From ceb95cf9c2c6948645bf798e4e9554d955a8c8fb Mon Sep 17 00:00:00 2001
From: Joshua Watt
Date: Wed, 15 Feb 2023 15:13:46 -0600
Subject: classes/create-spdx-2.2: Report downloads as separate packages
Moves the downloaded items from SRC_URI into separate packages in the recipe document. This is much better than the previous implementation because:
1) It can report multiple download locations in SRC_URI, instead of just the first one reported.
2) It prevents the assumption that the source files listed in the recipe are the exact file from the source URL; in particular, files that come from file:// SRC_URI entries, and source files that have been patched were problematic, since these aren't from the upstream source.
3) It allows the checksums to be specified
(From OE-Core rev: 1dd4369b3638637a2cbba2a3c37c6b6f4df335cd)
Signed-off-by: Joshua Watt
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
meta/lib/oe/sbom.py | 4 ++++
meta/lib/oe/spdx.py | 13 +++++++++++++
2 files changed, 17 insertions(+)
(limited to 'meta/lib')
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
index bbf466bbad..22ed5070ea 100644
--- a/meta/lib/oe/sbom.py
+++ b/meta/lib/oe/sbom.py
@@ -14,6 +14,10 @@ def get_recipe_spdxid(d):
 return "SPDXRef-%s-%s" % ("Recipe", d.getVar("PN"))
+def get_download_spdxid(d, idx):
+ return "SPDXRef-Download-%s-%d" % (d.getVar("PN"), idx)
+
+
 def get_package_spdxid(pkg):
 return "SPDXRef-Package-%s" % pkg
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index c74ea68878..7aaf2af5ed 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -216,6 +216,18 @@ class SPDXPackageVerificationCode(SPDXObject):
 class SPDXPackage(SPDXObject):
+ ALLOWED_CHECKSUMS = [
+ "SHA1",
+ "SHA224",
+ "SHA256",
+ "SHA384",
+ "SHA512",
+ "MD2",
+ "MD4",
+ "MD5",
+ "MD6",
+ ]
+
 name = _String()
 SPDXID = _String()
 versionInfo = _String()
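Review bot: `get_download_spdxid` interpolates `PN` straight into the identifier, and SPDX 2.2 only permits letters, digits, `.` and `-` after `SPDXRef-`, so a recipe name carrying a character outside that set (`+` or `_`, for instance) would produce a non-conforming SPDXID that downstream SPDX tooling may reject. The context line `get_recipe_spdxid` has the same construction, so the commit is consistent with the existing convention rather than fixing it; if the caller does not already sanitise `PN`, a small shared helper that maps disallowed characters to `-` would cover both functions. The new function also lacks a docstring; I would add `"""Return the SPDXID for the idx-th SRC_URI download package of recipe PN (presumably indexed by the caller's SRC_URI order)."""`.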
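Review bot: `ALLOWED_CHECKSUMS` is introduced on `SPDXPackage`, but nothing in this hunk or in the `checksums = _ObjectList(SPDXChecksum)` field added by the next hunk of the same file consults it, so an unsupported algorithm name would presumably only surface in a consumer; if enforcement lives in the bbclass outside this diff, a comment pointing there would help the next reader. The list mirrors the SPDX 2.2 checksum algorithm enumeration, which is why MD2–MD6 and SHA1 appear, and it is worth saying so, since none of those give collision resistance and a reader could otherwise take the list as a recommendation — e.g. `# Algorithms accepted by the SPDX 2.2 Checksum enumeration; MD* and SHA1 are listed for spec conformance only, prefer SHA256 or stronger for integrity`. If the attribute is only used for membership tests, a `frozenset` or tuple would also stop accidental mutation of the shared class attribute. The `SPDXPackage` class body continues past the hunk.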
@@ -234,6 +246,7 @@ class SPDXPackage(SPDXObject):
 hasFiles = _StringList()
 packageFileName = _String()
 annotations = _ObjectList(SPDXAnnotation)
+ checksums = _ObjectList(SPDXChecksum)
 class SPDXFile(SPDXObject):
-- cgit v1.2.3-54-g00ecf