1 files changed, 12 insertions, 249 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 7c8a0b8b0f..3ebf92b5e1 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -4,65 +4,15 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
-DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx"
+inherit spdx-common
-# The product name that the CVE database uses.  Defaults to BPN, but may need to
+SPDX_VERSION = "2.2"
-# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
-CVE_PRODUCT ??= "${BPN}"
+def get_namespace(d, name):
-CVE_VERSION ??= "${PV}"
-SPDXDIR ??= "${WORKDIR}/spdx"
-SPDXDEPLOY = "${SPDXDIR}/deploy"
-SPDXWORK = "${SPDXDIR}/work"
-SPDXIMAGEWORK = "${SPDXDIR}/image-work"
-SPDXSDKWORK = "${SPDXDIR}/sdk-work"
-SPDXDEPS = "${SPDXDIR}/deps.json"
-SPDX_TOOL_NAME ??= "oe-spdx-creator"
-SPDX_TOOL_VERSION ??= "1.0"
-SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
-SPDX_INCLUDE_SOURCES ??= "0"
-SPDX_ARCHIVE_SOURCES ??= "0"
-SPDX_ARCHIVE_PACKAGED ??= "0"
-SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
-SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
-SPDX_PRETTY ??= "0"
-SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
-SPDX_CUSTOM_ANNOTATION_VARS ??= ""
-SPDX_ORG ??= "OpenEmbedded ()"
-SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
-SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
-    this recipe. For SPDX documents create using this class during the build, this \
-    is the contact information for the person or organization who is doing the \
-    build."
-def extract_licenses(filename):
-    import re
-    lic_regex = re.compile(rb'^\W*SPDX-License-Identifier:\s*([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
-    try:
-        with open(filename, 'rb') as f:
-            size = min(15000, os.stat(filename).st_size)
-            txt = f.read(size)
-            licenses = re.findall(lic_regex, txt)
-            if licenses:
-                ascii_licenses = [lic.decode('ascii') for lic in licenses]
-                return ascii_licenses
-    except Exception as e:
-        bb.warn(f"Exception reading {filename}: {e}")
-    return None
-def get_doc_namespace(d, doc):
    import uuid
    namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
-    return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))
+    return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name)))
 def create_annotation(d, comment):
    from datetime import datetime, timezone
@@ -80,26 +30,6 @@ def recipe_spdx_is_native(d, recipe):
      a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and
      a.comment == "isNative" for a in recipe.annotations)
-def is_work_shared_spdx(d):
-    return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR'))
-def get_json_indent(d):
-    if d.getVar("SPDX_PRETTY") == "1":
-        return 2
-    return None
-python() {
-    import json
-    if d.getVar("SPDX_LICENSE_DATA"):
-        return
-    with open(d.getVar("SPDX_LICENSES"), "r") as f:
-        data = json.load(f)
-        # Transform the license array to a dictionary
-        data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
-        d.setVar("SPDX_LICENSE_DATA", data)
-}
 def convert_license_to_spdx(lic, document, d, existing={}):
    from pathlib import Path
    import oe.spdx
@@ -172,34 +102,6 @@ def convert_license_to_spdx(lic, document, d, existing={}):
    return ' '.join(convert(l) for l in lic_split)
-def process_sources(d):
-    pn = d.getVar('PN')
-    assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
-    if pn in assume_provided:
-        for p in d.getVar("PROVIDES").split():
-            if p != pn:
-                pn = p
-                break
-    # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
-    # so avoid archiving source here.
-    if pn.startswith('glibc-locale'):
-        return False
-    if d.getVar('PN') == "libtool-cross":
-        return False
-    if d.getVar('PN') == "libgcc-initial":
-        return False
-    if d.getVar('PN') == "shadow-sysroot":
-        return False
-    # We just archive gcc-source for all the gcc related recipes
-    if d.getVar('BPN') in ['gcc', 'libgcc']:
-        bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
-        return False
-    return True
 def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
    from pathlib import Path
    import oe.spdx
@@ -348,14 +250,12 @@ def collect_dep_recipes(d, doc, spdx_recipe):
    import oe.spdx
    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
    package_archs = d.getVar("SSTATE_ARCHS").split()
    package_archs.reverse()
    dep_recipes = []
-    with spdx_deps_file.open("r") as f:
+    deps = get_spdx_deps(d)
-        deps = json.load(f)
    for dep_pn, dep_hashfn, in_taskhash in deps:
