1 files changed, 107 insertions, 0 deletions
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
new file mode 100644
index 0000000000..ca0416d1c7
--- /dev/null
+++ b/meta/classes/spdx-common.bbclass
@@ -0,0 +1,107 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+SPDX_VERSION ??= ""
+DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${SPDX_VERSION}"
+# The product name that the CVE database uses.  Defaults to BPN, but may need to
+# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
+CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
+SPDXDIR ??= "${WORKDIR}/spdx/${SPDX_VERSION}"
+SPDXDEPLOY = "${SPDXDIR}/deploy"
+SPDXWORK = "${SPDXDIR}/work"
+SPDXIMAGEWORK = "${SPDXDIR}/image-work"
+SPDXSDKWORK = "${SPDXDIR}/sdk-work"
+SPDXSDKEXTWORK = "${SPDXDIR}/sdk-ext-work"
+SPDXDEPS = "${SPDXDIR}/deps.json"
+SPDX_TOOL_NAME ??= "oe-spdx-creator"
+SPDX_TOOL_VERSION ??= "1.0"
+SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
+SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
+SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
+SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
+SPDX_PRETTY ??= "0"
+SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
+python () {
+    from oe.cve_check import extend_cve_status
+    extend_cve_status(d)
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
+}
+def create_spdx_source_deps(d):
+    import oe.spdx_common
+    deps = []
+    if d.getVar("SPDX_INCLUDE_SOURCES") == "1":
+        pn = d.getVar('PN')
+        # do_unpack is a hack for now; we only need it to get the
+        # dependencies do_unpack already has so we can extract the source
+        # ourselves
+        if oe.spdx_common.has_task(d, "do_unpack"):
+            deps.append("%s:do_unpack" % pn)
+        if oe.spdx_common.is_work_shared_spdx(d) and \
+           oe.spdx_common.process_sources(d):
+            # For kernel source code
+            if oe.spdx_common.has_task(d, "do_shared_workdir"):
+                deps.append("%s:do_shared_workdir" % pn)
+            elif d.getVar('S') == d.getVar('STAGING_KERNEL_DIR'):
+                deps.append("virtual/kernel:do_shared_workdir")
+            # For gcc-source-${PV} source code
+            if oe.spdx_common.has_task(d, "do_preconfigure"):
+                deps.append("%s:do_preconfigure" % pn)
+            elif oe.spdx_common.has_task(d, "do_patch"):
+                deps.append("%s:do_patch" % pn)
+            # For gcc-cross-x86_64 source code
+            elif oe.spdx_common.has_task(d, "do_configure"):
+                deps.append("%s:do_configure" % pn)
+    return " ".join(deps)
+python do_collect_spdx_deps() {
+    # This task calculates the build time dependencies of the recipe, and is
+    # required because while a task can deptask on itself, those dependencies
+    # do not show up in BB_TASKDEPDATA. To work around that, this task does the
+    # deptask on do_create_spdx and writes out the dependencies it finds, then
+    # do_create_spdx reads in the found dependencies when writing the actual
+    # SPDX document
+    import json
+    import oe.spdx_common
+    from pathlib import Path
+    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
+    deps = oe.spdx_common.collect_direct_deps(d, "do_create_spdx")
+    with spdx_deps_file.open("w") as f:
+        json.dump(deps, f)
+}
+# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
+addtask do_collect_spdx_deps after do_unpack
+do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
+do_collect_spdx_deps[deptask] = "do_create_spdx"
+do_collect_spdx_deps[dirs] = "${SPDXDIR}"
+oe.spdx_common.collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
+oe.spdx_common.collect_direct_deps[vardeps] += "DEPENDS"
+oe.spdx_common.collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
+oe.spdx_common.get_patched_src[vardepsexclude] += "STAGING_KERNEL_DIR"

