<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/lib/oe/spdx30_tasks.py, branch scarthgap</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2026-05-04T12:57:30+00:00</updated>
<entry>
<title>spdx30_tasks: fix condition in create_spdx</title>
<updated>2026-05-04T12:57:30+00:00</updated>
<author>
<name>João Marcos Costa (Schneider Electric)</name>
<email>joaomarcos.costa@bootlin.com</email>
</author>
<published>2026-04-02T09:34:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=1f07faf3dce25bfcaf2c5c8f6652934baeed4db3'/>
<id>urn:sha1:1f07faf3dce25bfcaf2c5c8f6652934baeed4db3</id>
<content type='text'>
Considering that *detail* is an actual variable, not a string, remove the
quotes to make the 'in' statement coherent.

(From OE-Core rev: 8071a93c6b619dc9fcc2a7f1bcf94994499defbe)

Signed-off-by: João Marcos Costa (Schneider Electric) &lt;joaomarcos.costa@bootlin.com&gt;
Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>spdx: add option to include only compiled sources</title>
<updated>2026-04-02T12:41:54+00:00</updated>
<author>
<name>João Marcos Costa (Schneider Electric)</name>
<email>joaomarcos.costa@bootlin.com</email>
</author>
<published>2026-03-23T09:22:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8cde17408f644e99b37496121d8f0171375ae0e7'/>
<id>urn:sha1:8cde17408f644e99b37496121d8f0171375ae0e7</id>
<content type='text'>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0

Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check

Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b

(From OE-Core rev: 1c7dfab26d69a87bb026e05b3bbf6a266858c0d1)

Signed-off-by: João Marcos Costa (Schneider Electric) &lt;joaomarcos.costa@bootlin.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: Exclude 'doc' when exporting PACKAGECONFIG to SPDX</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2026-02-09T16:25:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c4da6ca1c2e5d3bdbc78b9e9779071eb50efda71'/>
<id>urn:sha1:c4da6ca1c2e5d3bdbc78b9e9779071eb50efda71</id>
<content type='text'>
Currently when generating an SBOM, all packages have the 'doc' feature
indicated as disabled. This is in fact *not* a feature that was
declared in the recipe, but instead the documentation of the
PACKAGECONFIG variable.

But to be safe, if somehow a feature is named 'doc' and enabled, do
not exclude it when exporting PACKAGECONFIG features to SPDX.

(From OE-Core rev: 87de87206b71bb165b946d5f4f6e9e5395292179)

Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 933394adcb0d2db66ef7e0656a464241e58ec2e7)
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX</title>
<updated>2025-12-31T15:49:31+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-12-15T15:54:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=707dce4f01527b23e775ec31282e94c3a74e71da'/>
<id>urn:sha1:707dce4f01527b23e775ec31282e94c3a74e71da</id>
<content type='text'>
Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
PACKAGECONFIG features to be recorded in the SPDX document as build parameters.

Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG:&lt;feature&gt;
and value enabled or disabled, depending on whether the feature is active in
the current build.

This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking.

This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking. In particular, it allows consumers of the
SBOM to identify enabled/disabled features that may affect security posture
or feature set.

Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
(From OE-Core rev: 5cfd0690f819379d9f97c86d2078c3e529efe385)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx30: provide all CVE_STATUS, not only Patched status</title>
<updated>2025-12-01T15:34:55+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2025-11-21T09:54:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=976648aa6087a8bd815bf9b1e2bae3d1e8f3600b'/>
<id>urn:sha1:976648aa6087a8bd815bf9b1e2bae3d1e8f3600b</id>
<content type='text'>
In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns
CVEs with a "Patched" status. We want to retrieve all annotations,
including those with an "Ignored" status. Therefore, to avoid modifying
the current API, we integrate the logic for retrieving all CVE_STATUS
values ​​directly into `spdx30_task`.

(From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7)

Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>Revert "spdx: Update for bitbake changes"</title>
<updated>2025-12-01T15:34:54+00:00</updated>
<author>
<name>Kai Kang</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2025-11-24T13:55:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=91ba7b5d6613c8ea493c9eb7e592c30d5a0bf335'/>
<id>urn:sha1:91ba7b5d6613c8ea493c9eb7e592c30d5a0bf335</id>
<content type='text'>
This reverts part of commit 4859cdf97fd9a260036e148e25f0b78eb393df1e.

