
933 if on_behalf_of:
934 bb.warn(
935 "SPDX_ON_BEHALF_OF has no effect if SPDX_INCLUDE_BITBAKE_PARENT_BUILD is not set"
936 )
937
938 for obj in objset.foreach_type(oe.spdx30.Element):
939 obj.extension.append(oe.sbom30.OELinkExtension(link_spdx_id=False))
940 obj.extension.append(oe.sbom30.OEIdAliasExtension())
941
942 oe.sbom30.write_jsonld_doc(d, objset, deploy_dir_spdx / "bitbake.spdx.json")
943
944
945def collect_build_package_inputs(d, objset, build, packages):
946 providers = oe.spdx_common.collect_package_providers(d)
947
948 build_deps = set()
949
950 for name in sorted(packages.keys()):
951 if name not in providers:
952 bb.fatal("Unable to find SPDX provider for '%s'" % name)
953
954 pkg_name, pkg_hashfn = providers[name]
955
956 # Copy all of the package SPDX files into the Sbom elements
957 pkg_spdx, _ = oe.sbom30.find_root_obj_in_jsonld(
958 d,
959 "packages",
960 pkg_name,
961 oe.spdx30.software_Package,
962 software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.install,
963 )
964 build_deps.add(pkg_spdx._id)
965
966 if build_deps:
967 objset.new_scoped_relationship(
968 [build],
969 oe.spdx30.RelationshipType.hasInputs,
970 oe.spdx30.LifecycleScopeType.build,
971 sorted(list(build_deps)),
972 )
973
974
975def create_rootfs_spdx(d):
976 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
977 deploydir = Path(d.getVar("SPDXROOTFSDEPLOY"))
978 root_packages_file = Path(d.getVar("SPDX_ROOTFS_PACKAGES"))
979 image_basename = d.getVar("IMAGE_BASENAME")
980 machine = d.getVar("MACHINE")
981
982 with root_packages_file.open("r") as f:
983 packages = json.load(f)
984
985 objset = oe.sbom30.ObjectSet.new_objset(d, "%s-%s" % (image_basename, machine))
986
987 rootfs = objset.add_root(
988 oe.spdx30.software_Package(
989 _id=objset.new_spdxid("rootfs", image_basename),
990 creationInfo=objset.doc.creationInfo,
991 name=image_basename,
992 software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.archive,
993 )
994 )
995 set_timestamp_now(d, rootfs, "builtTime")
996
997 rootfs_build = objset.add_root(objset.new_task_build("rootfs", "rootfs"))
998 set_timestamp_now(d, rootfs_build, "build_buildEndTime")
999
1000 objset.new_scoped_relationship(
1001 [rootfs_build],
1002 oe.spdx30.RelationshipType.hasOutputs,
1003 oe.spdx30.LifecycleScopeType.build,
1004 [rootfs],
1005 )
1006
1007 collect_build_package_inputs(d, objset, rootfs_build, packages)
1008
1009 oe.sbom30.write_recipe_jsonld_doc(d, objset, "rootfs", deploydir)
1010
1011
1012def create_image_spdx(d):
1013 image_deploy_dir = Path(d.getVar("IMGDEPLOYDIR"))
1014 manifest_path = Path(d.getVar("IMAGE_OUTPUT_MANIFEST"))
