| author | Daniel Turull <daniel.turull@ericsson.com> | 2025-06-19 10:47:36 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-07-07 07:42:58 -0700 |
| commit | 2366605a35443565e259d03791d7b662c6ea03e2 (patch) | |
| tree | 96c219df0c6c47d1bf0342b4bfbc39bcee4d682f /meta/classes/create-spdx-2.2.bbclass | |
| parent | 5b7a6dec8542968b5062e4da407e322dda50326b (diff) | |
| download | poky-2366605a35443565e259d03791d7b662c6ea03e2.tar.gz | |
spdx: add option to include only compiled sources
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.
It uses debugsource information generated during do_package.
This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.
As an example, when used with the default configuration of linux-yocto, the SPDX size is
reduced from 156MB to 61MB.
Tested with bitbake world on oe-core.
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for create-spdx-2.2
CC: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
CC: Joshua Watt <JPEWhacker@gmail.com>
(From OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/classes/create-spdx-2.2.bbclass')
| -rw-r--r-- | meta/classes/create-spdx-2.2.bbclass | 12 |
1 files changed, 12 insertions, 0 deletions
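--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -100,6 +100,9 @@ python() {
     # Transform the license array to a dictionary
     data["licenses"] = {l["licenseId"]: l for l in data["licenses"]}
     d.setVar("SPDX_LICENSE_DATA", data)
+
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
 }
 
 def convert_license_to_spdx(lic, document, d, existing={}):
@@ -215,6 +218,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
     spdx_files = []
 
     file_counter = 1
+
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
     for subdir, dirs, files in os.walk(topdir):
         dirs[:] = [d for d in dirs if d not in ignore_dirs]
         if subdir == str(topdir):
@@ -225,6 +233,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
             filename = str(filepath.relative_to(topdir))
 
             if not filepath.is_symlink() and filepath.is_file():
+                # Check if file is compiled
+                if check_compiled_sources:
+                    if not oe.spdx.is_compiled_source(filename, compiled_sources, types):
+                        continue
                 spdx_file = oe.spdx.SPDXFile()
                 spdx_file.SPDXID = get_spdxid(file_counter)
                 for t in get_types(filepath):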
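Review bot: The compiled-source filter set up at new lines 222-225 and applied at 236-239 runs for every caller of add_package_files, not only for the source-tree walk that SPDX_INCLUDE_SOURCES enables, so whether non-source files in other walked trees survive depends entirely on oe.spdx.is_compiled_source, which is outside this diff and worth confirming. Because the allow-list is derived from debugsource data produced in do_package, source files built without debug information will be absent from the resulting SPDX document, which matters when the output is consumed for vulnerability triage as the description intends; a comment at new line 222 would make that limitation explicit: `# Allow-list comes from debugsource info collected in do_package; sources built without debug info are not listed.` The new local `types` also shadows the stdlib module name if the file imports it elsewhere; `source_types` would avoid the ambiguity. add_package_files starts and ends outside these hunks.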
