diff options
| author | Daniel Turull <daniel.turull@ericsson.com> | 2025-06-19 15:22:57 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-06-20 09:48:15 +0100 |
| commit | 63fb85ec3709ae6899ad82ae4cc6ce00e11e0018 (patch) | |
| tree | 20afbbf326857c50831ca07946b0f7088f17a92a /documentation/ref-manual | |
| parent | 7d68886200255a1e4bf7460ab31cc3e4da2aa93f (diff) | |
| download | poky-63fb85ec3709ae6899ad82ae4cc6ce00e11e0018.tar.gz | |
Add SPDX_INCLUDE_COMPILED_SOURCES documentation
Adding documentation for the new feature to store in SPDX
only the compiled sources.
Merged in oe-core: c6a2f1fca76fae4c3ea471a0c63d0b453beea968
- spdx: add option to include only compiled sources
CC: Antonin Godard <antonin.godard@bootlin.com>
(From yocto-docs rev: 4dbc63ed1381fe47723d6ba5b7baf2a3b7fd19aa)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/ref-manual')
| -rw-r--r-- | documentation/ref-manual/variables.rst | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 65c54f3861..c6ae3fb8bc 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst | |||
| @@ -8762,6 +8762,28 @@ system and gives an overview of their function and contents. | |||
| 8762 | image), compared to just using the :ref:`ref-classes-create-spdx` class | 8762 | image), compared to just using the :ref:`ref-classes-create-spdx` class |
| 8763 | with no option. | 8763 | with no option. |
| 8764 | 8764 | ||
| 8765 | :term:`SPDX_INCLUDE_COMPILED_SOURCES` | ||
| 8766 | This option allows the same as :term:`SPDX_INCLUDE_SOURCES` but including | ||
| 8767 | only the sources used to compile the host tools and the target packages. | ||
| 8768 | While :term:`SPDX_INCLUDE_SOURCES` includes all files in the source | ||
| 8769 | directory as source file descriptions, :term:`SPDX_INCLUDE_COMPILED_SOURCES` | ||
| 8770 | includes only the sources that are used to produce the binaries delivered | ||
| 8771 | as packages. The source files that are not used during compilation are not | ||
| 8772 | included in the SBOM. It uses debugsource information generated during | ||
| 8773 | ``do_package`` to filter out source files. | ||
| 8774 | |||
| 8775 | This enables an external tool to use the SPDX information to disregard | ||
| 8776 | vulnerabilities that are not compiled in the packages. | ||
| 8777 | |||
| 8778 | Enable this option as follows:: | ||
| 8779 | |||
| 8780 | SPDX_INCLUDE_COMPILED_SOURCES = "1" | ||
| 8781 | |||
| 8782 | According to our tests, building ``core-image-minimal`` for the | ||
| 8783 | ``qemux86-64`` machine, enabling this option compared with the | ||
| 8784 | :term:`SPDX_INCLUDE_SOURCES` reduces the size of the ``tmp/deploy/spdx`` | ||
| 8785 | directory from 2GB to 1.6GB. | ||
| 8786 | |||
| 8765 | :term:`SPDX_NAMESPACE_PREFIX` | 8787 | :term:`SPDX_NAMESPACE_PREFIX` |
| 8766 | This option could be used in order to change the prefix of ``spdxDocument`` | 8788 | This option could be used in order to change the prefix of ``spdxDocument`` |
| 8767 | and the prefix of ``documentNamespace``. It is set by default to | 8789 | and the prefix of ``documentNamespace``. It is set by default to |