1 files changed, 19 insertions, 250 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 486efadba9..3ebf92b5e1 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -4,65 +4,15 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
-DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx"
+inherit spdx-common
-# The product name that the CVE database uses.  Defaults to BPN, but may need to
+SPDX_VERSION = "2.2"
-# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
-CVE_PRODUCT ??= "${BPN}"
+def get_namespace(d, name):
-CVE_VERSION ??= "${PV}"
-SPDXDIR ??= "${WORKDIR}/spdx"
-SPDXDEPLOY = "${SPDXDIR}/deploy"
-SPDXWORK = "${SPDXDIR}/work"
-SPDXIMAGEWORK = "${SPDXDIR}/image-work"
-SPDXSDKWORK = "${SPDXDIR}/sdk-work"
-SPDXDEPS = "${SPDXDIR}/deps.json"
-SPDX_TOOL_NAME ??= "oe-spdx-creator"
-SPDX_TOOL_VERSION ??= "1.0"
-SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
-SPDX_INCLUDE_SOURCES ??= "0"
-SPDX_ARCHIVE_SOURCES ??= "0"
-SPDX_ARCHIVE_PACKAGED ??= "0"
-SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
-SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
-SPDX_PRETTY ??= "0"
-SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
-SPDX_CUSTOM_ANNOTATION_VARS ??= ""
-SPDX_ORG ??= "OpenEmbedded ()"
-SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
-SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
-    this recipe. For SPDX documents create using this class during the build, this \
-    is the contact information for the person or organization who is doing the \
-    build."
-def extract_licenses(filename):
-    import re
-    lic_regex = re.compile(rb'^\W*SPDX-License-Identifier:\s*([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
-    try:
-        with open(filename, 'rb') as f:
-            size = min(15000, os.stat(filename).st_size)
-            txt = f.read(size)
-            licenses = re.findall(lic_regex, txt)
-            if licenses:
-                ascii_licenses = [lic.decode('ascii') for lic in licenses]
-                return ascii_licenses
-    except Exception as e:
-        bb.warn(f"Exception reading {filename}: {e}")
-    return None
-def get_doc_namespace(d, doc):
    import uuid
    namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
-    return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))
+    return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name)))
 def create_annotation(d, comment):
    from datetime import datetime, timezone
@@ -80,26 +30,6 @@ def recipe_spdx_is_native(d, recipe):
      a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and
      a.comment == "isNative" for a in recipe.annotations)
-def is_work_shared_spdx(d):
-    return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR'))
-def get_json_indent(d):
-    if d.getVar("SPDX_PRETTY") == "1":
-        return 2
-    return None
-python() {
-    import json
-    if d.getVar("SPDX_LICENSE_DATA"):
-        return
-    with open(d.getVar("SPDX_LICENSES"), "r") as f:
-        data = json.load(f)
-        # Transform the license array to a dictionary
-        data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
-        d.setVar("SPDX_LICENSE_DATA", data)
-}
 def convert_license_to_spdx(lic, document, d, existing={}):
    from pathlib import Path
    import oe.spdx
@@ -172,34 +102,6 @@ def convert_license_to_spdx(lic, document, d, existing={}):
    return ' '.join(convert(l) for l in lic_split)
-def process_sources(d):
-    pn = d.getVar('PN')
-    assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
-    if pn in assume_provided:
-        for p in d.getVar("PROVIDES").split():
-            if p != pn:
-                pn = p
-                break
-    # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
-    # so avoid archiving source here.
-    if pn.startswith('glibc-locale'):
-        return False
-    if d.getVar('PN') == "libtool-cross":
-        return False
-    if d.getVar('PN') == "libgcc-initial":
-        return False
-    if d.getVar('PN') == "shadow-sysroot":
-        return False
-    # We just archive gcc-source for all the gcc related recipes
-    if d.getVar('BPN') in ['gcc', 'libgcc']:
-        bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
-        return False
-    return True
 def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
    from pathlib import Path
    import oe.spdx
@@ -348,16 +250,20 @@ def collect_dep_recipes(d, doc, spdx_recipe):
    import oe.spdx
    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
    package_archs = d.getVar("SSTATE_ARCHS").split()
    package_archs.reverse()
    dep_recipes = []
-    with spdx_deps_file.open("r") as f:
+    deps = get_spdx_deps(d)
-        deps = json.load(f)
+    for dep_pn, dep_hashfn, in_taskhash in deps:
+        # If this dependency is not calculated in the taskhash skip it.
