scripts/contrib: Add oe-image-files-spdx script

Adds a template for a python project that processes the SPDX 3.0.1 output from a build and lists all the files on the root file system with their checksums This is intended to be an example to show how to deal with the SPDX data to do common tasks. (From OE-Core rev: 3d9c5588ce6181b519810e3378b55826ffcaee49) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joshua Watt <jpewhacker@gmail.com> 2025-02-11 08:03:25 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-02-18 11:56:03 +0000
commit: 36be59464ca56c209a4a67bd99f9a5cb6f29558d (patch)
tree: 1a1a6fb731b1b5330e0d97737c9e9198fbd00cbc /scripts
parent: 837d41f078907dab61096940e127ec231e2a1237 (diff)
download: poky-36be59464ca56c209a4a67bd99f9a5cb6f29558d.tar.gz
6 files changed, 143 insertions, 0 deletions
diff --git a/scripts/contrib/oe-image-files-spdx/.gitignore b/scripts/contrib/oe-image-files-spdx/.gitignore
new file mode 100644
index 0000000000..285851c984
--- /dev/null
+++ b/scripts/contrib/oe-image-files-spdx/.gitignore
@@ -0,0 +1,8 @@
+*.spdx.json
+*.pyc
+*.bak
+*.swp
+*.swo
+*.swn
+venv/*
+.venv/*
diff --git a/scripts/contrib/oe-image-files-spdx/README.md b/scripts/contrib/oe-image-files-spdx/README.md
new file mode 100644
index 0000000000..44f76eacd8
--- /dev/null
+++ b/scripts/contrib/oe-image-files-spdx/README.md
@@ -0,0 +1,24 @@
+# OE Image Files from SBoM
+This is an example python script that will list the packaged files with their
+checksums based on the SPDX 3.0.1 SBoM.
+It can be used as a template for other programs to investigate output based on
+OE SPDX SBoMs
+## Installation
+This project can be installed using an virtual environment:
+```
+python3 -m venv .venv
+.venv/bin/activate
+python3 -m pip install -e '.[dev]'
+```
+## Usage
+After installing, the `oe-image-files` program can be used to show the files, e.g.:
+```
+oe-image-files core-image-minimal-qemux86-64.rootfs.spdx.json
+```
diff --git a/scripts/contrib/oe-image-files-spdx/pyproject.toml b/scripts/contrib/oe-image-files-spdx/pyproject.toml
new file mode 100644
index 0000000000..3fab5dd605
--- /dev/null
+++ b/scripts/contrib/oe-image-files-spdx/pyproject.toml
@@ -0,0 +1,23 @@
+[project]
+name = "oe-image-files"
+description = "Displays all packaged files on the root file system"
+dynamic = ["version"]
+requires-python = ">= 3.8"
+readme = "README.md"
+dependencies = [
+    "spdx_python_model @ git+https://github.com/spdx/spdx-python-model.git@aa40861f11d1b5d20edba7101835341a70d91179",
+]
+[project.scripts]
+oe-image-files = "oe_image_files:main"
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+[tool.hatch.version]
+path = "src/oe_image_files/version.py"
+[tool.hatch.metadata]
+allow-direct-references = true
diff --git a/scripts/contrib/oe-image-files-spdx/src/oe_image_files/__init__.py b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/__init__.py
new file mode 100644
index 0000000000..c28a133f2d
--- /dev/null
+++ b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/__init__.py
@@ -0,0 +1 @@
+from .main import main
diff --git a/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py
new file mode 100644
index 0000000000..8476bf6369
--- /dev/null
+++ b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py
@@ -0,0 +1,86 @@
+# SPDX-License-Identifier: MIT
+import argparse
+from pathlib import Path
+from spdx_python_model import v3_0_1 as spdx_3_0_1
+from .version import VERSION
+def main():
+    parser = argparse.ArgumentParser(
+        description="Show the packaged files and checksums in an OE image from the SPDX SBoM"
+    )
+    parser.add_argument("file", help="SPDX 3 input file", type=Path)
+    parser.add_argument("--version", "-V", action="version", version=VERSION)
+    args = parser.parse_args()
+    # Load SPDX data from file into a new object set
+    objset = spdx_3_0_1.SHACLObjectSet()
+    with args.file.open("r") as f:
+        d = spdx_3_0_1.JSONLDDeserializer()
+        d.read(f, objset)
+    # Find the top level SPDX Document object
+    for o in objset.foreach_type(spdx_3_0_1.SpdxDocument):
+        doc = o
+        break
+    else:
+        print("ERROR: No SPDX Document found!")
+        return 1
+    # Find the root SBoM in the document
+    for o in doc.rootElement:
+        if isinstance(o, spdx_3_0_1.software_Sbom):
+            sbom = o
+            break
+    else:
+        print("ERROR: SBoM not found in document")
+        return 1
+    # Find the root file system package in the SBoM
+    for o in sbom.rootElement:
+        if (
+            isinstance(o, spdx_3_0_1.software_Package)
+            and o.software_primaryPurpose == spdx_3_0_1.software_SoftwarePurpose.archive
+        ):
+            root_package = o
+            break
+    else:
+        print("ERROR: Package not found in document")
+        return 1
+    # Find all relationships of type "contains" that go FROM the root file
+    # system
+    files = []
+    for rel in objset.foreach_type(spdx_3_0_1.Relationship):
+        if not rel.relationshipType == spdx_3_0_1.RelationshipType.contains:
+            continue
+        if not rel.from_ is root_package:
+            continue
+        # Iterate over all files in the TO of the relationship
+        for o in rel.to:
+            if not isinstance(o, spdx_3_0_1.software_File):
+                continue
+            # Find the SHA 256 hash of the file (if any)
+            for h in o.verifiedUsing:
+                if (
+                    isinstance(h, spdx_3_0_1.Hash)
+                    and h.algorithm == spdx_3_0_1.HashAlgorithm.sha256
+                ):
+                    files.append((o.name, h.hashValue))
+                    break
+            else:
+                files.append((o.name, ""))
+    # Print files
+    files.sort(key=lambda x: x[0])
+    for name, hash_val in files:
+        print(f"{name} - {hash_val}")
+    return 0
diff --git a/scripts/contrib/oe-image-files-spdx/src/oe_image_files/version.py b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/version.py
new file mode 100644
index 0000000000..901e5110b2
--- /dev/null
+++ b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/version.py
@@ -0,0 +1 @@
+VERSION = "0.0.1"
author	Joshua Watt <jpewhacker@gmail.com>	2025-02-11 08:03:25 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-02-18 11:56:03 +0000
commit	36be59464ca56c209a4a67bd99f9a5cb6f29558d (patch)
tree	1a1a6fb731b1b5330e0d97737c9e9198fbd00cbc /scripts
parent	837d41f078907dab61096940e127ec231e2a1237 (diff)
download	poky-36be59464ca56c209a4a67bd99f9a5cb6f29558d.tar.gz