Modification of meta/classes/create-spdx-2.2.bbclass is not backported,
so no need to consider it.

In the commit, it updates spdx according to bitbake change. But the
bitbake commit

* 2515fbd10 fetch: Drop multiple branch/revision support for single git urls

doesn't backport for scarthgap.

So revert the other parts of the commit 4859cdf97fd9a260036e148e25f0b.

(From OE-Core rev: f3bfb98d1cf928678d9931308c116e9e6ec64ba5)

Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM</title>
<updated>2025-11-26T15:50:35+00:00</updated>
<author>
<name>Hongxu Jia</name>
<email>hongxu.jia@windriver.com</email>
</author>
<published>2025-11-18T12:09:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e77289e9a4c9960fad9cf15ff9ac8787a6c350aa'/>
<id>urn:sha1:e77289e9a4c9960fad9cf15ff9ac8787a6c350aa</id>
<content type='text'>
Define var-SPDX_PACKAGE_URL to provide software_packageUrl field [1][2]
in SPDX 3.0 SBOM, support to override with package name
SPDX_PACKAGE_URL:&lt;pkgname&gt;

Currently, the format of purl is not defined in Yocto, set empty for now
until we have a comprehensive plan for what Yocto purls look like.
But users could customize their own purl by setting var-SPDX_PACKAGE_URL

[1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/
[2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/

(From OE-Core rev: c8e6953a0b6f59ffca994c440069db39e60b12d2)

(From OE-Core rev: 60724efdb3a243bc796b390ad0c478584a0fb7fa)

Signed-off-by: Hongxu Jia &lt;hongxu.jia@windriver.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx30: fix cve status for patch files in VEX</title>
<updated>2025-11-26T15:50:35+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-11-18T12:08:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c06e4e6e609892f3c121893a0e02e9765bafcaff'/>
<id>urn:sha1:c06e4e6e609892f3c121893a0e02e9765bafcaff</id>
<content type='text'>
This commit fixes commit 08595b39b46ef2bf3a928d4528292ee31a990c98
which adapts vex creation between function create_spdx where all changes
were backported and funtion get_patched_cves where changes were not
backported.

CVE patches were previously ignored as they cannot be decoded from
CVE_STATUS variables and each caused a warning like:
WARNING: ncurses-native-6.4-r0 do_create_spdx: Skipping CVE-2023-50495 — missing or unknown CVE status

Master branch uses fix-file-included for CVE patches however since
cve-check-map.conf was not part of spdx-3.0 backport, closest one
available (backported-patch) was implemented.

(From OE-Core rev: 8d14b2bb02861612130f02c445392f34090ba5d9)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: adapt CVE handling to new cve-check API</title>
<updated>2025-11-14T14:45:30+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-11-07T13:14:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5b74a8f1a54d62d2cf2330bef6ffad3508540a91'/>
<id>urn:sha1:5b74a8f1a54d62d2cf2330bef6ffad3508540a91</id>
<content type='text'>
Changes to cve-check (see poky commit fb3f440b7d8,
"cve-check: annotate CVEs during analysis") modified the
get_patched_cves() API to return a set of CVE IDs instead of a
dictionary of CVE metadata.

The SPDX 3 backport still expected a dictionary and attempted to call
.items(), leading to:

    AttributeError: 'set' object has no attribute 'items'

This patch updates the SPDX3 code to iterate directly over the CVE IDs
and use `oe.cve_check.decode_cve_status()` to retrieve the mapping,
detail, and description for each CVE. This restores compatibility with
the updated CVE API and matches the behavior of SPDX3 handling on
Walnascar.

A warning is logged if a CVE has missing or unknown status.

(From OE-Core rev: 55fdeea44ffbecb705f7900bfa85ab88e1191878)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: fix FetchData attribute in add_download_files</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-11-07T13:14:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b16bf27386d3a411f452908c913aaf2335be0f22'/>
<id>urn:sha1:b16bf27386d3a411f452908c913aaf2335be0f22</id>
<content type='text'>
The add_download_files() function incorrectly accessed fd.name, which
does not exist on FetchData objects.

Change to use fd.names[0] to correctly retrieve the first filename.

This fixes AttributeError during SPDX document generation.

(From OE-Core rev: 17031d71cf4bc4fc19dd8a41c49b94e1f6a1edee)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
