-rw-r--r--meta/classes/create-spdx.bbclass88
-rw-r--r--meta/lib/oe/sbom.py4
2 files changed, 64 insertions, 28 deletions
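diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
index 64aada8593..5375ef3e34 100644
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -589,7 +589,7 @@ python do_create_spdx() {
     oe.sbom.write_doc(d, package_doc, "packages")
 }
 # NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
-addtask do_create_spdx after do_package do_packagedata do_unpack before do_build do_rm_work
+addtask do_create_spdx after do_package do_packagedata do_unpack before do_populate_sdk do_build do_rm_work
 
 SSTATETASKS += "do_create_spdx"
 do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
@@ -821,28 +821,77 @@ def spdx_get_src(d):
 do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
 
 ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
+
+do_populate_sdk[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
+POPULATE_SDK_POST_HOST_COMMAND:append:task-populate-sdk = " sdk_host_combine_spdx; "
+POPULATE_SDK_POST_TARGET_COMMAND:append:task-populate-sdk = " sdk_target_combine_spdx; "
+
 python image_combine_spdx() {
     import os
+    import oe.sbom
+    from pathlib import Path
+    from oe.rootfs import image_list_installed_packages
+
+    image_name = d.getVar("IMAGE_NAME")
+    image_link_name = d.getVar("IMAGE_LINK_NAME")
+    imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
+    img_spdxid = oe.sbom.get_image_spdxid(image_name)
+    packages = image_list_installed_packages(d)
+
+    combine_spdx(d, image_name, imgdeploydir, img_spdxid, packages)
+
+    if image_link_name:
+        image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
+        image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
+        image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
+
+    def make_image_link(target_path, suffix):
+        if image_link_name:
+            link = imgdeploydir / (image_link_name + suffix)
+            link.symlink_to(os.path.relpath(target_path, link.parent))
+
+    spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
+    make_image_link(spdx_tar_path, ".spdx.tar.zst")
+    spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
+    make_image_link(spdx_index_path, ".spdx.index.json")
+}
+
+python sdk_host_combine_spdx() {
+    sdk_combine_spdx(d, "host")
+}
+
+python sdk_target_combine_spdx() {
+    sdk_combine_spdx(d, "target")
+}
+
+def sdk_combine_spdx(d, sdk_type):
+    import oe.sbom
+    from pathlib import Path
+    from oe.sdk import sdk_list_installed_packages
+
+    sdk_name = d.getVar("SDK_NAME") + "-" + sdk_type
+    sdk_deploydir = Path(d.getVar("SDKDEPLOYDIR"))
+    sdk_spdxid = oe.sbom.get_sdk_spdxid(sdk_name)
+    sdk_packages = sdk_list_installed_packages(d, sdk_type == "target")
+    combine_spdx(d, sdk_name, sdk_deploydir, sdk_spdxid, sdk_packages)
+
+def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages):
+    import os
     import oe.spdx
     import oe.sbom
     import io
     import json
-    from oe.rootfs import image_list_installed_packages
     from datetime import timezone, datetime
     from pathlib import Path
     import tarfile
     import bb.compress.zstd
 
     creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
-    image_name = d.getVar("IMAGE_NAME")
-    image_link_name = d.getVar("IMAGE_LINK_NAME")
-
     deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
     source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
 
     doc = oe.spdx.SPDXDocument()
-    doc.name = image_name
+    doc.name = rootfs_name
     doc.documentNamespace = get_doc_namespace(d, doc)
     doc.creationInfo.created = creation_time
     doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
@@ -854,13 +903,11 @@ python image_combine_spdx() {
     image = oe.spdx.SPDXPackage()
     image.name = d.getVar("PN")
     image.versionInfo = d.getVar("PV")
-    image.SPDXID = oe.sbom.get_image_spdxid(image_name)
+    image.SPDXID = rootfs_spdxid
     image.packageSupplier = d.getVar("SPDX_SUPPLIER")
 
     doc.packages.append(image)
 
-    packages = image_list_installed_packages(d)
-
     for name in sorted(packages.keys()):
         pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
         pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
@@ -897,22 +944,18 @@ python image_combine_spdx() {
             comment="Runtime dependencies for %s" % name
         )
 
-    image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
+    image_spdx_path = rootfs_deploydir / (rootfs_name + ".spdx.json")
 
     with image_spdx_path.open("wb") as f:
         doc.to_json(f, sort_keys=True)
 
-    if image_link_name:
-        image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
-        image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
-
     num_threads = int(d.getVar("BB_NUMBER_THREADS"))
 
     visited_docs = set()
 
     index = {"documents": []}
 
-    spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
+    spdx_tar_path = rootfs_deploydir / (rootfs_name + ".spdx.tar.zst")
     with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f:
         with tarfile.open(fileobj=f, mode="w|") as tar:
             def collect_spdx_document(path):
@@ -974,17 +1017,6 @@ python image_combine_spdx() {
 
             tar.addfile(info, fileobj=index_str)
 
-    def make_image_link(target_path, suffix):
-        if image_link_name:
-            link = imgdeploydir / (image_link_name + suffix)
-            link.symlink_to(os.path.relpath(target_path, link.parent))
-
-    make_image_link(spdx_tar_path, ".spdx.tar.zst")
-
-    spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")
+    spdx_index_path = rootfs_deploydir / (rootfs_name + ".spdx.index.json")
     with spdx_index_path.open("w") as f:
         json.dump(index, f, sort_keys=True)
-
-    make_image_link(spdx_index_path, ".spdx.index.json")
-}
-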
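Review bot: In `image_combine_spdx` the `.spdx.json` symlink is created by three hand-written lines immediately before `make_image_link` is defined to do exactly the same thing for the other two artifacts; defining the helper first and calling `make_image_link(image_spdx_path, ".spdx.json")` removes the duplication and keeps the `image_link_name` check in one place. Each `Path.symlink_to` still raises `FileExistsError` when a link from an earlier run is present in IMGDEPLOYDIR (the removed code behaved the same way), so if re-runs into an already populated deploy directory are possible, a `link.unlink(missing_ok=True)` before linking belongs in the helper. `combine_spdx` is now shared by images and both SDK halves but carries no docstring; I would add one stating that `rootfs_name` becomes the document name and the output file stem under `rootfs_deploydir`, `rootfs_spdxid` is the SPDXID of the top-level package, and `packages` must be a mapping keyed by package name, since it is iterated via `packages.keys()`. The body of `combine_spdx` continues past the end of this hunk.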
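diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index 848812c0b7..3372f13a9d 100644
--- a/meta/lib/oe/sbom.py
+++ b/meta/lib/oe/sbom.py
@@ -28,6 +28,10 @@ def get_image_spdxid(img):
     return "SPDXRef-Image-%s" % img
 
 
+def get_sdk_spdxid(sdk):
+    return "SPDXRef-SDK-%s" % sdk
+
+
 def write_doc(d, spdx_doc, subdir, spdx_deploy=None):
     from pathlib import Path
 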
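Review bot: `get_sdk_spdxid` interpolates its argument into the SPDXID unchanged, so the result is only a well-formed SPDX identifier (the SPDX 2.x spec restricts the part after `SPDXRef-` to letters, digits, `.` and `-`) if the caller's name contains nothing else; the caller in create-spdx.bbclass builds it as `SDK_NAME + "-" + sdk_type`, and if SDK_NAME can carry underscores or other characters the ID will not validate. The sibling `get_image_spdxid` has the same property, so any sanitizing step should be shared rather than added to one of them. I would at least document the contract with a one-line docstring, e.g. `"""Return the SPDXID of the SDK document named *sdk*; the caller must pass an SPDX-safe name."""`.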