        # If this dependency is not calculated in the taskhash skip it.
@@ -468,51 +368,6 @@ def add_download_packages(d, doc, recipe):
            # but this should be sufficient for now
            doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
-def collect_direct_deps(d, dep_task):
-    current_task = "do_" + d.getVar("BB_CURRENTTASK")
-    pn = d.getVar("PN")
-    taskdepdata = d.getVar("BB_TASKDEPDATA", False)
-    for this_dep in taskdepdata.values():
-        if this_dep[0] == pn and this_dep[1] == current_task:
-            break
-    else:
-        bb.fatal(f"Unable to find this {pn}:{current_task} in taskdepdata")
-    deps = set()
-    for dep_name in this_dep[3]:
-        dep_data = taskdepdata[dep_name]
-        if dep_data[1] == dep_task and dep_data[0] != pn:
-            deps.add((dep_data[0], dep_data[7], dep_name in this_dep[8]))
-    return sorted(deps)
-collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
-collect_direct_deps[vardeps] += "DEPENDS"
-python do_collect_spdx_deps() {
-    # This task calculates the build time dependencies of the recipe, and is
-    # required because while a task can deptask on itself, those dependencies
-    # do not show up in BB_TASKDEPDATA. To work around that, this task does the
-    # deptask on do_create_spdx and writes out the dependencies it finds, then
-    # do_create_spdx reads in the found dependencies when writing the actual
-    # SPDX document
-    import json
-    from pathlib import Path
-    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
-    deps = collect_direct_deps(d, "do_create_spdx")
-    with spdx_deps_file.open("w") as f:
-        json.dump(deps, f)
-}
-# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
-addtask do_collect_spdx_deps after do_unpack
-do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
-do_collect_spdx_deps[deptask] = "do_create_spdx"
-do_collect_spdx_deps[dirs] = "${SPDXDIR}"
 python do_create_spdx() {
    from datetime import datetime, timezone
@@ -551,7 +406,7 @@ python do_create_spdx() {
    doc = oe.spdx.SPDXDocument()
    doc.name = "recipe-" + d.getVar("PN")
-    doc.documentNamespace = get_doc_namespace(d, doc)
+    doc.documentNamespace = get_namespace(d, doc.name)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -655,7 +510,7 @@ python do_create_spdx() {
            package_doc = oe.spdx.SPDXDocument()
            pkg_name = d.getVar("PKG:%s" % package) or package
            package_doc.name = pkg_name
-            package_doc.documentNamespace = get_doc_namespace(d, package_doc)
+            package_doc.documentNamespace = get_namespace(d, package_doc.name)
            package_doc.creationInfo.created = creation_time
            package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
            package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -716,44 +571,6 @@ do_create_spdx[dirs] = "${SPDXWORK}"
 do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
 do_create_spdx[depends] += "${PATCHDEPENDENCY}"
-def collect_package_providers(d):
-    from pathlib import Path
-    import oe.sbom
-    import oe.spdx
-    import json
-    deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
-    providers = {}
-    deps = collect_direct_deps(d, "do_create_spdx")
-    deps.append((d.getVar("PN"), d.getVar("BB_HASHFILENAME"), True))
-    for dep_pn, dep_hashfn, _ in deps:
-        localdata = d
-        recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
-        if not recipe_data:
-            localdata = bb.data.createCopy(d)
-            localdata.setVar("PKGDATA_DIR", "${PKGDATA_DIR_SDK}")
-            recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
-        for pkg in recipe_data.get("PACKAGES", "").split():
-            pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, localdata)
-            rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
-            rprovides.add(pkg)
-            if "PKG" in pkg_data:
-                pkg = pkg_data["PKG"]
-                rprovides.add(pkg)
-            for r in rprovides:
-                providers[r] = (pkg, dep_hashfn)
-    return providers
-collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
 python do_create_runtime_spdx() {
    from datetime import datetime, timezone
    import oe.sbom
@@ -800,7 +617,7 @@ python do_create_runtime_spdx() {
            runtime_doc = oe.spdx.SPDXDocument()
            runtime_doc.name = "runtime-" + pkg_name
-            runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)
+            runtime_doc.documentNamespace = get_namespace(localdata, runtime_doc.name)
            runtime_doc.creationInfo.created = creation_time
            runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
            runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -891,60 +708,6 @@ do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
 do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
 do_create_runtime_spdx[rdeptask] = "do_create_spdx"
-def spdx_get_src(d):
-    """
-    save patched source of the recipe in SPDX_WORKDIR.
