create-spdx: add support for SDKs

Currently, SPDX SBOMs are only created for images. Add support for SDKs. (From OE-Core rev: c3acbb936a339636153903daf127eec9f36de79b) Signed-off-by: Andres Beltran <abeltran@linux.microsoft.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andres Beltran <abeltran@linux.microsoft.com> 2022-01-26 18:16:48 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-02-25 12:41:23 +0000
commit: e43a9d15ea8ea04afe5a49a39cc3dd1f93783acd (patch)
tree: cf444eb22a07ce3444b1afa0b0291340b6e71c8a /meta
parent: 5083a802458b294619ef1e4c31de36e2b239b6f2 (diff)
download: poky-e43a9d15ea8ea04afe5a49a39cc3dd1f93783acd.tar.gz
2 files changed, 64 insertions, 28 deletions
diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index 64aada8593..5375ef3e34 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -589,7 +589,7 @@ python do_create_spdx() {
            oe.sbom.write_doc(d, package_doc, "packages")
 }
 # NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
-addtask do_create_spdx after do_package do_packagedata do_unpack before do_build do_rm_work
+addtask do_create_spdx after do_package do_packagedata do_unpack before do_populate_sdk do_build do_rm_work
 SSTATETASKS += "do_create_spdx"
 do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
@@ -821,28 +821,77 @@ def spdx_get_src(d):
 do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
 ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
+do_populate_sdk[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
+POPULATE_SDK_POST_HOST_COMMAND:append:task-populate-sdk = " sdk_host_combine_spdx; "
+POPULATE_SDK_POST_TARGET_COMMAND:append:task-populate-sdk = " sdk_target_combine_spdx; "
 python image_combine_spdx() {
    import os
+    import oe.sbom
+    from pathlib import Path
+    from oe.rootfs import image_list_installed_packages
+    image_name = d.getVar("IMAGE_NAME")
+    image_link_name = d.getVar("IMAGE_LINK_NAME")
+    imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
+    img_spdxid = oe.sbom.get_image_spdxid(image_name)
+    packages = image_list_installed_packages(d)
+    combine_spdx(d, image_name, imgdeploydir, img_spdxid, packages)
+    if image_link_name:
+        image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
+        image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
+        image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
+    def make_image_link(target_path, suffix):
+        if image_link_name:
+            link = imgdeploydir / (image_link_name + suffix)
+            link.symlink_to(os.path.relpath(target_path, link.parent))
+    spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
+    make_image_link(spdx_tar_path, ".spdx.tar.zst")
+    spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
+    make_image_link(spdx_index_path, ".spdx.index.json")
+}
+python sdk_host_combine_spdx() {
+    sdk_combine_spdx(d, "host")
+}
+python sdk_target_combine_spdx() {
+    sdk_combine_spdx(d, "target")
+}
+def sdk_combine_spdx(d, sdk_type):
+    import oe.sbom
+    from pathlib import Path
+    from oe.sdk import sdk_list_installed_packages
+    sdk_name = d.getVar("SDK_NAME") + "-" + sdk_type
+    sdk_deploydir = Path(d.getVar("SDKDEPLOYDIR"))
+    sdk_spdxid = oe.sbom.get_sdk_spdxid(sdk_name)
+    sdk_packages = sdk_list_installed_packages(d, sdk_type == "target")
+    combine_spdx(d, sdk_name, sdk_deploydir, sdk_spdxid, sdk_packages)
+def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages):
+    import os
    import oe.spdx
    import oe.sbom
    import io
    import json
-    from oe.rootfs import image_list_installed_packages
    from datetime import timezone, datetime
    from pathlib import Path
    import tarfile
    import bb.compress.zstd
    creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
-    image_name = d.getVar("IMAGE_NAME")
-    image_link_name = d.getVar("IMAGE_LINK_NAME")
    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
    source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
    doc = oe.spdx.SPDXDocument()
-    doc.name = image_name
+    doc.name = rootfs_name
    doc.documentNamespace = get_doc_namespace(d, doc)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
@@ -854,13 +903,11 @@ python image_combine_spdx() {
    image = oe.spdx.SPDXPackage()
    image.name = d.getVar("PN")
    image.versionInfo = d.getVar("PV")
-    image.SPDXID = oe.sbom.get_image_spdxid(image_name)
+    image.SPDXID = rootfs_spdxid
    image.packageSupplier = d.getVar("SPDX_SUPPLIER")
    doc.packages.append(image)
-    packages = image_list_installed_packages(d)
    for name in sorted(packages.keys()):
        pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
        pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
@@ -897,22 +944,18 @@ python image_combine_spdx() {
            comment="Runtime dependencies for %s" % name
        )
-    image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
+    image_spdx_path = rootfs_deploydir / (rootfs_name + ".spdx.json")
    with image_spdx_path.open("wb") as f:
        doc.to_json(f, sort_keys=True)
-    if image_link_name:
-        image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
-        image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
    num_threads = int(d.getVar("BB_NUMBER_THREADS"))
    visited_docs = set()
    index = {"documents": []}
-    spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
+    spdx_tar_path = rootfs_deploydir / (rootfs_name + ".spdx.tar.zst")
    with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f:
        with tarfile.open(fileobj=f, mode="w|") as tar:
            def collect_spdx_document(path):
@@ -974,17 +1017,6 @@ python image_combine_spdx() {
            tar.addfile(info, fileobj=index_str)
-    def make_image_link(target_path, suffix):
+    spdx_index_path = rootfs_deploydir / (rootfs_name + ".spdx.index.json")
-        if image_link_name:
-            link = imgdeploydir / (image_link_name + suffix)
-            link.symlink_to(os.path.relpath(target_path, link.parent))
-    make_image_link(spdx_tar_path, ".spdx.tar.zst")
-    spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
    with spdx_index_path.open("w") as f:
        json.dump(index, f, sort_keys=True)
-    make_image_link(spdx_index_path, ".spdx.index.json")
-}
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index 848812c0b7..3372f13a9d 100644
--- a/meta/lib/oe/sbom.py
+++ b/meta/lib/oe/sbom.py
@@ -28,6 +28,10 @@ def get_image_spdxid(img):
    return "SPDXRef-Image-%s" % img
+def get_sdk_spdxid(sdk):
+    return "SPDXRef-SDK-%s" % sdk
 def write_doc(d, spdx_doc, subdir, spdx_deploy=None):
    from pathlib import Path
author	Andres Beltran <abeltran@linux.microsoft.com>	2022-01-26 18:16:48 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-02-25 12:41:23 +0000
commit	e43a9d15ea8ea04afe5a49a39cc3dd1f93783acd (patch)
tree	cf444eb22a07ce3444b1afa0b0291340b6e71c8a /meta
parent	5083a802458b294619ef1e4c31de36e2b239b6f2 (diff)
download	poky-e43a9d15ea8ea04afe5a49a39cc3dd1f93783acd.tar.gz