scripts/contrib: Add oe-image-files-spdx script

Adds a template for a python project that processes the SPDX 3.0.1
output from a build and lists all the files on the root file system with
their checksums

This is intended to be an example to show how to deal with the SPDX data
to do common tasks.

(From OE-Core rev: 3d9c5588ce6181b519810e3378b55826ffcaee49)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 86 insertions, 0 deletions

diff --git a/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py
new file mode 100644
index 0000000000..8476bf6369
--- /dev/null
+++ b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py
@@ -0,0 +1,86 @@
+# SPDX-License-Identifier: MIT
+
+import argparse
+from pathlib import Path
+
+
+from spdx_python_model import v3_0_1 as spdx_3_0_1
+from .version import VERSION
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Show the packaged files and checksums in an OE image from the SPDX SBoM"
+    )
+    parser.add_argument("file", help="SPDX 3 input file", type=Path)
+    parser.add_argument("--version", "-V", action="version", version=VERSION)
+
+    args = parser.parse_args()
+
+    # Load SPDX data from file into a new object set
+    objset = spdx_3_0_1.SHACLObjectSet()
+    with args.file.open("r") as f:
+        d = spdx_3_0_1.JSONLDDeserializer()
+        d.read(f, objset)
+
+    # Find the top level SPDX Document object
+    for o in objset.foreach_type(spdx_3_0_1.SpdxDocument):
+        doc = o
+        break
+    else:
+        print("ERROR: No SPDX Document found!")
+        return 1
+
+    # Find the root SBoM in the document
+    for o in doc.rootElement:
+        if isinstance(o, spdx_3_0_1.software_Sbom):
+            sbom = o
+            break
+    else:
+        print("ERROR: SBoM not found in document")
+        return 1
+
+    # Find the root file system package in the SBoM
+    for o in sbom.rootElement:
+        if (
+            isinstance(o, spdx_3_0_1.software_Package)
+            and o.software_primaryPurpose == spdx_3_0_1.software_SoftwarePurpose.archive
+        ):
+            root_package = o
+            break
+    else:
+        print("ERROR: Package not found in document")
+        return 1
+
+    # Find all relationships of type "contains" that go FROM the root file
+    # system
+    files = []
+    for rel in objset.foreach_type(spdx_3_0_1.Relationship):
+        if not rel.relationshipType == spdx_3_0_1.RelationshipType.contains:
+            continue
+
+        if not rel.from_ is root_package:
+            continue
+
+        # Iterate over all files in the TO of the relationship
+        for o in rel.to:
+            if not isinstance(o, spdx_3_0_1.software_File):
+                continue
+
+            # Find the SHA 256 hash of the file (if any)
+            for h in o.verifiedUsing:
+                if (
+                    isinstance(h, spdx_3_0_1.Hash)
+                    and h.algorithm == spdx_3_0_1.HashAlgorithm.sha256
+                ):
+                    files.append((o.name, h.hashValue))
+                    break
+            else:
+                files.append((o.name, ""))
+
+    # Print files
+    files.sort(key=lambda x: x[0])
+    for name, hash_val in files:
+        print(f"{name} - {hash_val}")
+
+    return 0