1015 spdx_work_dir = Path(d.getVar("SPDXIMAGEWORK"))
1016
1017 image_basename = d.getVar("IMAGE_BASENAME")
1018 machine = d.getVar("MACHINE")
1019
1020 objset = oe.sbom30.ObjectSet.new_objset(d, "%s-%s" % (image_basename, machine))
1021
1022 with manifest_path.open("r") as f:
1023 manifest = json.load(f)
1024
1025 builds = []
1026 for task in manifest:
1027 imagetype = task["imagetype"]
1028 taskname = task["taskname"]
1029
1030 image_build = objset.add_root(
1031 objset.new_task_build(taskname, "image/%s" % imagetype)
1032 )
1033 set_timestamp_now(d, image_build, "build_buildEndTime")
1034 builds.append(image_build)
1035
1036 artifacts = []
1037
1038 for image in task["images"]:
1039 image_filename = image["filename"]
1040 image_path = image_deploy_dir / image_filename
1041 a = objset.add_root(
1042 oe.spdx30.software_File(
1043 _id=objset.new_spdxid("image", image_filename),
1044 creationInfo=objset.doc.creationInfo,
1045 name=image_filename,
1046 verifiedUsing=[
1047 oe.spdx30.Hash(
1048 algorithm=oe.spdx30.HashAlgorithm.sha256,
1049 hashValue=bb.utils.sha256_file(image_path),
1050 )
1051 ],
1052 )
1053 )
1054 set_purposes(
1055 d, a, "SPDX_IMAGE_PURPOSE:%s" % imagetype, "SPDX_IMAGE_PURPOSE"
1056 )
1057 set_timestamp_now(d, a, "builtTime")
1058
1059 artifacts.append(a)
1060
1061 if artifacts:
1062 objset.new_scoped_relationship(
1063 [image_build],
1064 oe.spdx30.RelationshipType.hasOutputs,
1065 oe.spdx30.LifecycleScopeType.build,
1066 artifacts,
1067 )
1068
1069 if builds:
1070 rootfs_image, _ = oe.sbom30.find_root_obj_in_jsonld(
1071 d,
1072 "rootfs",
1073 "%s-%s" % (image_basename, machine),
1074 oe.spdx30.software_Package,
1075 # TODO: Should use a purpose to filter here?
1076 )
1077 objset.new_scoped_relationship(
1078 builds,
1079 oe.spdx30.RelationshipType.hasInputs,
1080 oe.spdx30.LifecycleScopeType.build,
1081 [rootfs_image._id],
1082 )
1083
1084 objset.add_aliases()
1085 objset.link()
1086 oe.sbom30.write_recipe_jsonld_doc(d, objset, "image", spdx_work_dir)
1087
1088
1089def create_image_sbom_spdx(d):
1090 image_name = d.getVar("IMAGE_NAME")
1091 image_basename = d.getVar("IMAGE_BASENAME")
1092 image_link_name = d.getVar("IMAGE_LINK_NAME")
1093 imgdeploydir = Path(d.getVar("SPDXIMAGEDEPLOYDIR"))
1094 machine = d.getVar("MACHINE")
1095
1096 spdx_path = imgdeploydir / (image_name + ".spdx.json")
1097
1098 root_elements = []
1099
1100 # TODO: Do we need to add the rootfs or are the image files sufficient?
1101 rootfs_image, _ = oe.sbom30.find_root_obj_in_jsonld(
1102 d,
1103 "rootfs",
1104 "%s-%s" % (image_basename, machine),
1105 oe.spdx30.software_Package,
1106 # TODO: Should use a purpose here?
