<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes/create-spdx-2.2.bbclass, branch master</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=master</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-11-07T13:31:53+00:00</updated>
<entry>
<title>The poky repository master branch is no longer being updated.</title>
<updated>2025-11-07T13:31:53+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2025-11-07T13:31:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8c22ff0d8b70d9b12f0487ef696a7e915b9e3173'/>
<id>urn:sha1:8c22ff0d8b70d9b12f0487ef696a7e915b9e3173</id>
<content type='text'>
You can either:

a) switch to individual clones of bitbake, openembedded-core, meta-yocto and yocto-docs

b) use the new bitbake-setup

You can find information about either approach in our documentation:
https://docs.yoctoproject.org/

Note that "poky" the distro setting is still available in meta-yocto as
before and we continue to use and maintain that.

Long live Poky!

Some further information on the background of this change can be found
in: https://lists.openembedded.org/g/openembedded-architecture/message/2179

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>create-spdx-2.2: support to override the version of a package in SPDX 2</title>
<updated>2025-07-01T07:49:37+00:00</updated>
<author>
<name>Hongxu Jia</name>
<email>hongxu.jia@windriver.com</email>
</author>
<published>2025-06-25T09:20:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5a6f74d4fc2c9ffad507aabec1779bd46c78ff78'/>
<id>urn:sha1:5a6f74d4fc2c9ffad507aabec1779bd46c78ff78</id>
<content type='text'>
By default, still use ${PV} as the version of a package in SPDX 2

$ echo 'INHERIT:remove = "create-spdx"' &gt;&gt; conf/local.conf
$ echo 'INHERIT += "create-spdx-2.2"' &gt;&gt; conf/local.conf
$ bitbake acl
$ jq . tmp/deploy/spdx/2.2/core2-64/recipes/recipe-acl.spdx.json
...
      "name": "acl",
      "summary": "Utilities for managing POSIX Access Control Lists",
      "supplier": "Organization: OpenEmbedded ()",
      "versionInfo": "2.3.2"
    },
...

Support to override it by setting SPDX_PACKAGE_VERSION, such as
set SPDX_PACKAGE_VERSION = "${EXTENDPKGV}" in local.conf to append
PR to versionInfo in SBOM 2
$ echo 'SPDX_PACKAGE_VERSION = "${EXTENDPKGV}"' &gt;&gt; conf/local.conf
$ bitbake acl
$ jq . tmp/deploy/spdx/2.2/core2-64/recipes/recipe-acl.spdx.json
...
      "name": "acl",
      "summary": "Utilities for managing POSIX Access Control Lists",
      "supplier": "Organization: OpenEmbedded ()",
      "versionInfo": "2.3.2-r0"
    },
...

(From OE-Core rev: 0bd069f526ee0d535477b75a4aa825b4cb589423)

Signed-off-by: Hongxu Jia &lt;hongxu.jia@windriver.com&gt;
Signed-off-by: Antonin Godard &lt;antonin.godard@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>spdx: add option to include only compiled sources</title>
<updated>2025-06-17T22:38:18+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-06-10T15:24:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=33fd6f6e82cf2c9d20a0532d8cfe850280a83051'/>
<id>urn:sha1:33fd6f6e82cf2c9d20a0532d8cfe850280a83051</id>
<content type='text'>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As an example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

Tested with bitbake world on oe-core.

CC: Quentin Schulz &lt;quentin.schulz@cherry.de&gt;
CC: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
CC: Peter Marko &lt;peter.marko@siemens.com&gt;
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>classes/spdx-*.bbclass: move spdx2 specific variables out of spdx-common class</title>
<updated>2025-03-28T11:19:40+00:00</updated>
<author>
<name>Antonin Godard</name>
<email>antonin.godard@bootlin.com</email>
</author>
<published>2025-03-27T13:16:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8c9f86ce0628d257015a472729fd119bc56bf761'/>
<id>urn:sha1:8c9f86ce0628d257015a472729fd119bc56bf761</id>
<content type='text'>
Setting SPDX_ARCHIVE_SOURCES and SPDX_ARCHIVE_PACKAGED makes no
difference when using the spdx-3.0 class. Move these two in the spdx-2.0
class since they are only used there.