+        # Otherwise, it can result in broken links since this task won't
+        # rebuild and see the new SPDX ID if the dependency changes
+        if not in_taskhash:
+            continue
-    for dep_pn, dep_hashfn in deps:
        dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep_pn, dep_hashfn)
        if not dep_recipe_path:
            bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep_pn, dep_hashfn))
@@ -462,51 +368,6 @@ def add_download_packages(d, doc, recipe):
            # but this should be sufficient for now
            doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
-def collect_direct_deps(d, dep_task):
-    current_task = "do_" + d.getVar("BB_CURRENTTASK")
-    pn = d.getVar("PN")
-    taskdepdata = d.getVar("BB_TASKDEPDATA", False)
-    for this_dep in taskdepdata.values():
-        if this_dep[0] == pn and this_dep[1] == current_task:
-            break
-    else:
-        bb.fatal(f"Unable to find this {pn}:{current_task} in taskdepdata")
-    deps = set()
-    for dep_name in this_dep[3]:
-        dep_data = taskdepdata[dep_name]
-        if dep_data[1] == dep_task and dep_data[0] != pn:
-            deps.add((dep_data[0], dep_data[7]))
-    return sorted(deps)
-collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
-collect_direct_deps[vardeps] += "DEPENDS"
-python do_collect_spdx_deps() {
-    # This task calculates the build time dependencies of the recipe, and is
-    # required because while a task can deptask on itself, those dependencies
-    # do not show up in BB_TASKDEPDATA. To work around that, this task does the
-    # deptask on do_create_spdx and writes out the dependencies it finds, then
-    # do_create_spdx reads in the found dependencies when writing the actual
-    # SPDX document
-    import json
-    from pathlib import Path
-    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
-    deps = collect_direct_deps(d, "do_create_spdx")
-    with spdx_deps_file.open("w") as f:
-        json.dump(deps, f)
-}
-# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
-addtask do_collect_spdx_deps after do_unpack
-do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
-do_collect_spdx_deps[deptask] = "do_create_spdx"
-do_collect_spdx_deps[dirs] = "${SPDXDIR}"
 python do_create_spdx() {
    from datetime import datetime, timezone
@@ -545,7 +406,7 @@ python do_create_spdx() {
    doc = oe.spdx.SPDXDocument()
    doc.name = "recipe-" + d.getVar("PN")
-    doc.documentNamespace = get_doc_namespace(d, doc)
+    doc.documentNamespace = get_namespace(d, doc.name)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -649,7 +510,7 @@ python do_create_spdx() {
            package_doc = oe.spdx.SPDXDocument()
            pkg_name = d.getVar("PKG:%s" % package) or package
            package_doc.name = pkg_name
-            package_doc.documentNamespace = get_doc_namespace(d, package_doc)
+            package_doc.documentNamespace = get_namespace(d, package_doc.name)
            package_doc.creationInfo.created = creation_time
            package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
            package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -710,44 +571,6 @@ do_create_spdx[dirs] = "${SPDXWORK}"
 do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
 do_create_spdx[depends] += "${PATCHDEPENDENCY}"
-def collect_package_providers(d):
-    from pathlib import Path
-    import oe.sbom
-    import oe.spdx
-    import json
-    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    providers = {}
-    deps = collect_direct_deps(d, "do_create_spdx")
-    deps.append((d.getVar("PN"), d.getVar("BB_HASHFILENAME")))
-    for dep_pn, dep_hashfn in deps:
-        localdata = d
-        recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
-        if not recipe_data:
-            localdata = bb.data.createCopy(d)
-            localdata.setVar("PKGDATA_DIR", "${PKGDATA_DIR_SDK}")
-            recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
-        for pkg in recipe_data.get("PACKAGES", "").split():
-            pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, localdata)
-            rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
-            rprovides.add(pkg)
-            if "PKG" in pkg_data:
-                pkg = pkg_data["PKG"]
-                rprovides.add(pkg)
-            for r in rprovides:
-                providers[r] = (pkg, dep_hashfn)
-    return providers
-collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
 python do_create_runtime_spdx() {
    from datetime import datetime, timezone
    import oe.sbom
@@ -794,7 +617,7 @@ python do_create_runtime_spdx() {
            runtime_doc = oe.spdx.SPDXDocument()
            runtime_doc.name = "runtime-" + pkg_name
-            runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)
+            runtime_doc.documentNamespace = get_namespace(localdata, runtime_doc.name)
            runtime_doc.creationInfo.created = creation_time
            runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
            runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -885,60 +708,6 @@ do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
 do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
 do_create_runtime_spdx[rdeptask] = "do_create_spdx"
-def spdx_get_src(d):
-    """
-    save patched source of the recipe in SPDX_WORKDIR.