1107 )
1108 root_elements.append(rootfs_image._id)
1109
1110 image_objset, _ = oe.sbom30.find_jsonld(
1111 d, "image", "%s-%s" % (image_basename, machine), required=True
1112 )
1113 for o in image_objset.foreach_root(oe.spdx30.software_File):
1114 root_elements.append(o._id)
1115
1116 objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements)
1117
1118 oe.sbom30.write_jsonld_doc(d, objset, spdx_path)
1119
1120 def make_image_link(target_path, suffix):
1121 if image_link_name:
1122 link = imgdeploydir / (image_link_name + suffix)
1123 if link != target_path:
1124 link.symlink_to(os.path.relpath(target_path, link.parent))
1125
1126 make_image_link(spdx_path, ".spdx.json")
1127
1128
1129def sdk_create_spdx(d, sdk_type, spdx_work_dir, toolchain_outputname):
1130 sdk_name = toolchain_outputname + "-" + sdk_type
1131 sdk_packages = oe.sdk.sdk_list_installed_packages(d, sdk_type == "target")
1132
1133 objset = oe.sbom30.ObjectSet.new_objset(d, sdk_name)
1134
1135 sdk_rootfs = objset.add_root(
1136 oe.spdx30.software_Package(
1137 _id=objset.new_spdxid("sdk-rootfs", sdk_name),
1138 creationInfo=objset.doc.creationInfo,
1139 name=sdk_name,
1140 software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.archive,
1141 )
1142 )
1143 set_timestamp_now(d, sdk_rootfs, "builtTime")
1144
1145 sdk_build = objset.add_root(objset.new_task_build("sdk-rootfs", "sdk-rootfs"))
1146 set_timestamp_now(d, sdk_build, "build_buildEndTime")
1147
1148 objset.new_scoped_relationship(
1149 [sdk_build],
1150 oe.spdx30.RelationshipType.hasOutputs,
1151 oe.spdx30.LifecycleScopeType.build,
1152 [sdk_rootfs],
1153 )
1154
1155 collect_build_package_inputs(d, objset, sdk_build, sdk_packages)
1156
1157 objset.add_aliases()
1158 oe.sbom30.write_jsonld_doc(d, objset, spdx_work_dir / "sdk-rootfs.spdx.json")
1159
1160
1161def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
1162 # Load the document written earlier
1163 rootfs_objset = oe.sbom30.load_jsonld(
1164 d, spdx_work_dir / "sdk-rootfs.spdx.json", required=True
1165 )
1166
1167 # Create a new build for the SDK installer
1168 sdk_build = rootfs_objset.new_task_build("sdk-populate", "sdk-populate")
1169 set_timestamp_now(d, sdk_build, "build_buildEndTime")
1170
1171 rootfs = rootfs_objset.find_root(oe.spdx30.software_Package)
1172 if rootfs is None:
1173 bb.fatal("Unable to find rootfs artifact")
1174
1175 rootfs_objset.new_scoped_relationship(
1176 [sdk_build],
1177 oe.spdx30.RelationshipType.hasInputs,
1178 oe.spdx30.LifecycleScopeType.build,
1179 [rootfs],
1180 )
1181
1182 files = set()
1183 root_files = []
1184
1185 # NOTE: os.walk() doesn't return symlinks
1186 for dirpath, dirnames, filenames in os.walk(sdk_deploydir):
1187 for fn in filenames:
1188 fpath = Path(dirpath) / fn
1189 if not fpath.is_file() or fpath.is_symlink():
1190 continue
1191
1192 relpath = str(fpath.relative_to(sdk_deploydir))
1193
1194 f = rootfs_objset.new_file(
1195 rootfs_objset.new_spdxid("sdk-installer", relpath),
1196 relpath,
1197 fpath,
1198 )
1199 set_timestamp_now(d, f, "builtTime")
1200
1201 if fn.endswith(".manifest"):
1202 f.software_primaryPurpose = oe.spdx30.software_SoftwarePurpose.manifest
1203 elif fn.endswith(".testdata.json"):
1204 f.software_primaryPurpose = (
1205 oe.spdx30.software_SoftwarePurpose.configuration
1206 )
1207 else:
1208 set_purposes(d, f, "SPDX_SDK_PURPOSE")
1209 root_files.append(f)
1210
1211 files.add(f)
1212
1213 if files:
1214 rootfs_objset.new_scoped_relationship(
1215 [sdk_build],
1216 oe.spdx30.RelationshipType.hasOutputs,
1217 oe.spdx30.LifecycleScopeType.build,
1218 files,
1219 )
1220 else:
1221 bb.warn(f"No SDK output files found in {sdk_deploydir}")
1222
1223 objset, sbom = oe.sbom30.create_sbom(
1224 d, toolchain_outputname, sorted(list(files)), [rootfs_objset]
1225 )
1226
1227 oe.sbom30.write_jsonld_doc(
1228 d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json")
1229 )
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-01-16 03:01:33 +0000