backport: SPDX 3.0 fixes and tasks from upstream version Walnascar

Backports the SPDX 3.0 support and fixes from upstream walnascar commit 49f47169953b807d430461ca33f3a2b076119712 into upstream scarthgap. (From OE-Core rev: 9c9b9545049a2f6e5c99edcb079275d29a4d1ac6) Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com> 2025-11-07 14:14:35 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-11-14 06:45:29 -0800
commit: 11cd8498da86c61366e8701a8a49d60120c85248 (patch)
tree: cdec6b8c60c78687612dea2f0b61e81d22dbfdc7 /meta/classes
parent: d101e1410d05ba8faede730214db99c31476f733 (diff)
download: poky-11cd8498da86c61366e8701a8a49d60120c85248.tar.gz
2 files changed, 299 insertions, 0 deletions
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
new file mode 100644
index 0000000000..044517d9f7
--- /dev/null
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -0,0 +1,200 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+inherit spdx-common
+SPDX_VERSION = "3.0.1"
+# The list of SPDX profiles generated documents will conform to
+SPDX_PROFILES ?= "core build software simpleLicensing security"
+SPDX_INCLUDE_BUILD_VARIABLES ??= "0"
+SPDX_INCLUDE_BUILD_VARIABLES[doc] = "If set to '1', the bitbake variables for a \
+    recipe will be included in the Build object. This will most likely result \
+    in non-reproducible SPDX output"
+SPDX_INCLUDE_BITBAKE_PARENT_BUILD ??= "0"
+SPDX_INCLUDE_BITBAKE_PARENT_BUILD[doc] = "Report the parent invocation of bitbake \
+    for each Build object. This allows you to know who invoked bitbake to perform \
+    a build, but will result in non-reproducible SPDX output."
+SPDX_PACKAGE_ADDITIONAL_PURPOSE ?= ""
+SPDX_PACKAGE_ADDITIONAL_PURPOSE[doc] = "The list of additional purposes to assign to \
+    the generated packages for a recipe. The primary purpose is always `install`. \
+    Packages overrides are allowed to override the additional purposes for \
+    individual packages."
+SPDX_IMAGE_PURPOSE ?= "filesystemImage"
+SPDX_IMAGE_PURPOSE[doc] = "The list of purposes to assign to the generated images. \
+    The first listed item will be the Primary Purpose and all additional items will \
+    be added as additional purposes"
+SPDX_SDK_PURPOSE ?= "install"
+SPDX_SDK_PURPOSE[doc] = "The list of purposes to assign to the generate SDK installer. \
+    The first listed item will be the Primary Purpose and all additional items will \
+    be added as additional purposes"
+SPDX_INCLUDE_VEX ??= "current"
+SPDX_INCLUDE_VEX[doc] = "Controls what VEX information is in the output. Set to \
+    'none' to disable all VEX data. Set to 'current' to only include VEX data \
+    for vulnerabilities not already fixed in the upstream source code \
+    (recommended). Set  to 'all' to get all known historical vulnerabilities, \
+    including those already fixed upstream (warning: This can be large and \
+    slow)."
+SPDX_INCLUDE_TIMESTAMPS ?= "0"
+SPDX_INCLUDE_TIMESTAMPS[doc] = "Include time stamps in SPDX output. This is \
+    useful if you want to know when artifacts were produced and when builds \
+    occurred, but will result in non-reproducible SPDX output"
+SPDX_IMPORTS ??= ""
+SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
+    reference external SPDX ids. Each import is defined as a key in this \
+    variable with a suffix to describe to as a suffix to look up more \
+    information about the import. Each key can have the following variables: \
+        SPDX_IMPORTS_<key>_spdxid: The Fully qualified SPDX ID of the object \
+        SPDX_IMPORTS_<key>_uri: The URI where the SPDX Document that contains \
+            the external object can be found. Optional but recommended \
+        SPDX_IMPORTS_<key>_hash_<hash>: The Checksum of the SPDX Document that \
+            contains the External ID. <hash> must be one the valid SPDX hashing \
+            algorithms, as described by the HashAlgorithm vocabulary in the\
+            SPDX 3 spec. Optional but recommended"
+# Agents
+#   Bitbake variables can be used to describe an SPDX Agent that may be used
+#   during the build. An Agent is specified using a set of variables which all
+#   start with some common base name:
+#
+#   <BASE>_name: The name of the Agent (required)
+#   <BASE>_type: The type of Agent. Must be one of "person", "organization",
+#       "software", or "agent" (the default if not specified)
+#   <BASE>_comment: The comment for the Agent (optional)
+#   <BASE>_id_<ID>: And External Identifier for the Agent. <ID> must be a valid
+#       ExternalIdentifierType from the SPDX 3 spec. Commonly, an E-mail address
+#       can be specified with <BASE>_id_email
+#
+#   Alternatively, an Agent can be an external reference by referencing a key
+#   in SPDX_IMPORTS like so:
+#
+#   <BASE>_import = "<key>"
+#
+#   Finally, the same agent described by another set of agent variables can be
+#   referenced by specifying the basename of the variable that should be
+#   referenced:
+#
+#   SPDX_PACKAGE_SUPPLIER_ref = "SPDX_AUTHORS_openembedded"
+SPDX_AUTHORS ??= "openembedded"
+SPDX_AUTHORS[doc] = "A space separated list of the document authors. Each item \
+    is used to name a base variable like SPDX_AUTHORS_<AUTHOR> that \
+    describes the author."