-    """
-    import shutil
-    spdx_workdir = d.getVar('SPDXWORK')
-    spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
-    pn = d.getVar('PN')
-    workdir = d.getVar("WORKDIR")
-    try:
-        # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
-        if not is_work_shared_spdx(d):
-            # Change the WORKDIR to make do_unpack do_patch run in another dir.
-            d.setVar('WORKDIR', spdx_workdir)
-            # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
-            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
-            # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
-            # possibly requiring of the following tasks (such as some recipes's
-            # do_patch required 'B' existed).
-            bb.utils.mkdirhier(d.getVar('B'))
-            bb.build.exec_func('do_unpack', d)
-        # Copy source of kernel to spdx_workdir
-        if is_work_shared_spdx(d):
-            share_src = d.getVar('WORKDIR')
-            d.setVar('WORKDIR', spdx_workdir)
-            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
-            src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
-            bb.utils.mkdirhier(src_dir)
-            if bb.data.inherits_class('kernel',d):
-                share_src = d.getVar('STAGING_KERNEL_DIR')
-            cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
-            cmd_copy_shared_res = os.popen(cmd_copy_share).read()
-            bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res)
-            git_path = src_dir + "/.git"
-            if os.path.exists(git_path):
-                shutils.rmtree(git_path)
-        # Make sure gcc and kernel sources are patched only once
-        if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)):
-            bb.build.exec_func('do_patch', d)
-        # Some userland has no source.
-        if not os.path.exists( spdx_workdir ):
-            bb.utils.mkdirhier(spdx_workdir)
-    finally:
-        d.setVar("WORKDIR", workdir)
-spdx_get_src[vardepsexclude] += "STAGING_KERNEL_DIR"
 do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
 do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"
@@ -1013,7 +782,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
    doc = oe.spdx.SPDXDocument()
    doc.name = rootfs_name
-    doc.documentNamespace = get_doc_namespace(d, doc)
+    doc.documentNamespace = get_namespace(d, doc.name)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 486efadba9..3ebf92b5e1 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass
@@ -4,65 +4,15 @@
4	# SPDX-License-Identifier: GPL-2.0-only	4	# SPDX-License-Identifier: GPL-2.0-only
5	#	5	#
6		6
7	DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx"	7	inherit spdx-common
8		8
9	# The product name that the CVE database uses. Defaults to BPN, but may need to	9	SPDX_VERSION = "2.2"
10	# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).	10
11	CVE_PRODUCT ??= "${BPN}"	11	def get_namespace(d, name):
12	CVE_VERSION ??= "${PV}"
13
14	SPDXDIR ??= "${WORKDIR}/spdx"
15	SPDXDEPLOY = "${SPDXDIR}/deploy"
16	SPDXWORK = "${SPDXDIR}/work"
17	SPDXIMAGEWORK = "${SPDXDIR}/image-work"
18	SPDXSDKWORK = "${SPDXDIR}/sdk-work"
19	SPDXDEPS = "${SPDXDIR}/deps.json"
20
21	SPDX_TOOL_NAME ??= "oe-spdx-creator"
22	SPDX_TOOL_VERSION ??= "1.0"
23
24	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
25
26	SPDX_INCLUDE_SOURCES ??= "0"
27	SPDX_ARCHIVE_SOURCES ??= "0"
28	SPDX_ARCHIVE_PACKAGED ??= "0"
29
30	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
31	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
32	SPDX_PRETTY ??= "0"
33
34	SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
35
36	SPDX_CUSTOM_ANNOTATION_VARS ??= ""
37
38	SPDX_ORG ??= "OpenEmbedded ()"
39	SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
40	SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
41	this recipe. For SPDX documents create using this class during the build, this \
42	is the contact information for the person or organization who is doing the \
43	build."