diff --git a/scripts/contrib/oe-image-files-spdx/.gitignore b/scripts/contrib/oe-image-files-spdx/.gitignore new file mode 100644 index 0000000000..285851c984 --- /dev/null +++ b/scripts/contrib/oe-image-files-spdx/.gitignore
@@ -0,0 +1,8 @@
	1	*.spdx.json
	2	*.pyc
	3	*.bak
	4	*.swp
	5	*.swo
	6	*.swn
	7	venv/*
	8	.venv/*


diff --git a/scripts/contrib/oe-image-files-spdx/README.md b/scripts/contrib/oe-image-files-spdx/README.md new file mode 100644 index 0000000000..44f76eacd8 --- /dev/null +++ b/scripts/contrib/oe-image-files-spdx/README.md
@@ -0,0 +1,24 @@
	1	# OE Image Files from SBoM
	2
	3	This is an example python script that will list the packaged files with their
	4	checksums based on the SPDX 3.0.1 SBoM.
	5
	6	It can be used as a template for other programs to investigate output based on
	7	OE SPDX SBoMs
	8
	9	## Installation
	10
	11	This project can be installed using an virtual environment:
	12	```
	13	python3 -m venv .venv
	14	.venv/bin/activate
	15	python3 -m pip install -e '.[dev]'
	16	```
	17
	18	## Usage
	19
	20	After installing, the `oe-image-files` program can be used to show the files, e.g.:
	21
	22	```
	23	oe-image-files core-image-minimal-qemux86-64.rootfs.spdx.json
	24	```


