Diffstat (limited to 'meta/classes/create-spdx-2.2.bbclass')
-rw-r--r-- | meta/classes/create-spdx-2.2.bbclass | 269 |
1 files changed, 19 insertions, 250 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 486efadba9..3ebf92b5e1 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass | |||
@@ -4,65 +4,15 @@ | |||
4 | # SPDX-License-Identifier: GPL-2.0-only | 4 | # SPDX-License-Identifier: GPL-2.0-only |
5 | # | 5 | # |
6 | 6 | ||
7 | DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx" | 7 | inherit spdx-common |
8 | 8 | ||
9 | # The product name that the CVE database uses. Defaults to BPN, but may need to | 9 | SPDX_VERSION = "2.2" |
10 | # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). | 10 | |
11 | CVE_PRODUCT ??= "${BPN}" | 11 | def get_namespace(d, name): |
12 | CVE_VERSION ??= "${PV}" | ||
13 | |||
14 | SPDXDIR ??= "${WORKDIR}/spdx" | ||
15 | SPDXDEPLOY = "${SPDXDIR}/deploy" | ||
16 | SPDXWORK = "${SPDXDIR}/work" | ||
17 | SPDXIMAGEWORK = "${SPDXDIR}/image-work" | ||
18 | SPDXSDKWORK = "${SPDXDIR}/sdk-work" | ||
19 | SPDXDEPS = "${SPDXDIR}/deps.json" | ||
20 | |||
21 | SPDX_TOOL_NAME ??= "oe-spdx-creator" | ||
22 | SPDX_TOOL_VERSION ??= "1.0" | ||
23 | |||
24 | SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy" | ||
25 | |||
26 | SPDX_INCLUDE_SOURCES ??= "0" | ||
27 | SPDX_ARCHIVE_SOURCES ??= "0" | ||
28 | SPDX_ARCHIVE_PACKAGED ??= "0" | ||
29 | |||
30 | SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org" | ||
31 | SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc" | ||
32 | SPDX_PRETTY ??= "0" | ||
33 | |||
34 | SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json" | ||
35 | |||
36 | SPDX_CUSTOM_ANNOTATION_VARS ??= "" | ||
37 | |||
38 | SPDX_ORG ??= "OpenEmbedded ()" | ||
39 | SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}" | ||
40 | SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \ | ||
41 | this recipe. For SPDX documents create using this class during the build, this \ | ||
42 | is the contact information for the person or organization who is doing the \ | ||
43 | build." | ||
44 | |||
45 | def extract_licenses(filename): | ||
46 | import re | ||
47 | |||
48 | lic_regex = re.compile(rb'^\W*SPDX-License-Identifier:\s*([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE) | ||
49 | |||
50 | try: | ||
51 | with open(filename, 'rb') as f: | ||
52 | size = min(15000, os.stat(filename).st_size) | ||
53 | txt = f.read(size) | ||
54 | licenses = re.findall(lic_regex, txt) | ||
55 | if licenses: | ||
56 | ascii_licenses = [lic.decode('ascii') for lic in licenses] | ||
57 | return ascii_licenses | ||
58 | except Exception as e: | ||
59 | bb.warn(f"Exception reading (unknown): {e}") | ||
60 | return None | ||
61 | |||
62 | def get_doc_namespace(d, doc): | ||
63 | import uuid | 12 | import uuid |
64 | namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE")) | 13 | namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE")) |
65 | return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name))) | 14 | return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name))) |
15 | |||
66 | 16 | ||
67 | def create_annotation(d, comment): | 17 | def create_annotation(d, comment): |
68 | from datetime import datetime, timezone | 18 | from datetime import datetime, timezone |
@@ -80,26 +30,6 @@ def recipe_spdx_is_native(d, recipe): | |||
80 | a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and | 30 | a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and |
81 | a.comment == "isNative" for a in recipe.annotations) | 31 | a.comment == "isNative" for a in recipe.annotations) |
82 | 32 | ||
83 | def is_work_shared_spdx(d): | ||
84 | return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR')) | ||
85 | |||
86 | def get_json_indent(d): | ||
87 | if d.getVar("SPDX_PRETTY") == "1": | ||
88 | return 2 | ||
89 | return None | ||
90 | |||
91 | python() { | ||
92 | import json | ||
93 | if d.getVar("SPDX_LICENSE_DATA"): | ||
94 | return | ||
95 | |||
96 | with open(d.getVar("SPDX_LICENSES"), "r") as f: | ||
97 | data = json.load(f) | ||
98 | # Transform the license array to a dictionary | ||
99 | data["licenses"] = {l["licenseId"]: l for l in data["licenses"]} | ||
100 | d.setVar("SPDX_LICENSE_DATA", data) | ||
101 | } | ||
102 | |||
103 | def convert_license_to_spdx(lic, document, d, existing={}): | 33 | def convert_license_to_spdx(lic, document, d, existing={}): |
104 | from pathlib import Path | 34 | from pathlib import Path |
105 | import oe.spdx | 35 | import oe.spdx |