-    """
-    import shutil
-    spdx_workdir = d.getVar('SPDXWORK')
-    spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
-    pn = d.getVar('PN')
-    workdir = d.getVar("WORKDIR")
-    try:
-        # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
-        if not is_work_shared_spdx(d):
-            # Change the WORKDIR to make do_unpack do_patch run in another dir.
-            d.setVar('WORKDIR', spdx_workdir)
-            # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
-            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
-            # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
-            # possibly requiring of the following tasks (such as some recipes's
-            # do_patch required 'B' existed).
-            bb.utils.mkdirhier(d.getVar('B'))
-            bb.build.exec_func('do_unpack', d)
-        # Copy source of kernel to spdx_workdir
-        if is_work_shared_spdx(d):
-            share_src = d.getVar('WORKDIR')
-            d.setVar('WORKDIR', spdx_workdir)
-            d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
-            src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
-            bb.utils.mkdirhier(src_dir)
-            if bb.data.inherits_class('kernel',d):
-                share_src = d.getVar('STAGING_KERNEL_DIR')
-            cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
-            cmd_copy_shared_res = os.popen(cmd_copy_share).read()
-            bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res)
-            git_path = src_dir + "/.git"
-            if os.path.exists(git_path):
-                shutils.rmtree(git_path)
-        # Make sure gcc and kernel sources are patched only once
-        if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)):
-            bb.build.exec_func('do_patch', d)
-        # Some userland has no source.
-        if not os.path.exists( spdx_workdir ):
-            bb.utils.mkdirhier(spdx_workdir)
-    finally:
-        d.setVar("WORKDIR", workdir)
-spdx_get_src[vardepsexclude] += "STAGING_KERNEL_DIR"
 do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
 do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"
@@ -1019,7 +782,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
    doc = oe.spdx.SPDXDocument()
    doc.name = rootfs_name
-    doc.documentNamespace = get_doc_namespace(d, doc)
+    doc.documentNamespace = get_namespace(d, doc.name)
    doc.creationInfo.created = creation_time
    doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
    doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 7c8a0b8b0f..3ebf92b5e1 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass
@@ -4,65 +4,15 @@
4	# SPDX-License-Identifier: GPL-2.0-only	4	# SPDX-License-Identifier: GPL-2.0-only
5	#	5	#
6		6
7	DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx"	7	inherit spdx-common
8		8
9	# The product name that the CVE database uses. Defaults to BPN, but may need to	9	SPDX_VERSION = "2.2"
10	# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).	10
11	CVE_PRODUCT ??= "${BPN}"	11	def get_namespace(d, name):
12	CVE_VERSION ??= "${PV}"
13
14	SPDXDIR ??= "${WORKDIR}/spdx"
15	SPDXDEPLOY = "${SPDXDIR}/deploy"
16	SPDXWORK = "${SPDXDIR}/work"
17	SPDXIMAGEWORK = "${SPDXDIR}/image-work"
18	SPDXSDKWORK = "${SPDXDIR}/sdk-work"
19	SPDXDEPS = "${SPDXDIR}/deps.json"
20
21	SPDX_TOOL_NAME ??= "oe-spdx-creator"
22	SPDX_TOOL_VERSION ??= "1.0"
23
24	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
25
26	SPDX_INCLUDE_SOURCES ??= "0"
27	SPDX_ARCHIVE_SOURCES ??= "0"
28	SPDX_ARCHIVE_PACKAGED ??= "0"
29
30	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
31	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
32	SPDX_PRETTY ??= "0"
33
34	SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
35
36	SPDX_CUSTOM_ANNOTATION_VARS ??= ""
37
38	SPDX_ORG ??= "OpenEmbedded ()"
39	SPDX_SUPPLIER ??= "Organization: ${SPDX_ORG}"
40	SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created from \
41	this recipe. For SPDX documents create using this class during the build, this \
42	is the contact information for the person or organization who is doing the \
43	build."
