Add SPDX_INCLUDE_COMPILED_SOURCES documentation

Adding documentation for the new feature to store in SPDX only the compiled sources. Merged in oe-core: c6a2f1fca76fae4c3ea471a0c63d0b453beea968 - spdx: add option to include only compiled sources CC: Antonin Godard <antonin.godard@bootlin.com> (From yocto-docs rev: 4dbc63ed1381fe47723d6ba5b7baf2a3b7fd19aa) Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Daniel Turull <daniel.turull@ericsson.com> 2025-06-19 15:22:57 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-06-20 09:48:15 +0100
commit: 63fb85ec3709ae6899ad82ae4cc6ce00e11e0018 (patch)
tree: 20afbbf326857c50831ca07946b0f7088f17a92a /documentation
parent: 7d68886200255a1e4bf7460ab31cc3e4da2aa93f (diff)
download: poky-63fb85ec3709ae6899ad82ae4cc6ce00e11e0018.tar.gz
2 files changed, 25 insertions, 0 deletions
diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst
index e6806ce929..ca0fc8b9d6 100644
--- a/documentation/dev-manual/sbom.rst
+++ b/documentation/dev-manual/sbom.rst
@@ -60,6 +60,9 @@ more information in the output :term:`SPDX` data:
 -  Add a description of the source files used to generate host tools and target
   packages (:term:`SPDX_INCLUDE_SOURCES`)
+-  Add a description of the **compiled** source files used to generate host tools
+   and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`)
 -  Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
 Though the toplevel :term:`SPDX` output is available in
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 65c54f3861..c6ae3fb8bc 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -8762,6 +8762,28 @@ system and gives an overview of their function and contents.
      image), compared to just using the :ref:`ref-classes-create-spdx` class
      with no option.
+   :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+      This option allows the same as :term:`SPDX_INCLUDE_SOURCES` but including
+      only the sources used to compile the host tools and the target packages.
+      While :term:`SPDX_INCLUDE_SOURCES` includes all files in the source
+      directory as source file descriptions, :term:`SPDX_INCLUDE_COMPILED_SOURCES`
+      includes only the sources that are used to produce the binaries delivered
+      as packages. The source files that are not used during compilation are not
+      included in the SBOM. It uses debugsource information generated during
+      ``do_package`` to filter out source files.
+      This enables an external tool to use the SPDX information to disregard
+      vulnerabilities that are not compiled in the packages.
+      Enable this option as follows::
+         SPDX_INCLUDE_COMPILED_SOURCES = "1"
+      According to our tests, building ``core-image-minimal`` for the
+      ``qemux86-64`` machine, enabling this option compared with the
+      :term:`SPDX_INCLUDE_SOURCES` reduces the size of the  ``tmp/deploy/spdx``
+      directory from 2GB to 1.6GB.
   :term:`SPDX_NAMESPACE_PREFIX`
      This option could be used in order to change the prefix of ``spdxDocument``
      and the prefix of ``documentNamespace``. It is set by default to
author	Daniel Turull <daniel.turull@ericsson.com>	2025-06-19 15:22:57 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-06-20 09:48:15 +0100
commit	63fb85ec3709ae6899ad82ae4cc6ce00e11e0018 (patch)
tree	20afbbf326857c50831ca07946b0f7088f17a92a /documentation
parent	7d68886200255a1e4bf7460ab31cc3e4da2aa93f (diff)
download	poky-63fb85ec3709ae6899ad82ae4cc6ce00e11e0018.tar.gz

diff --git a/documentation/dev-manual/sbom.rst b/documentation/dev-manual/sbom.rst index e6806ce929..ca0fc8b9d6 100644 --- a/documentation/dev-manual/sbom.rst +++ b/documentation/dev-manual/sbom.rst
@@ -60,6 +60,9 @@ more information in the output :term:`SPDX` data:
60	- Add a description of the source files used to generate host tools and target	60	- Add a description of the source files used to generate host tools and target
61	packages (:term:`SPDX_INCLUDE_SOURCES`)	61	packages (:term:`SPDX_INCLUDE_SOURCES`)
62		62
		63	- Add a description of the compiled source files used to generate host tools
		64	and target packages (:term:`SPDX_INCLUDE_COMPILED_SOURCES`)
		65
63	- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).	66	- Add archives of these source files themselves (:term:`SPDX_ARCHIVE_SOURCES`).
64		67
65	Though the toplevel :term:`SPDX` output is available in	68	Though the toplevel :term:`SPDX` output is available in


diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 65c54f3861..c6ae3fb8bc 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst
@@ -8762,6 +8762,28 @@ system and gives an overview of their function and contents.
8762	image), compared to just using the :ref:`ref-classes-create-spdx` class	8762	image), compared to just using the :ref:`ref-classes-create-spdx` class
8763	with no option.	8763	with no option.
8764		8764
		8765	:term:`SPDX_INCLUDE_COMPILED_SOURCES`
		8766	This option allows the same as :term:`SPDX_INCLUDE_SOURCES` but including
		8767	only the sources used to compile the host tools and the target packages.
		8768	While :term:`SPDX_INCLUDE_SOURCES` includes all files in the source
		8769	directory as source file descriptions, :term:`SPDX_INCLUDE_COMPILED_SOURCES`
		8770	includes only the sources that are used to produce the binaries delivered
		8771	as packages. The source files that are not used during compilation are not
		8772	included in the SBOM. It uses debugsource information generated during
		8773	``do_package`` to filter out source files.
		8774
		8775	This enables an external tool to use the SPDX information to disregard
		8776	vulnerabilities that are not compiled in the packages.
		8777
		8778	Enable this option as follows::
		8779
		8780	SPDX_INCLUDE_COMPILED_SOURCES = "1"
		8781
		8782	According to our tests, building ``core-image-minimal`` for the
		8783	``qemux86-64`` machine, enabling this option compared with the
		8784	:term:`SPDX_INCLUDE_SOURCES` reduces the size of the ``tmp/deploy/spdx``
		8785	directory from 2GB to 1.6GB.
		8786
8765	:term:`SPDX_NAMESPACE_PREFIX`	8787	:term:`SPDX_NAMESPACE_PREFIX`
8766	This option could be used in order to change the prefix of ``spdxDocument``	8788	This option could be used in order to change the prefix of ``spdxDocument``
8767	and the prefix of ``documentNamespace``. It is set by default to	8789	and the prefix of ``documentNamespace``. It is set by default to