path: root/meta/classes/create-spdx.bbclass
Commit message | Author | Age | Files | Lines
* create-spdx: Fix key errors in do_create_runtime_spdx | Andres Beltran | 2021-11-21 | 1 | -0/+3
    Currently, the do_create_runtime_spdx task fails with a Key Error if a dependency is not contained in the package providers dictionary. Add a check before using "dep" as a key in "providers".

    (From OE-Core rev: 140ce5ef5e8f10251091660e3ef76f315f409076)

    Signed-off-by: Andres Beltran <abeltran@linux.microsoft.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: Protect against None from LICENSE_PATH | Saul Wold | 2021-11-21 | 1 | -2/+1
    If LICENSE_PATH is not set, then the split() will fail on a NoneType.

    (From OE-Core rev: d6260decae6d2654f6e058f12ca02d582a8ef5a4)

    Signed-off-by: Saul Wold <saul.wold@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create_spdx: ensure is_work_shared() is unique | Saul Wold | 2021-11-21 | 1 | -7/+5
    There is a function with the same name is_work_shared() in the archiver class; this causes a conflict when both classes are included.

    Use work-shared as the check in WORKDIR to allow for other packages beyond the kernel and gcc that use a common shared-work source directory.

    (From OE-Core rev: 18eab77ee65c73b17225e69c7ba446ab1c69fa92)

    Signed-off-by: Saul Wold <saul.wold@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: Set the Organization field via a variable | Andres Beltran | 2021-11-05 | 1 | -4/+6
    Currently, the "Organization" field for SBOMs is hard-coded in create-spdx. Create a new variable SPDX_ORG to make this field more generic.

    (From OE-Core rev: f239814f3f5d9bd54de54b0f2a5081067336e32b)

    Signed-off-by: Andres Beltran <abeltran@linux.microsoft.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: cross recipes are native also | Saul Wold | 2021-10-28 | 1 | -2/+2
    Recipes that inherit cross should also be categorized as isNative

    (From OE-Core rev: ee113e3894deb1cfb18622085a3fe0600e1ef01d)

    Signed-off-by: Saul Wold <saul.wold@windriver.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: add create_annotation function | Saul Wold | 2021-10-28 | 1 | -6/+12
    This allows code reuse and future usage with relationship annotations

    (From OE-Core rev: 1f8fdb7dc9d02d0ee3c42674ca16e03f0ec18cba)

    Signed-off-by: Saul Wold <saul.wold@windriver.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: Use SPDXAnnotation to track native recipes | Saul Wold | 2021-09-28 | 1 | -2/+19
    Create a small function that checks for 'isNative' as part of an Annotation.

    When the collect_dep_sources() runs, it collects sources from both native and non-native recipes. Later when the GENERATED_FROM matching occurs it may find the file (via checksum) from the native recipe since it's the same checksum as the target file. The DocumentRefs that are generated point to the native recipe rather than the target recipe DocumentRef.

    (From OE-Core rev: ba5ec03986a0bce8dccbc381fd34e44b8a135e66)

    Signed-off-by: Saul Wold <saul.wold@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx.bbclass: Search all license directories for licenses | Peter Kjellerstedt | 2021-09-16 | 1 | -5/+8
    Before, even if the code was seemingly written to search through all licenses in ${COMMON_LICENSE_DIR} and ${LICENSE_PATH}, it would actually bail out after only searching ${COMMON_LICENSE_DIR} due to the exception handling.

    Also refrain from using f-strings.

    (From OE-Core rev: f58d54b31a1ddb4e60eb07365bfb7dfe78ed56af)

    Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: handle CLOSED license | Ross Burton | 2021-09-10 | 1 | -0/+3
    The special CLOSED license means that this is closed source code with no other licensing assertions. It's not a generic license in oe-core, and not a SPDX license, so transform it to NONE explicitly.

    (From OE-Core rev: b71bfba1b5076ad1b9a10c08ef0e3393ccbed92a)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: remove trailing comma | Saul Wold | 2021-09-08 | 1 | -1/+1
    The trailing comma turns ref_id into an object instead of a string when added to the relationship table.

    (From OE-Core rev: ec20e1a0e0ba61a7615b361bfc9d9dc58a91f9b3)

    Signed-off-by: Saul Wold <saul.wold@windriver.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: don't duplicate license texts in each package | Ross Burton | 2021-09-04 | 1 | -11/+14
    Instead of putting the full license text for non-SPDX licenses into the recipe and every package, use links to the recipe from the packages if possible.

    (From OE-Core rev: 9220d35dc9071ebbe991117af8261ad99f321bb3)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: embed unknown license texts | Ross Burton | 2021-09-04 | 1 | -14/+37
    For licenses which are not known to SPDX, find and embed the actual license text in an ExtractedLicensingInfo block.

    (From OE-Core rev: c638f4ae579520cab8cf30e1b4306bd0e2d2a788)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: remove redundant test | Ross Burton | 2021-09-04 | 1 | -3/+0
    add_extracted_document() is only called if the license isn't known to SPDX, so there's no need to check again.