44
45	def extract_licenses(filename):
46	import re
47
48	lic_regex = re.compile(rb'^\WSPDX-License-Identifier:\s([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
49
50	try:
51	with open(filename, 'rb') as f:
52	size = min(15000, os.stat(filename).st_size)
53	txt = f.read(size)
54	licenses = re.findall(lic_regex, txt)
55	if licenses:
56	ascii_licenses = [lic.decode('ascii') for lic in licenses]
57	return ascii_licenses
58	except Exception as e:
59	bb.warn(f"Exception reading {filename}: {e}")
60	return None
61
62	def get_doc_namespace(d, doc):
63	import uuid	12	import uuid
64	namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))	13	namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
65	return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))	14	return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name)))
		15
66		16
67	def create_annotation(d, comment):	17	def create_annotation(d, comment):
68	from datetime import datetime, timezone	18	from datetime import datetime, timezone
@@ -80,26 +30,6 @@ def recipe_spdx_is_native(d, recipe):
80	a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and	30	a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and
81	a.comment == "isNative" for a in recipe.annotations)	31	a.comment == "isNative" for a in recipe.annotations)
82		32
83	def is_work_shared_spdx(d):
84	return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR'))
85
86	def get_json_indent(d):
87	if d.getVar("SPDX_PRETTY") == "1":
88	return 2
89	return None
90
91	python() {
92	import json
93	if d.getVar("SPDX_LICENSE_DATA"):
94	return
95
96	with open(d.getVar("SPDX_LICENSES"), "r") as f:
97	data = json.load(f)
98	# Transform the license array to a dictionary
99	data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
100	d.setVar("SPDX_LICENSE_DATA", data)
101	}
102
103	def convert_license_to_spdx(lic, document, d, existing={}):	33	def convert_license_to_spdx(lic, document, d, existing={}):
104	from pathlib import Path	34	from pathlib import Path
105	import oe.spdx	35	import oe.spdx
@@ -172,34 +102,6 @@ def convert_license_to_spdx(lic, document, d, existing={}):
172		102
173	return ' '.join(convert(l) for l in lic_split)	103	return ' '.join(convert(l) for l in lic_split)
174		104
175	def process_sources(d):
176	pn = d.getVar('PN')
177	assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
178	if pn in assume_provided:
179	for p in d.getVar("PROVIDES").split():
180	if p != pn:
181	pn = p
182	break
183
184	# glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
185	# so avoid archiving source here.
186	if pn.startswith('glibc-locale'):
187	return False
188	if d.getVar('PN') == "libtool-cross":
189	return False
190	if d.getVar('PN') == "libgcc-initial":
191	return False
192	if d.getVar('PN') == "shadow-sysroot":
193	return False
194
195	# We just archive gcc-source for all the gcc related recipes
196	if d.getVar('BPN') in ['gcc', 'libgcc']:
197	bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
198	return False
199
200	return True
201
202
203	def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):	105	def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
204	from pathlib import Path	106	from pathlib import Path
205	import oe.spdx	107	import oe.spdx
@@ -348,16 +250,20 @@ def collect_dep_recipes(d, doc, spdx_recipe):
348	import oe.spdx	250	import oe.spdx
349		251
350	deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))	252	deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
351	spdx_deps_file = Path(d.getVar("SPDXDEPS"))
352	package_archs = d.getVar("SSTATE_ARCHS").split()	253	package_archs = d.getVar("SSTATE_ARCHS").split()
353	package_archs.reverse()	254	package_archs.reverse()
354		255
355	dep_recipes = []	256	dep_recipes = []
356		257
357	with spdx_deps_file.open("r") as f:	258	deps = get_spdx_deps(d)
358	deps = json.load(f)	259
		260	for dep_pn, dep_hashfn, in_taskhash in deps:
		261	# If this dependency is not calculated in the taskhash skip it.