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass new file mode 100644 index 0000000000..ca0416d1c7 --- /dev/null +++ b/meta/classes/spdx-common.bbclass
@@ -0,0 +1,107 @@
	1	#
	2	# Copyright OpenEmbedded Contributors
	3	#
	4	# SPDX-License-Identifier: GPL-2.0-only
	5	#
	6
	7	SPDX_VERSION ??= ""
	8	DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${SPDX_VERSION}"
	9
	10	# The product name that the CVE database uses. Defaults to BPN, but may need to
	11	# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
	12	CVE_PRODUCT ??= "${BPN}"
	13	CVE_VERSION ??= "${PV}"
	14
	15	SPDXDIR ??= "${WORKDIR}/spdx/${SPDX_VERSION}"
	16	SPDXDEPLOY = "${SPDXDIR}/deploy"
	17	SPDXWORK = "${SPDXDIR}/work"
	18	SPDXIMAGEWORK = "${SPDXDIR}/image-work"
	19	SPDXSDKWORK = "${SPDXDIR}/sdk-work"
	20	SPDXSDKEXTWORK = "${SPDXDIR}/sdk-ext-work"
	21	SPDXDEPS = "${SPDXDIR}/deps.json"
	22
	23	SPDX_TOOL_NAME ??= "oe-spdx-creator"
	24	SPDX_TOOL_VERSION ??= "1.0"
	25
	26	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
	27
	28	SPDX_INCLUDE_SOURCES ??= "0"
	29	SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
	30
	31	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
	32	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
	33	SPDX_PRETTY ??= "0"
	34
	35	SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
	36
	37	SPDX_CUSTOM_ANNOTATION_VARS ??= ""
	38
	39	SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
	40
	41	python () {
	42	from oe.cve_check import extend_cve_status
	43	extend_cve_status(d)
	44	if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
	45	d.setVar("SPDX_INCLUDE_SOURCES", "1")
	46	}
	47
	48	def create_spdx_source_deps(d):
	49	import oe.spdx_common
	50
	51	deps = []
	52	if d.getVar("SPDX_INCLUDE_SOURCES") == "1":
	53	pn = d.getVar('PN')
	54	# do_unpack is a hack for now; we only need it to get the
	55	# dependencies do_unpack already has so we can extract the source
	56	# ourselves
	57	if oe.spdx_common.has_task(d, "do_unpack"):
	58	deps.append("%s:do_unpack" % pn)
	59
	60	if oe.spdx_common.is_work_shared_spdx(d) and \
	61	oe.spdx_common.process_sources(d):
	62	# For kernel source code
	63	if oe.spdx_common.has_task(d, "do_shared_workdir"):
	64	deps.append("%s:do_shared_workdir" % pn)
	65	elif d.getVar('S') == d.getVar('STAGING_KERNEL_DIR'):
	66	deps.append("virtual/kernel:do_shared_workdir")
	67
	68	# For gcc-source-${PV} source code
	69	if oe.spdx_common.has_task(d, "do_preconfigure"):
	70	deps.append("%s:do_preconfigure" % pn)
	71	elif oe.spdx_common.has_task(d, "do_patch"):
	72	deps.append("%s:do_patch" % pn)
	73	# For gcc-cross-x86_64 source code
	74	elif oe.spdx_common.has_task(d, "do_configure"):
	75	deps.append("%s:do_configure" % pn)
	76
	77	return " ".join(deps)
	78
	79
	80	python do_collect_spdx_deps() {
	81	# This task calculates the build time dependencies of the recipe, and is
	82	# required because while a task can deptask on itself, those dependencies
	83	# do not show up in BB_TASKDEPDATA. To work around that, this task does the
	84	# deptask on do_create_spdx and writes out the dependencies it finds, then
	85	# do_create_spdx reads in the found dependencies when writing the actual
	86	# SPDX document
	87	import json
	88	import oe.spdx_common
	89	from pathlib import Path
	90
	91	spdx_deps_file = Path(d.getVar("SPDXDEPS"))
	92
	93	deps = oe.spdx_common.collect_direct_deps(d, "do_create_spdx")
	94
	95	with spdx_deps_file.open("w") as f:
	96	json.dump(deps, f)
	97	}
	98	# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
	99	addtask do_collect_spdx_deps after do_unpack
	100	do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
	101	do_collect_spdx_deps[deptask] = "do_create_spdx"
	102	do_collect_spdx_deps[dirs] = "${SPDXDIR}"
	103
	104	oe.spdx_common.collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
	105	oe.spdx_common.collect_direct_deps[vardeps] += "DEPENDS"
	106	oe.spdx_common.collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
	107	oe.spdx_common.get_patched_src[vardepsexclude] += "STAGING_KERNEL_DIR"