diff options
| author | Daniel Turull <daniel.turull@ericsson.com> | 2025-06-10 17:24:42 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-06-17 23:38:18 +0100 |
| commit | 33fd6f6e82cf2c9d20a0532d8cfe850280a83051 (patch) | |
| tree | 91084d1320c8a0490f4cbca974b508c6d6eadaf8 /meta/classes/create-spdx-2.2.bbclass | |
| parent | 5132c991e648d9ae8a6701d9da9e80bec65f0d25 (diff) | |
| download | poky-33fd6f6e82cf2c9d20a0532d8cfe850280a83051.tar.gz | |
spdx: add option to include only compiled sources
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.
It uses debugsource information generated during do_package.
This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.
As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.
Tested with bitbake world on oe-core.
CC: Quentin Schulz <quentin.schulz@cherry.de>
CC: Joshua Watt <JPEWhacker@gmail.com>
CC: Peter Marko <peter.marko@siemens.com>
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/create-spdx-2.2.bbclass')
| -rw-r--r-- | meta/classes/create-spdx-2.2.bbclass | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 7e8f8b9ff5..6fc60a1d97 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass | |||
| @@ -137,6 +137,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv | |||
| 137 | spdx_files = [] | 137 | spdx_files = [] |
| 138 | 138 | ||
| 139 | file_counter = 1 | 139 | file_counter = 1 |
| 140 | |||
| 141 | check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1" | ||
| 142 | if check_compiled_sources: | ||
| 143 | compiled_sources, types = oe.spdx_common.get_compiled_sources(d) | ||
| 144 | bb.debug(1, f"Total compiled files: {len(compiled_sources)}") | ||
| 140 | for subdir, dirs, files in os.walk(topdir): | 145 | for subdir, dirs, files in os.walk(topdir): |
| 141 | dirs[:] = [d for d in dirs if d not in ignore_dirs] | 146 | dirs[:] = [d for d in dirs if d not in ignore_dirs] |
| 142 | if subdir == str(topdir): | 147 | if subdir == str(topdir): |
| @@ -147,6 +152,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv | |||
| 147 | filename = str(filepath.relative_to(topdir)) | 152 | filename = str(filepath.relative_to(topdir)) |
| 148 | 153 | ||
| 149 | if not filepath.is_symlink() and filepath.is_file(): | 154 | if not filepath.is_symlink() and filepath.is_file(): |
| 155 | # Check if file is compiled | ||
| 156 | if check_compiled_sources: | ||
| 157 | if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types): | ||
| 158 | continue | ||
| 150 | spdx_file = oe.spdx.SPDXFile() | 159 | spdx_file = oe.spdx.SPDXFile() |
| 151 | spdx_file.SPDXID = get_spdxid(file_counter) | 160 | spdx_file.SPDXID = get_spdxid(file_counter) |
| 152 | for t in get_types(filepath): | 161 | for t in get_types(filepath): |