    (From OE-Core rev: 03f084251510c810c8434d9ddd459187827c1ca8)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: transform license list into a dict for faster lookups | Ross Burton | 2021-09-04 | 1 | -7/+8
    spdx-licenses.json contains an array of licenses objects. As we'll be searching it often, convert that to a dictionary when we parse it.

    (From OE-Core rev: 3405d9114ca9fe4ba820e0025c91670d1a5150b1)

    Signed-off-by: Ross Burton <ross.burton@arm.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Comment out placeholder license warning | Joshua Watt | 2021-09-03 | 1 | -1/+2
    We don't want this warning causing problems on the AB, so leave it commented out for now

    (From OE-Core rev: d41018311abf91899645b8f3160db540abdb5398)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Skip package processing for native recipes | Joshua Watt | 2021-09-03 | 1 | -129/+134
    Native recipes do not produce packages and should not process them, otherwise it can trigger an error in read_subpackage_metadata

    (From OE-Core rev: ea077b1ff6a4ccd5241a085bf9a3f67011e0f7bf)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Collect all task dependencies | Joshua Watt | 2021-09-03 | 1 | -2/+1
    Stop filtering the runtime dependencies based on do_create_spdx (makes it only pick up things in DEPENDS) and instead include all task dependencies that are not the current PN. This allows other dependency methods to be picked up correctly, for example the dependency on the kernel used by kernel modules.

    (From OE-Core rev: c9659562cf88a820c668ff1eb20814dcb4829392)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add special exception for Public Domain license | Joshua Watt | 2021-09-03 | 1 | -12/+21
    The Public Domain license (PD) needs a special exception in the license processing since there is no common license text to be extracted for these licenses.

    (From OE-Core rev: fe5b757712aa99ff1ff10d2304ac320100635200)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Fix file:// in downloadLocation | Joshua Watt | 2021-09-03 | 1 | -3/+6
    file:// URIs should not be included as the downloadLocation. Instead, loop until a non-file:// URI is found, or set the location to NOASSERTION if none is found

    (From OE-Core rev: 19c61ec3986213b336d965d90b1329085e7d6179)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Speed up hash calculations | Joshua Watt | 2021-09-03 | 1 | -33/+16
    Use the bb.utils.sha* utilities to hash files since they are much faster than the loops we were rolling ourselves

    (From OE-Core rev: a6d9de5350937c7e25899491db59f473345f0b69)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Fix up license reporting | Joshua Watt | 2021-09-03 | 1 | -8/+47
    Licenses reported in the SPDX documents should be either:
     A) A valid SPDX identifier cross referenced from the SPDX license database
     B) A "LicenseRef" to a license described in the SPDX document

    The licensing code will now add a placeholder extracted license with corresponding "LicenseRef" for any licenses that are not matched to the SPDX database

    Parentheses in the license expression are now handled correctly

    (From OE-Core rev: 28d9d035c0ff8fcaf28bc96a976a43a602a47e94)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: extend DocumentRef to include name | Saul Wold | 2021-09-03 | 1 | -2/+2
    This will create a more unique DocumentRef, which will allow the individual spdx files to be merged into a single SBOM file reflecting the image.

    Do the same with the runtime dependencies also

    (From OE-Core rev: df7c88a48621d32c02f328eedc314f10d475b758)

    Signed-off-by: Saul Wold <saul.wold@windriver.com>
    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Fix another creator | Joshua Watt | 2021-09-03 | 1 | -2/+2
    Fixes another creator that was missed earlier

    (From OE-Core rev: 046c05fec9fc5162d7a14971ed1402d86605d229)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add NOASSERTION for unknown debug sources | Joshua Watt | 2021-09-03 | 1 | -20/+16
    If a debug source cannot be found, mark it as NOASSERTION so that other tools at least know we were unable to locate it.

    (From OE-Core rev: 0e6bdd3f208c50153087c2baca67e9fd64a458d0)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add runtime dependency mapping | Joshua Watt | 2021-09-03 | 1 | -1/+178
    (From OE-Core rev: 82f3229bce41dc101c79865033432161dac269d8)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add index to DEPLOYDIR | Joshua Watt | 2021-09-03 | 1 | -2/+11
    Add the index to DEPLOYDIR in addition to adding it to the SPDX archive

    (From OE-Core rev: 374dc08c0f22e98a267676f71308592d17f77d64)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add SHA1 to index file | Joshua Watt | 2021-09-03 | 1 | -1/+2
    (From OE-Core rev: ebfe78ad26b643ce0fb22ba5b3ede43da4a78987)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Change creator | Joshua Watt | 2021-09-03 | 1 | -6/+6
    Update the creator name since this no longer lives in meta-doubleopen

    (From OE-Core rev: 6fdea64ef53eb4de3d0e58e70ae6b391fdff6cd0)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add class | Joshua Watt | 2021-09-03 | 1 | -0/+679
    Adds a class as a first attempt to create SPDX SBoM documents during the build. This initial work was influenced by [meta-doubleopen][1], although almost completely rewritten.

    [1]: https://github.com/doubleopen-project/meta-doubleopen

    (From OE-Core rev: 78c79821ae7e2f060b9a74ea9aefce98102bb00e)

    Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>