		262	# Otherwise, it can result in broken links since this task won't
		263	# rebuild and see the new SPDX ID if the dependency changes
		264	if not in_taskhash:
		265	continue
359		266
360	for dep_pn, dep_hashfn in deps:
361	dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep_pn, dep_hashfn)	267	dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep_pn, dep_hashfn)
362	if not dep_recipe_path:	268	if not dep_recipe_path:
363	bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep_pn, dep_hashfn))	269	bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep_pn, dep_hashfn))
@@ -462,51 +368,6 @@ def add_download_packages(d, doc, recipe):
462	# but this should be sufficient for now	368	# but this should be sufficient for now
463	doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)	369	doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
464		370
465	def collect_direct_deps(d, dep_task):
466	current_task = "do_" + d.getVar("BB_CURRENTTASK")
467	pn = d.getVar("PN")
468
469	taskdepdata = d.getVar("BB_TASKDEPDATA", False)
470
471	for this_dep in taskdepdata.values():
472	if this_dep[0] == pn and this_dep[1] == current_task:
473	break
474	else:
475	bb.fatal(f"Unable to find this {pn}:{current_task} in taskdepdata")
476
477	deps = set()
478	for dep_name in this_dep[3]:
479	dep_data = taskdepdata[dep_name]
480	if dep_data[1] == dep_task and dep_data[0] != pn:
481	deps.add((dep_data[0], dep_data[7]))
482
483	return sorted(deps)
484
485	collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
486	collect_direct_deps[vardeps] += "DEPENDS"
487
488	python do_collect_spdx_deps() {
489	# This task calculates the build time dependencies of the recipe, and is
490	# required because while a task can deptask on itself, those dependencies
491	# do not show up in BB_TASKDEPDATA. To work around that, this task does the
492	# deptask on do_create_spdx and writes out the dependencies it finds, then
493	# do_create_spdx reads in the found dependencies when writing the actual
494	# SPDX document
495	import json
496	from pathlib import Path
497
498	spdx_deps_file = Path(d.getVar("SPDXDEPS"))
499
500	deps = collect_direct_deps(d, "do_create_spdx")
501
502	with spdx_deps_file.open("w") as f:
503	json.dump(deps, f)
504	}
505	# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
506	addtask do_collect_spdx_deps after do_unpack
507	do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
508	do_collect_spdx_deps[deptask] = "do_create_spdx"
509	do_collect_spdx_deps[dirs] = "${SPDXDIR}"
510		371
511	python do_create_spdx() {	372	python do_create_spdx() {
512	from datetime import datetime, timezone	373	from datetime import datetime, timezone
@@ -545,7 +406,7 @@ python do_create_spdx() {
545	doc = oe.spdx.SPDXDocument()	406	doc = oe.spdx.SPDXDocument()
546		407
547	doc.name = "recipe-" + d.getVar("PN")	408	doc.name = "recipe-" + d.getVar("PN")
548	doc.documentNamespace = get_doc_namespace(d, doc)	409	doc.documentNamespace = get_namespace(d, doc.name)
549	doc.creationInfo.created = creation_time	410	doc.creationInfo.created = creation_time
550	doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."	411	doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
551	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	412	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -649,7 +510,7 @@ python do_create_spdx() {
649	package_doc = oe.spdx.SPDXDocument()	510	package_doc = oe.spdx.SPDXDocument()
650	pkg_name = d.getVar("PKG:%s" % package) or package	511	pkg_name = d.getVar("PKG:%s" % package) or package
651	package_doc.name = pkg_name	512	package_doc.name = pkg_name
652	package_doc.documentNamespace = get_doc_namespace(d, package_doc)	513	package_doc.documentNamespace = get_namespace(d, package_doc.name)
653	package_doc.creationInfo.created = creation_time	514	package_doc.creationInfo.created = creation_time
654	package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."	515	package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
655	package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	516	package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -710,44 +571,6 @@ do_create_spdx[dirs] = "${SPDXWORK}"
710	do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"	571	do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
711	do_create_spdx[depends] += "${PATCHDEPENDENCY}"	572	do_create_spdx[depends] += "${PATCHDEPENDENCY}"
712		573
713	def collect_package_providers(d):
714	from pathlib import Path
715	import oe.sbom
716	import oe.spdx
717	import json
718
719	deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
720
721	providers = {}
722
723	deps = collect_direct_deps(d, "do_create_spdx")
724	deps.append((d.getVar("PN"), d.getVar("BB_HASHFILENAME")))
725
726	for dep_pn, dep_hashfn in deps:
727	localdata = d