@@ -172,34 +102,6 @@ def convert_license_to_spdx(lic, document, d, existing={}): | |||
172 | 102 | ||
173 | return ' '.join(convert(l) for l in lic_split) | 103 | return ' '.join(convert(l) for l in lic_split) |
174 | 104 | ||
175 | def process_sources(d): | ||
176 | pn = d.getVar('PN') | ||
177 | assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split() | ||
178 | if pn in assume_provided: | ||
179 | for p in d.getVar("PROVIDES").split(): | ||
180 | if p != pn: | ||
181 | pn = p | ||
182 | break | ||
183 | |||
184 | # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted, | ||
185 | # so avoid archiving source here. | ||
186 | if pn.startswith('glibc-locale'): | ||
187 | return False | ||
188 | if d.getVar('PN') == "libtool-cross": | ||
189 | return False | ||
190 | if d.getVar('PN') == "libgcc-initial": | ||
191 | return False | ||
192 | if d.getVar('PN') == "shadow-sysroot": | ||
193 | return False | ||
194 | |||
195 | # We just archive gcc-source for all the gcc related recipes | ||
196 | if d.getVar('BPN') in ['gcc', 'libgcc']: | ||
197 | bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn) | ||
198 | return False | ||
199 | |||
200 | return True | ||
201 | |||
202 | |||
203 | def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]): | 105 | def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]): |
204 | from pathlib import Path | 106 | from pathlib import Path |
205 | import oe.spdx | 107 | import oe.spdx |
@@ -348,16 +250,20 @@ def collect_dep_recipes(d, doc, spdx_recipe): | |||
348 | import oe.spdx | 250 | import oe.spdx |
349 | 251 | ||
350 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) | 252 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) |
351 | spdx_deps_file = Path(d.getVar("SPDXDEPS")) | ||
352 | package_archs = d.getVar("SSTATE_ARCHS").split() | 253 | package_archs = d.getVar("SSTATE_ARCHS").split() |
353 | package_archs.reverse() | 254 | package_archs.reverse() |
354 | 255 | ||
355 | dep_recipes = [] | 256 | dep_recipes = [] |
356 | 257 | ||
357 | with spdx_deps_file.open("r") as f: | 258 | deps = get_spdx_deps(d) |
358 | deps = json.load(f) | 259 | |
260 | for dep_pn, dep_hashfn, in_taskhash in deps: | ||
261 | # If this dependency is not calculated in the taskhash skip it. | ||
262 | # Otherwise, it can result in broken links since this task won't | ||
263 | # rebuild and see the new SPDX ID if the dependency changes | ||
264 | if not in_taskhash: | ||
265 | continue | ||
359 | 266 | ||
360 | for dep_pn, dep_hashfn in deps: | ||
361 | dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep_pn, dep_hashfn) | 267 | dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep_pn, dep_hashfn) |
362 | if not dep_recipe_path: | 268 | if not dep_recipe_path: |
363 | bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep_pn, dep_hashfn)) | 269 | bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep_pn, dep_hashfn)) |
@@ -462,51 +368,6 @@ def add_download_packages(d, doc, recipe): | |||
462 | # but this should be sufficient for now | 368 | # but this should be sufficient for now |
463 | doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe) | 369 | doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe) |
464 | 370 | ||
465 | def collect_direct_deps(d, dep_task): | ||
466 | current_task = "do_" + d.getVar("BB_CURRENTTASK") | ||
467 | pn = d.getVar("PN") | ||
468 | |||
469 | taskdepdata = d.getVar("BB_TASKDEPDATA", False) | ||
470 | |||
471 | for this_dep in taskdepdata.values(): | ||
472 | if this_dep[0] == pn and this_dep[1] == current_task: | ||
473 | break | ||
474 | else: | ||
475 | bb.fatal(f"Unable to find this {pn}:{current_task} in taskdepdata") | ||
476 | |||
477 | deps = set() | ||
478 | for dep_name in this_dep[3]: | ||
479 | dep_data = taskdepdata[dep_name] | ||
480 | if dep_data[1] == dep_task and dep_data[0] != pn: | ||
481 | deps.add((dep_data[0], dep_data[7])) | ||
482 | |||
483 | return sorted(deps) | ||
484 | |||
485 | collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA" | ||
486 | collect_direct_deps[vardeps] += "DEPENDS" | ||
487 | |||
488 | python do_collect_spdx_deps() { | ||
489 | # This task calculates the build time dependencies of the recipe, and is | ||
490 | # required because while a task can deptask on itself, those dependencies | ||
491 | # do not show up in BB_TASKDEPDATA. To work around that, this task does the | ||
492 | # deptask on do_create_spdx and writes out the dependencies it finds, then | ||
