spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM

Define var-SPDX_PACKAGE_URL to provide software_packageUrl field [1][2] in SPDX 3.0 SBOM, support to override with package name SPDX_PACKAGE_URL:<pkgname> Currently, the format of purl is not defined in Yocto, set empty for now until we have a comprehensive plan for what Yocto purls look like. But users could customize their own purl by setting var-SPDX_PACKAGE_URL [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/ [2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/ (From OE-Core rev: c8e6953a0b6f59ffca994c440069db39e60b12d2) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2025-04-28 13:57:17 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-05-08 10:28:18 +0100
commit: 2207150bc74811cce9df72464ce867e6f6b8b3ec (patch)
tree: 42f104bf8d2e08be629bbf23d04793ef61cf8700
parent: 26b1de046e9566ee1156e212ce9b5ba8cd5a12d6 (diff)
download: poky-2207150bc74811cce9df72464ce867e6f6b8b3ec.tar.gz
2 files changed, 13 insertions, 0 deletions
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 044517d9f7..c0a5436ad6 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -117,6 +117,11 @@ SPDX_PACKAGE_VERSION ??= "${PV}"
 SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
    in software_Package"
+SPDX_PACKAGE_URL ??= ""
+SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \
+the package URL string (in accordance with the Package URL specification) for \
+a software Package."
 IMAGE_CLASSES:append = " create-spdx-image-3.0"
 SDK_CLASSES += "create-spdx-sdk-3.0"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index ba965821f8..61d7ba45e3 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -631,6 +631,14 @@ def create_spdx(d):
            set_var_field("SUMMARY", spdx_package, "summary", package=package)
            set_var_field("DESCRIPTION", spdx_package, "description", package=package)
+            if d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL"):
+                set_var_field(
+                    "SPDX_PACKAGE_URL",
+                    spdx_package,
+                    "software_packageUrl",
+                    package=package
+                )
            pkg_objset.new_scoped_relationship(
                [oe.sbom30.get_element_link_id(build)],
                oe.spdx30.RelationshipType.hasOutput,
author	Hongxu Jia <hongxu.jia@windriver.com>	2025-04-28 13:57:17 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-05-08 10:28:18 +0100
commit	2207150bc74811cce9df72464ce867e6f6b8b3ec (patch)
tree	42f104bf8d2e08be629bbf23d04793ef61cf8700
parent	26b1de046e9566ee1156e212ce9b5ba8cd5a12d6 (diff)
download	poky-2207150bc74811cce9df72464ce867e6f6b8b3ec.tar.gz

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 044517d9f7..c0a5436ad6 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass
@@ -117,6 +117,11 @@ SPDX_PACKAGE_VERSION ??= "${PV}"
117	SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \	117	SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
118	in software_Package"	118	in software_Package"
119		119
		120	SPDX_PACKAGE_URL ??= ""
		121	SPDX_PACKAGE_URL[doc] = "Provides a place for the SPDX data creator to record \
		122	the package URL string (in accordance with the Package URL specification) for \
		123	a software Package."
		124
120	IMAGE_CLASSES:append = " create-spdx-image-3.0"	125	IMAGE_CLASSES:append = " create-spdx-image-3.0"
121	SDK_CLASSES += "create-spdx-sdk-3.0"	126	SDK_CLASSES += "create-spdx-sdk-3.0"
122		127


diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index ba965821f8..61d7ba45e3 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -631,6 +631,14 @@ def create_spdx(d):
631	set_var_field("SUMMARY", spdx_package, "summary", package=package)	631	set_var_field("SUMMARY", spdx_package, "summary", package=package)
632	set_var_field("DESCRIPTION", spdx_package, "description", package=package)	632	set_var_field("DESCRIPTION", spdx_package, "description", package=package)
633		633
		634	if d.getVar("SPDX_PACKAGE_URL:%s" % package) or d.getVar("SPDX_PACKAGE_URL"):
		635	set_var_field(
		636	"SPDX_PACKAGE_URL",
		637	spdx_package,
		638	"software_packageUrl",
		639	package=package
		640	)
		641
634	pkg_objset.new_scoped_relationship(	642	pkg_objset.new_scoped_relationship(
635	[oe.sbom30.get_element_link_id(build)],	643	[oe.sbom30.get_element_link_id(build)],
636	oe.spdx30.RelationshipType.hasOutput,	644	oe.spdx30.RelationshipType.hasOutput,