(From OE-Core rev: 8ce06538c9cde0f09909a5a2e61ec10b0d35df49)

Signed-off-by: Antonin Godard &lt;antonin.godard@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>classes: create-spdx-2.2: Fix dependency handling</title>
<updated>2025-03-24T17:29:16+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2025-03-21T15:12:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7bbbc92c3b77a12701ad0524dc6d75287efa1927'/>
<id>urn:sha1:7bbbc92c3b77a12701ad0524dc6d75287efa1927</id>
<content type='text'>
The common SPDX code was changed to return a dataclass for dependency
information instead of a namedtuple, but the SPDX 2.2 was missed to
account for this. Correct the SPDX 2.2 code to correctly handle the new
datatype

(From OE-Core rev: 79a03abd37839973996efc957d44614edcbd6b87)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>spdx: Update for bitbake changes</title>
<updated>2025-03-20T13:50:40+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2025-03-18T22:40:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=110b2c124bcc464325fc5cf987cdf95a19b22bd3'/>
<id>urn:sha1:110b2c124bcc464325fc5cf987cdf95a19b22bd3</id>
<content type='text'>
Bitbake is dropping the need for fetcher name iteration and multiple revisions
per url. Update the code to match (removal of the for loop).

(From OE-Core rev: 4859cdf97fd9a260036e148e25f0b78eb393df1e)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>create-spdx: support line numbers</title>
<updated>2025-01-23T12:14:29+00:00</updated>
<author>
<name>Denis OSTERLAND-HEIM</name>
<email>denis.osterland@diehl.com</email>
</author>
<published>2025-01-20T13:04:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f0c5b10901c5416fc29ddb8d06470ab20a9b8b88'/>
<id>urn:sha1:f0c5b10901c5416fc29ddb8d06470ab20a9b8b88</id>
<content type='text'>
LIC_FILES_CHKSUM supports begin-/endline for licenses included in
for instance header files. This patch adds support for line numbers
to NO_GENERIC_LICENSE, too.

(From OE-Core rev: 8e7ee19fc9e74cf042880f4bc317782482ba6f66)

Signed-off-by: Denis Osterland-Heim &lt;denis.osterland@diehl.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
</content>
</entry>
<entry>
<title>create-spdx-{2.2,3.0}: fix do_create_spdx dependency while spdx include sources</title>
<updated>2024-11-01T12:07:12+00:00</updated>
<author>
<name>Hongxu Jia</name>
<email>hongxu.jia@windriver.com</email>
</author>
<published>2024-10-30T05:07:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8f4759806ee868a32a063943059345641eb26f22'/>
<id>urn:sha1:8f4759806ee868a32a063943059345641eb26f22</id>
<content type='text'>
Calling function ${@create_spdx_source_deps(d)} or ${create_spdx_source_deps(d)}
along with addtask is not working; use the task do_create_spdx flag 'depends'
instead

Move function create_spdx_source_deps to spdx-common.bbclass for both of
create-spdx-2.2.bbclass and create-spdx-3.0.bbclass

(From OE-Core rev: dda4b7ccd416ef370634babd150e944f2aa9116e)

Signed-off-by: Hongxu Jia &lt;hongxu.jia@windriver.com&gt;
Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>spdx 3.0: Map gitsm URI to git</title>
<updated>2024-09-30T16:07:18+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>jpewhacker@gmail.com</email>
</author>
<published>2024-09-27T15:51:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=07836a96845bad998a803aedf6b3a6d80445f211'/>
<id>urn:sha1:07836a96845bad998a803aedf6b3a6d80445f211</id>
<content type='text'>
"gitsm" is not a recognized URI protocol (outside of bitbake), so map it
to "git" when writing. This should be OK since we report all of the
submodule source code (if enabled), and it's still possible for 3rd
party analyzers to determine that submodules are in use by looking at
.gitmodules.

The code to do the mapping is moved to a common location so it covers
SPDX 2.2 also

[YOCTO #15582]

(From OE-Core rev: 6ecf89c75b1a74515266085acc5d3621a0fb2fa1)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>sdpx: Avoid loading of SPDX_LICENSE_DATA into global config</title>
<updated>2024-08-07T14:47:15+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2024-08-02T09:26:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a211f058cc3a5673d8e686b9e6e8fcf1e7cd972b'/>
<id>urn:sha1:a211f058cc3a5673d8e686b9e6e8fcf1e7cd972b</id>
<content type='text'>
Loading a load of json files into a memory structure and stashing in a bitbake
variable is relatively anti-social making bitbake -e output hard to read for
example as well as other potential performance issues.

Defer loading of that data until it is actually needed/used in a function
where it is now passed as a parameter.

(From OE-Core rev: 6f21cc9598178288784ff451ab3c40b174c0ef3e)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
