summaryrefslogtreecommitdiffstats
path: root/meta/lib/oe/sbom.py
Commit message (Collapse)AuthorAgeFilesLines
* create-spdx/sbom: Ensure files don't overlap between machinesRichard Purdie2023-09-221-7/+27
| | | | | | | | | | | | | | | | | | | | | | Currently the by-id and by-namespace SPDX files are created without reference to PACKAGE_ARCH. This means that for two machines using a common package architecture (e.g. genericx86-64 and qqemux86-64), there would be overlapping files. This means that the build of one can remove files from the other leading to build failures. An example would be: MACHINE=qemux86-64 bitbake core-image-minimal MACHINE=genericx86-64 bitbake core-image-minimal MACHINE=qemux86-64 bitbake linux-yocto -c clean MACHINE=genericx86-64 bitbake core-image-minimal -C rootfs To fix this, add PACKAGE_ARCH to the path used for the files and use a search path based upon PACKAGE_ARCHS to access them. (From OE-Core rev: b2db10e966438071d00d2057b84d5f347613d841) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx-2.2: Use hashfn from BB_TASKDEPDATA instead of MACHINEJoshua Watt2023-06-021-3/+19
| | | | | | | | | | | | | | | Enabling the SPDX class and running two builds, one with SDKMACHINE=i686 and then again with SDKMACHINE=x86_64 would lead to errors since the output was stored per MACHINE and the overlapping files would cause manifest errors. The hashfn data from bitbake has SSTATE_PKGARCH encoded into it which is how sstate separates out it's targets and SDPX should be using the same structure. Therefore switch to using this. (From OE-Core rev: 51049cde0cf477f7988b94c1041eb33b018a669f) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx-2.2: Report downloads as separate packagesJoshua Watt2023-02-191-0/+4
| | | | | | | | | | | | | | | | | | | | Moves the downloaded items from SRC_URI into separate packages in the recipe document. This is much better than the previous implementation because: 1) It can report multiple download locations in SRC_URI, instead of just the first one reported. 2) It prevents the assumption that the source files listed in the recipe are the exact file from the source URL; in particular, files that come from file:// SRC_URI entries, and source files that have been patched were problematic, since these aren't from the upstream source. 3) It allows the checksums to be specified (From OE-Core rev: 1dd4369b3638637a2cbba2a3c37c6b6f4df335cd) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: Add copyright statements to files without oneRichard Purdie2022-08-121-0/+2
| | | | | | | | | Where there isn't a copyright statement, add one to make it explicit. Also add license identifiers as MIT if there isn't one. (From OE-Core rev: bb731d1f3d2a1d50ec0aed864dbca54cf795b040) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add SPDX_PRETTY optionJoshua Watt2022-06-151-2/+2
| | | | | | | | | | | Adds an option to make the SPDX more human-readable (at the expense of a larger files) (From OE-Core rev: 4799594b26f77ed259dc661bf077519b338390c8) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* create-spdx: add support for SDKsAndres Beltran2022-02-251-0/+4
| | | | | | | | | | Currently, SPDX SBOMs are only created for images. Add support for SDKs. (From OE-Core rev: c3acbb936a339636153903daf127eec9f36de79b) Signed-off-by: Andres Beltran <abeltran@linux.microsoft.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add runtime dependency mappingJoshua Watt2021-09-031-2/+3
| | | | | | | (From OE-Core rev: 82f3229bce41dc101c79865033432161dac269d8) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add SHA1 to index fileJoshua Watt2021-09-031-3/+13
| | | | | | | (From OE-Core rev: ebfe78ad26b643ce0fb22ba5b3ede43da4a78987) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* classes/create-spdx: Add classJoshua Watt2021-09-031-0/+63
Adds a class as a first attempt to create SPDX SBoM documents during the build. This initial work was influenced by [meta-doubleopen][1], although almost completely rewritten. [1]: https://github.com/doubleopen-project/meta-doubleopen (From OE-Core rev: 78c79821ae7e2f060b9a74ea9aefce98102bb00e) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-12 14:33:30 +0000