diff --git a/scripts/contrib/oe-image-files-spdx/pyproject.toml b/scripts/contrib/oe-image-files-spdx/pyproject.toml new file mode 100644 index 0000000000..3fab5dd605 --- /dev/null +++ b/scripts/contrib/oe-image-files-spdx/pyproject.toml
@@ -0,0 +1,23 @@
	1	[project]
	2	name = "oe-image-files"
	3	description = "Displays all packaged files on the root file system"
	4	dynamic = ["version"]
	5	requires-python = ">= 3.8"
	6	readme = "README.md"
	7
	8	dependencies = [
	9	"spdx_python_model @ git+https://github.com/spdx/spdx-python-model.git@aa40861f11d1b5d20edba7101835341a70d91179",
	10	]
	11
	12	[project.scripts]
	13	oe-image-files = "oe_image_files:main"
	14
	15	[build-system]
	16	requires = ["hatchling"]
	17	build-backend = "hatchling.build"
	18
	19	[tool.hatch.version]
	20	path = "src/oe_image_files/version.py"
	21
	22	[tool.hatch.metadata]
	23	allow-direct-references = true


diff --git a/scripts/contrib/oe-image-files-spdx/src/oe_image_files/__init__.py b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/__init__.py new file mode 100644 index 0000000000..c28a133f2d --- /dev/null +++ b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/__init__.py
@@ -0,0 +1 @@
		from .main import main


diff --git a/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py new file mode 100644 index 0000000000..8476bf6369 --- /dev/null +++ b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/main.py
@@ -0,0 +1,86 @@
	1	# SPDX-License-Identifier: MIT
	2
	3	import argparse
	4	from pathlib import Path
	5
	6
	7	from spdx_python_model import v3_0_1 as spdx_3_0_1
	8	from .version import VERSION
	9
	10
	11	def main():
	12	parser = argparse.ArgumentParser(
	13	description="Show the packaged files and checksums in an OE image from the SPDX SBoM"
	14	)
	15	parser.add_argument("file", help="SPDX 3 input file", type=Path)
	16	parser.add_argument("--version", "-V", action="version", version=VERSION)
	17
	18	args = parser.parse_args()
	19
	20	# Load SPDX data from file into a new object set
	21	objset = spdx_3_0_1.SHACLObjectSet()
	22	with args.file.open("r") as f:
	23	d = spdx_3_0_1.JSONLDDeserializer()
	24	d.read(f, objset)
	25
	26	# Find the top level SPDX Document object
	27	for o in objset.foreach_type(spdx_3_0_1.SpdxDocument):
	28	doc = o
	29	break
	30	else:
	31	print("ERROR: No SPDX Document found!")
	32	return 1
	33
	34	# Find the root SBoM in the document
	35	for o in doc.rootElement:
	36	if isinstance(o, spdx_3_0_1.software_Sbom):
	37	sbom = o
	38	break
	39	else:
	40	print("ERROR: SBoM not found in document")
	41	return 1
	42
	43	# Find the root file system package in the SBoM
	44	for o in sbom.rootElement:
	45	if (
	46	isinstance(o, spdx_3_0_1.software_Package)
	47	and o.software_primaryPurpose == spdx_3_0_1.software_SoftwarePurpose.archive
	48	):
	49	root_package = o
	50	break
	51	else:
	52	print("ERROR: Package not found in document")
	53	return 1
	54
	55	# Find all relationships of type "contains" that go FROM the root file
	56	# system
	57	files = []
	58	for rel in objset.foreach_type(spdx_3_0_1.Relationship):
	59	if not rel.relationshipType == spdx_3_0_1.RelationshipType.contains:
	60	continue
	61
	62	if not rel.from_ is root_package:
	63	continue
	64
	65	# Iterate over all files in the TO of the relationship
	66	for o in rel.to:
	67	if not isinstance(o, spdx_3_0_1.software_File):
	68	continue
	69
	70	# Find the SHA 256 hash of the file (if any)
	71	for h in o.verifiedUsing:
	72	if (
	73	isinstance(h, spdx_3_0_1.Hash)
	74	and h.algorithm == spdx_3_0_1.HashAlgorithm.sha256
	75	):
	76	files.append((o.name, h.hashValue))
	77	break
	78	else:
	79	files.append((o.name, ""))
	80
	81	# Print files
	82	files.sort(key=lambda x: x[0])
	83	for name, hash_val in files:
	84	print(f"{name} - {hash_val}")
	85
	86	return 0


diff --git a/scripts/contrib/oe-image-files-spdx/src/oe_image_files/version.py b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/version.py new file mode 100644 index 0000000000..901e5110b2 --- /dev/null +++ b/scripts/contrib/oe-image-files-spdx/src/oe_image_files/version.py
@@ -0,0 +1 @@
		VERSION = "0.0.1"