493 | # do_create_spdx reads in the found dependencies when writing the actual | ||
494 | # SPDX document | ||
495 | import json | ||
496 | from pathlib import Path | ||
497 | |||
498 | spdx_deps_file = Path(d.getVar("SPDXDEPS")) | ||
499 | |||
500 | deps = collect_direct_deps(d, "do_create_spdx") | ||
501 | |||
502 | with spdx_deps_file.open("w") as f: | ||
503 | json.dump(deps, f) | ||
504 | } | ||
505 | # NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source | ||
506 | addtask do_collect_spdx_deps after do_unpack | ||
507 | do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}" | ||
508 | do_collect_spdx_deps[deptask] = "do_create_spdx" | ||
509 | do_collect_spdx_deps[dirs] = "${SPDXDIR}" | ||
510 | 371 | ||
511 | python do_create_spdx() { | 372 | python do_create_spdx() { |
512 | from datetime import datetime, timezone | 373 | from datetime import datetime, timezone |
@@ -545,7 +406,7 @@ python do_create_spdx() { | |||
545 | doc = oe.spdx.SPDXDocument() | 406 | doc = oe.spdx.SPDXDocument() |
546 | 407 | ||
547 | doc.name = "recipe-" + d.getVar("PN") | 408 | doc.name = "recipe-" + d.getVar("PN") |
548 | doc.documentNamespace = get_doc_namespace(d, doc) | 409 | doc.documentNamespace = get_namespace(d, doc.name) |
549 | doc.creationInfo.created = creation_time | 410 | doc.creationInfo.created = creation_time |
550 | doc.creationInfo.comment = "This document was created by analyzing recipe files during the build." | 411 | doc.creationInfo.comment = "This document was created by analyzing recipe files during the build." |
551 | doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 412 | doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] |
@@ -649,7 +510,7 @@ python do_create_spdx() { | |||
649 | package_doc = oe.spdx.SPDXDocument() | 510 | package_doc = oe.spdx.SPDXDocument() |
650 | pkg_name = d.getVar("PKG:%s" % package) or package | 511 | pkg_name = d.getVar("PKG:%s" % package) or package |
651 | package_doc.name = pkg_name | 512 | package_doc.name = pkg_name |
652 | package_doc.documentNamespace = get_doc_namespace(d, package_doc) | 513 | package_doc.documentNamespace = get_namespace(d, package_doc.name) |
653 | package_doc.creationInfo.created = creation_time | 514 | package_doc.creationInfo.created = creation_time |
654 | package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build." | 515 | package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build." |
655 | package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 516 | package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] |
@@ -710,44 +571,6 @@ do_create_spdx[dirs] = "${SPDXWORK}" | |||
710 | do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}" | 571 | do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}" |
711 | do_create_spdx[depends] += "${PATCHDEPENDENCY}" | 572 | do_create_spdx[depends] += "${PATCHDEPENDENCY}" |
712 | 573 | ||
713 | def collect_package_providers(d): | ||
714 | from pathlib import Path | ||
715 | import oe.sbom | ||
716 | import oe.spdx | ||
717 | import json | ||
718 | |||
719 | deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) | ||
720 | |||
721 | providers = {} | ||
722 | |||
723 | deps = collect_direct_deps(d, "do_create_spdx") | ||
724 | deps.append((d.getVar("PN"), d.getVar("BB_HASHFILENAME"))) | ||
725 | |||
726 | for dep_pn, dep_hashfn in deps: | ||
727 | localdata = d | ||
728 | recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata) | ||
729 | if not recipe_data: | ||
730 | localdata = bb.data.createCopy(d) | ||
731 | localdata.setVar("PKGDATA_DIR", "${PKGDATA_DIR_SDK}") | ||
732 | recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata) | ||
733 | |||
734 | for pkg in recipe_data.get("PACKAGES", "").split(): | ||
735 | |||
736 | pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, localdata) | ||
737 | rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items()) | ||
738 | rprovides.add(pkg) | ||
739 | |||
740 | if "PKG" in pkg_data: | ||
741 | pkg = pkg_data["PKG"] | ||
742 | rprovides.add(pkg) | ||
743 | |||
744 | for r in rprovides: | ||
745 | providers[r] = (pkg, dep_hashfn) | ||
746 | |||
747 | return providers | ||
748 | |||
749 | collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA" | ||
750 | |||
751 | python do_create_runtime_spdx() { | 574 | python do_create_runtime_spdx() { |
752 | from datetime import datetime, timezone | 575 | from datetime import datetime, timezone |
753 | import oe.sbom | 576 | import oe.sbom |