44
45	def extract_licenses(filename):
46	import re
47
48	lic_regex = re.compile(rb'^\WSPDX-License-Identifier:\s([ \w\d.()+-]+?)(?:\s+\W*)?$', re.MULTILINE)
49
50	try:
51	with open(filename, 'rb') as f:
52	size = min(15000, os.stat(filename).st_size)
53	txt = f.read(size)
54	licenses = re.findall(lic_regex, txt)
55	if licenses:
56	ascii_licenses = [lic.decode('ascii') for lic in licenses]
57	return ascii_licenses
58	except Exception as e:
59	bb.warn(f"Exception reading {filename}: {e}")
60	return None
61
62	def get_doc_namespace(d, doc):
63	import uuid	12	import uuid
64	namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))	13	namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
65	return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))	14	return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name)))
		15
66		16
67	def create_annotation(d, comment):	17	def create_annotation(d, comment):
68	from datetime import datetime, timezone	18	from datetime import datetime, timezone
@@ -80,26 +30,6 @@ def recipe_spdx_is_native(d, recipe):
80	a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and	30	a.annotator == "Tool: %s - %s" % (d.getVar("SPDX_TOOL_NAME"), d.getVar("SPDX_TOOL_VERSION")) and
81	a.comment == "isNative" for a in recipe.annotations)	31	a.comment == "isNative" for a in recipe.annotations)
82		32
83	def is_work_shared_spdx(d):
84	return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR'))
85
86	def get_json_indent(d):
87	if d.getVar("SPDX_PRETTY") == "1":
88	return 2
89	return None
90
91	python() {
92	import json
93	if d.getVar("SPDX_LICENSE_DATA"):
94	return
95
96	with open(d.getVar("SPDX_LICENSES"), "r") as f:
97	data = json.load(f)
98	# Transform the license array to a dictionary
99	data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
100	d.setVar("SPDX_LICENSE_DATA", data)
101	}
102
103	def convert_license_to_spdx(lic, document, d, existing={}):	33	def convert_license_to_spdx(lic, document, d, existing={}):
104	from pathlib import Path	34	from pathlib import Path
105	import oe.spdx	35	import oe.spdx
@@ -172,34 +102,6 @@ def convert_license_to_spdx(lic, document, d, existing={}):
172		102
173	return ' '.join(convert(l) for l in lic_split)	103	return ' '.join(convert(l) for l in lic_split)
174		104
175	def process_sources(d):
176	pn = d.getVar('PN')
177	assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
178	if pn in assume_provided:
179	for p in d.getVar("PROVIDES").split():
180	if p != pn:
181	pn = p
182	break
183
184	# glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
185	# so avoid archiving source here.
186	if pn.startswith('glibc-locale'):
187	return False
188	if d.getVar('PN') == "libtool-cross":
189	return False
190	if d.getVar('PN') == "libgcc-initial":
191	return False
192	if d.getVar('PN') == "shadow-sysroot":
193	return False
194
195	# We just archive gcc-source for all the gcc related recipes
196	if d.getVar('BPN') in ['gcc', 'libgcc']:
197	bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
198	return False
199
200	return True
201
202
203	def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):	105	def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
204	from pathlib import Path	106	from pathlib import Path
205	import oe.spdx	107	import oe.spdx
@@ -348,14 +250,12 @@ def collect_dep_recipes(d, doc, spdx_recipe):
348	import oe.spdx	250	import oe.spdx
349		251
350	deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))	252	deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
351	spdx_deps_file = Path(d.getVar("SPDXDEPS"))
352	package_archs = d.getVar("SSTATE_ARCHS").split()	253	package_archs = d.getVar("SSTATE_ARCHS").split()
353	package_archs.reverse()	254	package_archs.reverse()
354		255
355	dep_recipes = []	256	dep_recipes = []
356		257
357	with spdx_deps_file.open("r") as f:	258	deps = get_spdx_deps(d)
358	deps = json.load(f)
359		259
360	for dep_pn, dep_hashfn, in_taskhash in deps:	260	for dep_pn, dep_hashfn, in_taskhash in deps:
361	# If this dependency is not calculated in the taskhash skip it.	261	# If this dependency is not calculated in the taskhash skip it.