728	recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
729	if not recipe_data:
730	localdata = bb.data.createCopy(d)
731	localdata.setVar("PKGDATA_DIR", "${PKGDATA_DIR_SDK}")
732	recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
733
734	for pkg in recipe_data.get("PACKAGES", "").split():
735
736	pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, localdata)
737	rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
738	rprovides.add(pkg)
739
740	if "PKG" in pkg_data:
741	pkg = pkg_data["PKG"]
742	rprovides.add(pkg)
743
744	for r in rprovides:
745	providers[r] = (pkg, dep_hashfn)
746
747	return providers
748
749	collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
750
751	python do_create_runtime_spdx() {	574	python do_create_runtime_spdx() {
752	from datetime import datetime, timezone	575	from datetime import datetime, timezone
753	import oe.sbom	576	import oe.sbom
@@ -794,7 +617,7 @@ python do_create_runtime_spdx() {
794		617
795	runtime_doc = oe.spdx.SPDXDocument()	618	runtime_doc = oe.spdx.SPDXDocument()
796	runtime_doc.name = "runtime-" + pkg_name	619	runtime_doc.name = "runtime-" + pkg_name
797	runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)	620	runtime_doc.documentNamespace = get_namespace(localdata, runtime_doc.name)
798	runtime_doc.creationInfo.created = creation_time	621	runtime_doc.creationInfo.created = creation_time
799	runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."	622	runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
800	runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	623	runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -885,60 +708,6 @@ do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
885	do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"	708	do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
886	do_create_runtime_spdx[rdeptask] = "do_create_spdx"	709	do_create_runtime_spdx[rdeptask] = "do_create_spdx"
887		710
888	def spdx_get_src(d):
889	"""
890	save patched source of the recipe in SPDX_WORKDIR.
891	"""
892	import shutil
893	spdx_workdir = d.getVar('SPDXWORK')
894	spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
895	pn = d.getVar('PN')
896
897	workdir = d.getVar("WORKDIR")
898
899	try:
900	# The kernel class functions require it to be on work-shared, so we dont change WORKDIR
901	if not is_work_shared_spdx(d):
902	# Change the WORKDIR to make do_unpack do_patch run in another dir.
903	d.setVar('WORKDIR', spdx_workdir)
904	# Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
905	d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
906
907	# The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
908	# possibly requiring of the following tasks (such as some recipes's
909	# do_patch required 'B' existed).
910	bb.utils.mkdirhier(d.getVar('B'))
911
912	bb.build.exec_func('do_unpack', d)
913	# Copy source of kernel to spdx_workdir
914	if is_work_shared_spdx(d):
915	share_src = d.getVar('WORKDIR')
916	d.setVar('WORKDIR', spdx_workdir)
917	d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
918	src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
919	bb.utils.mkdirhier(src_dir)
920	if bb.data.inherits_class('kernel',d):
921	share_src = d.getVar('STAGING_KERNEL_DIR')
922	cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
923	cmd_copy_shared_res = os.popen(cmd_copy_share).read()
924	bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res)
925
926	git_path = src_dir + "/.git"
927	if os.path.exists(git_path):
928	shutils.rmtree(git_path)
929
930	# Make sure gcc and kernel sources are patched only once
931	if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)):
932	bb.build.exec_func('do_patch', d)
933
934	# Some userland has no source.
935	if not os.path.exists( spdx_workdir ):
936	bb.utils.mkdirhier(spdx_workdir)
937	finally:
938	d.setVar("WORKDIR", workdir)
939
940	spdx_get_src[vardepsexclude] += "STAGING_KERNEL_DIR"
941
942	do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"	711	do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
943	do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"	712	do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"
944		713
@@ -1013,7 +782,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
1013		782
1014	doc = oe.spdx.SPDXDocument()	783	doc = oe.spdx.SPDXDocument()
1015	doc.name = rootfs_name	784	doc.name = rootfs_name
1016	doc.documentNamespace = get_doc_namespace(d, doc)	785	doc.documentNamespace = get_namespace(d, doc.name)
1017	doc.creationInfo.created = creation_time	786	doc.creationInfo.created = creation_time
1018	doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."	787	doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
1019	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	788	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]