@@ -794,7 +617,7 @@ python do_create_runtime_spdx() { | |||
794 | 617 | ||
795 | runtime_doc = oe.spdx.SPDXDocument() | 618 | runtime_doc = oe.spdx.SPDXDocument() |
796 | runtime_doc.name = "runtime-" + pkg_name | 619 | runtime_doc.name = "runtime-" + pkg_name |
797 | runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc) | 620 | runtime_doc.documentNamespace = get_namespace(localdata, runtime_doc.name) |
798 | runtime_doc.creationInfo.created = creation_time | 621 | runtime_doc.creationInfo.created = creation_time |
799 | runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies." | 622 | runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies." |
800 | runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 623 | runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] |
@@ -885,60 +708,6 @@ do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}" | |||
885 | do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}" | 708 | do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}" |
886 | do_create_runtime_spdx[rdeptask] = "do_create_spdx" | 709 | do_create_runtime_spdx[rdeptask] = "do_create_spdx" |
887 | 710 | ||
888 | def spdx_get_src(d): | ||
889 | """ | ||
890 | save patched source of the recipe in SPDX_WORKDIR. | ||
891 | """ | ||
892 | import shutil | ||
893 | spdx_workdir = d.getVar('SPDXWORK') | ||
894 | spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE') | ||
895 | pn = d.getVar('PN') | ||
896 | |||
897 | workdir = d.getVar("WORKDIR") | ||
898 | |||
899 | try: | ||
900 | # The kernel class functions require it to be on work-shared, so we dont change WORKDIR | ||
901 | if not is_work_shared_spdx(d): | ||
902 | # Change the WORKDIR to make do_unpack do_patch run in another dir. | ||
903 | d.setVar('WORKDIR', spdx_workdir) | ||
904 | # Restore the original path to recipe's native sysroot (it's relative to WORKDIR). | ||
905 | d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native) | ||
906 | |||
907 | # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the | ||
908 | # possibly requiring of the following tasks (such as some recipes's | ||
909 | # do_patch required 'B' existed). | ||
910 | bb.utils.mkdirhier(d.getVar('B')) | ||
911 | |||
912 | bb.build.exec_func('do_unpack', d) | ||
913 | # Copy source of kernel to spdx_workdir | ||
914 | if is_work_shared_spdx(d): | ||
915 | share_src = d.getVar('WORKDIR') | ||
916 | d.setVar('WORKDIR', spdx_workdir) | ||
917 | d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native) | ||
918 | src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR') | ||
919 | bb.utils.mkdirhier(src_dir) | ||
920 | if bb.data.inherits_class('kernel',d): | ||
921 | share_src = d.getVar('STAGING_KERNEL_DIR') | ||
922 | cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/" | ||
923 | cmd_copy_shared_res = os.popen(cmd_copy_share).read() | ||
924 | bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res) | ||
925 | |||
926 | git_path = src_dir + "/.git" | ||
927 | if os.path.exists(git_path): | ||
928 | shutils.rmtree(git_path) | ||
929 | |||
930 | # Make sure gcc and kernel sources are patched only once | ||
931 | if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)): | ||
932 | bb.build.exec_func('do_patch', d) | ||
933 | |||
934 | # Some userland has no source. | ||
935 | if not os.path.exists( spdx_workdir ): | ||
936 | bb.utils.mkdirhier(spdx_workdir) | ||
937 | finally: | ||
938 | d.setVar("WORKDIR", workdir) | ||
939 | |||
940 | spdx_get_src[vardepsexclude] += "STAGING_KERNEL_DIR" | ||
941 | |||
942 | do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx" | 711 | do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx" |
943 | do_rootfs[cleandirs] += "${SPDXIMAGEWORK}" | 712 | do_rootfs[cleandirs] += "${SPDXIMAGEWORK}" |
944 | 713 | ||
@@ -1013,7 +782,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx | |||
1013 | 782 | ||
1014 | doc = oe.spdx.SPDXDocument() | 783 | doc = oe.spdx.SPDXDocument() |
1015 | doc.name = rootfs_name | 784 | doc.name = rootfs_name |
1016 | doc.documentNamespace = get_doc_namespace(d, doc) | 785 | doc.documentNamespace = get_namespace(d, doc.name) |
1017 | doc.creationInfo.created = creation_time | 786 | doc.creationInfo.created = creation_time |
1018 | doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build." | 787 | doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build." |
1019 | doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] | 788 | doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"] |