@@ -468,51 +368,6 @@ def add_download_packages(d, doc, recipe):
468	# but this should be sufficient for now	368	# but this should be sufficient for now
469	doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)	369	doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
470		370
471	def collect_direct_deps(d, dep_task):
472	current_task = "do_" + d.getVar("BB_CURRENTTASK")
473	pn = d.getVar("PN")
474
475	taskdepdata = d.getVar("BB_TASKDEPDATA", False)
476
477	for this_dep in taskdepdata.values():
478	if this_dep[0] == pn and this_dep[1] == current_task:
479	break
480	else:
481	bb.fatal(f"Unable to find this {pn}:{current_task} in taskdepdata")
482
483	deps = set()
484	for dep_name in this_dep[3]:
485	dep_data = taskdepdata[dep_name]
486	if dep_data[1] == dep_task and dep_data[0] != pn:
487	deps.add((dep_data[0], dep_data[7], dep_name in this_dep[8]))
488
489	return sorted(deps)
490
491	collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
492	collect_direct_deps[vardeps] += "DEPENDS"
493
494	python do_collect_spdx_deps() {
495	# This task calculates the build time dependencies of the recipe, and is
496	# required because while a task can deptask on itself, those dependencies
497	# do not show up in BB_TASKDEPDATA. To work around that, this task does the
498	# deptask on do_create_spdx and writes out the dependencies it finds, then
499	# do_create_spdx reads in the found dependencies when writing the actual
500	# SPDX document
501	import json
502	from pathlib import Path
503
504	spdx_deps_file = Path(d.getVar("SPDXDEPS"))
505
506	deps = collect_direct_deps(d, "do_create_spdx")
507
508	with spdx_deps_file.open("w") as f:
509	json.dump(deps, f)
510	}
511	# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
512	addtask do_collect_spdx_deps after do_unpack
513	do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
514	do_collect_spdx_deps[deptask] = "do_create_spdx"
515	do_collect_spdx_deps[dirs] = "${SPDXDIR}"
516		371
517	python do_create_spdx() {	372	python do_create_spdx() {
518	from datetime import datetime, timezone	373	from datetime import datetime, timezone
@@ -551,7 +406,7 @@ python do_create_spdx() {
551	doc = oe.spdx.SPDXDocument()	406	doc = oe.spdx.SPDXDocument()
552		407
553	doc.name = "recipe-" + d.getVar("PN")	408	doc.name = "recipe-" + d.getVar("PN")
554	doc.documentNamespace = get_doc_namespace(d, doc)	409	doc.documentNamespace = get_namespace(d, doc.name)
555	doc.creationInfo.created = creation_time	410	doc.creationInfo.created = creation_time
556	doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."	411	doc.creationInfo.comment = "This document was created by analyzing recipe files during the build."
557	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	412	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -655,7 +510,7 @@ python do_create_spdx() {
655	package_doc = oe.spdx.SPDXDocument()	510	package_doc = oe.spdx.SPDXDocument()
656	pkg_name = d.getVar("PKG:%s" % package) or package	511	pkg_name = d.getVar("PKG:%s" % package) or package
657	package_doc.name = pkg_name	512	package_doc.name = pkg_name
658	package_doc.documentNamespace = get_doc_namespace(d, package_doc)	513	package_doc.documentNamespace = get_namespace(d, package_doc.name)
659	package_doc.creationInfo.created = creation_time	514	package_doc.creationInfo.created = creation_time
660	package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."	515	package_doc.creationInfo.comment = "This document was created by analyzing packages created during the build."
661	package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	516	package_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -716,44 +571,6 @@ do_create_spdx[dirs] = "${SPDXWORK}"
716	do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"	571	do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
717	do_create_spdx[depends] += "${PATCHDEPENDENCY}"	572	do_create_spdx[depends] += "${PATCHDEPENDENCY}"
718		573
719	def collect_package_providers(d):
720	from pathlib import Path
721	import oe.sbom
722	import oe.spdx
723	import json
724
725	deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
726
727	providers = {}
728
729	deps = collect_direct_deps(d, "do_create_spdx")
730	deps.append((d.getVar("PN"), d.getVar("BB_HASHFILENAME"), True))
731
732	for dep_pn, dep_hashfn, _ in deps:
733	localdata = d
734	recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
735	if not recipe_data:
736	localdata = bb.data.createCopy(d)
737	localdata.setVar("PKGDATA_DIR", "${PKGDATA_DIR_SDK}")
738	recipe_data = oe.packagedata.read_pkgdata(dep_pn, localdata)
739
740	for pkg in recipe_data.get("PACKAGES", "").split():
741
742	pkg_data = oe.packagedata.read_subpkgdata_dict(pkg, localdata)
743	rprovides = set(n for n, _ in bb.utils.explode_dep_versions2(pkg_data.get("RPROVIDES", "")).items())
744	rprovides.add(pkg)
745
746	if "PKG" in pkg_data:
747	pkg = pkg_data["PKG"]
748	rprovides.add(pkg)
749
750	for r in rprovides:
751	providers[r] = (pkg, dep_hashfn)
752
753	return providers
754
755	collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
756
757	python do_create_runtime_spdx() {	574	python do_create_runtime_spdx() {
758	from datetime import datetime, timezone	575	from datetime import datetime, timezone
759	import oe.sbom	576	import oe.sbom
@@ -800,7 +617,7 @@ python do_create_runtime_spdx() {
800		617
801	runtime_doc = oe.spdx.SPDXDocument()	618	runtime_doc = oe.spdx.SPDXDocument()
802	runtime_doc.name = "runtime-" + pkg_name	619	runtime_doc.name = "runtime-" + pkg_name
803	runtime_doc.documentNamespace = get_doc_namespace(localdata, runtime_doc)	620	runtime_doc.documentNamespace = get_namespace(localdata, runtime_doc.name)
804	runtime_doc.creationInfo.created = creation_time	621	runtime_doc.creationInfo.created = creation_time
805	runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."	622	runtime_doc.creationInfo.comment = "This document was created by analyzing package runtime dependencies."
806	runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	623	runtime_doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]
@@ -891,60 +708,6 @@ do_create_runtime_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
891	do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"	708	do_create_runtime_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
892	do_create_runtime_spdx[rdeptask] = "do_create_spdx"	709	do_create_runtime_spdx[rdeptask] = "do_create_spdx"
893		710
894	def spdx_get_src(d):
895	"""
896	save patched source of the recipe in SPDX_WORKDIR.
897	"""
898	import shutil
899	spdx_workdir = d.getVar('SPDXWORK')
900	spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
901	pn = d.getVar('PN')
902
903	workdir = d.getVar("WORKDIR")
904
905	try:
906	# The kernel class functions require it to be on work-shared, so we dont change WORKDIR
907	if not is_work_shared_spdx(d):
908	# Change the WORKDIR to make do_unpack do_patch run in another dir.
909	d.setVar('WORKDIR', spdx_workdir)
910	# Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
911	d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
912
913	# The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
914	# possibly requiring of the following tasks (such as some recipes's
915	# do_patch required 'B' existed).
916	bb.utils.mkdirhier(d.getVar('B'))
917
918	bb.build.exec_func('do_unpack', d)
919	# Copy source of kernel to spdx_workdir
920	if is_work_shared_spdx(d):
921	share_src = d.getVar('WORKDIR')
922	d.setVar('WORKDIR', spdx_workdir)
923	d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
924	src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
925	bb.utils.mkdirhier(src_dir)
926	if bb.data.inherits_class('kernel',d):
927	share_src = d.getVar('STAGING_KERNEL_DIR')
928	cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
929	cmd_copy_shared_res = os.popen(cmd_copy_share).read()
930	bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res)
931
932	git_path = src_dir + "/.git"
933	if os.path.exists(git_path):
934	shutils.rmtree(git_path)
935
936	# Make sure gcc and kernel sources are patched only once
937	if not (d.getVar('SRC_URI') == "" or is_work_shared_spdx(d)):
938	bb.build.exec_func('do_patch', d)
939
940	# Some userland has no source.
941	if not os.path.exists( spdx_workdir ):
942	bb.utils.mkdirhier(spdx_workdir)
943	finally:
944	d.setVar("WORKDIR", workdir)
945
946	spdx_get_src[vardepsexclude] += "STAGING_KERNEL_DIR"
947
948	do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"	711	do_rootfs[recrdeptask] += "do_create_spdx do_create_runtime_spdx"
949	do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"	712	do_rootfs[cleandirs] += "${SPDXIMAGEWORK}"
950		713
@@ -1019,7 +782,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
1019		782
1020	doc = oe.spdx.SPDXDocument()	783	doc = oe.spdx.SPDXDocument()
1021	doc.name = rootfs_name	784	doc.name = rootfs_name
1022	doc.documentNamespace = get_doc_namespace(d, doc)	785	doc.documentNamespace = get_namespace(d, doc.name)
1023	doc.creationInfo.created = creation_time	786	doc.creationInfo.created = creation_time
1024	doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."	787	doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
1025	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]	788	doc.creationInfo.licenseListVersion = d.getVar("SPDX_LICENSE_DATA")["licenseListVersion"]