+SPDX_AUTHORS_openembedded_name = "OpenEmbedded"
+SPDX_AUTHORS_openembedded_type = "organization"
+SPDX_BUILD_HOST[doc] = "The base variable name to describe the build host on \
+    which a build is running. Must be an SPDX_IMPORTS key. Requires \
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will result in \
+    non-reproducible SPDX output"
+SPDX_INVOKED_BY[doc] = "The base variable name to describe the Agent that \
+    invoked the build, which builds will link to if specified. Requires \
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will likely result in \
+    non-reproducible SPDX output"
+SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's \
+    behalf the invoking Agent (SPDX_INVOKED_BY) is running the build. Requires \
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will likely result in \
+    non-reproducible SPDX output"
+SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
+    is supplying artifacts produced by the build"
+SPDX_PACKAGE_VERSION ??= "${PV}"
+SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
+    in software_Package"
+IMAGE_CLASSES:append = " create-spdx-image-3.0"
+SDK_CLASSES += "create-spdx-sdk-3.0"
+oe.spdx30_tasks.set_timestamp_now[vardepsexclude] = "SPDX_INCLUDE_TIMESTAMPS"
+oe.spdx30_tasks.get_package_sources_from_debug[vardepsexclude] += "STAGING_KERNEL_DIR"
+oe.spdx30_tasks.collect_dep_objsets[vardepsexclude] = "SPDX_MULTILIB_SSTATE_ARCHS"
+# SPDX library code makes heavy use of classes, which bitbake cannot easily
+# parse out dependencies. As such, the library code files that make use of
+# classes are explicitly added as file checksum dependencies.
+SPDX3_LIB_DEP_FILES = "\
+    ${COREBASE}/meta/lib/oe/sbom30.py:True \
+    ${COREBASE}/meta/lib/oe/spdx30.py:True \
+    "
+python do_create_spdx() {
+    import oe.spdx30_tasks
+    oe.spdx30_tasks.create_spdx(d)
+}
+do_create_spdx[vardeps] += "\
+    SPDX_INCLUDE_BITBAKE_PARENT_BUILD \
+    SPDX_PACKAGE_ADDITIONAL_PURPOSE \
+    SPDX_PROFILES \
+    SPDX_NAMESPACE_PREFIX \
+    SPDX_UUID_NAMESPACE \
+    "
+addtask do_create_spdx after \
+    do_collect_spdx_deps \
+    do_deploy_source_date_epoch \
+    do_populate_sysroot do_package do_packagedata \
+    before do_populate_sdk do_populate_sdk_ext do_build do_rm_work
+SSTATETASKS += "do_create_spdx"
+do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
+do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+do_create_spdx[file-checksums] += "${SPDX3_LIB_DEP_FILES}"
+python do_create_spdx_setscene () {
+    sstate_setscene(d)
+}
+addtask do_create_spdx_setscene
+do_create_spdx[dirs] = "${SPDXWORK}"
+do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
+do_create_spdx[depends] += " \
+    ${PATCHDEPENDENCY} \
+    ${@create_spdx_source_deps(d)} \
+"
+python do_create_package_spdx() {
+    import oe.spdx30_tasks
+    oe.spdx30_tasks.create_package_spdx(d)
+}
+oe.spdx30_tasks.create_package_spdx[vardepsexclude] = "OVERRIDES"
+addtask do_create_package_spdx after do_create_spdx before do_build do_rm_work
+SSTATETASKS += "do_create_package_spdx"
+do_create_package_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
+do_create_package_spdx[file-checksums] += "${SPDX3_LIB_DEP_FILES}"
+python do_create_package_spdx_setscene () {
+    sstate_setscene(d)
+}
+addtask do_create_package_spdx_setscene
+do_create_package_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
+do_create_package_spdx[rdeptask] = "do_create_spdx"
+python spdx30_build_started_handler () {
+    import oe.spdx30_tasks
+    d = e.data.createCopy()
+    oe.spdx30_tasks.write_bitbake_spdx(d)
+}
+addhandler spdx30_build_started_handler
+spdx30_build_started_handler[eventmask] = "bb.event.BuildStarted"
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
new file mode 100644
index 0000000000..36feb56807
--- /dev/null
+++ b/meta/classes/spdx-common.bbclass
@@ -0,0 +1,99 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+SPDX_VERSION ??= ""
+DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${SPDX_VERSION}"
+# The product name that the CVE database uses.  Defaults to BPN, but may need to
+# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
+CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
+SPDXDIR ??= "${WORKDIR}/spdx/${SPDX_VERSION}"
+SPDXDEPLOY = "${SPDXDIR}/deploy"
+SPDXWORK = "${SPDXDIR}/work"
+SPDXIMAGEWORK = "${SPDXDIR}/image-work"
+SPDXSDKWORK = "${SPDXDIR}/sdk-work"
+SPDXSDKEXTWORK = "${SPDXDIR}/sdk-ext-work"
+SPDXDEPS = "${SPDXDIR}/deps.json"
+SPDX_TOOL_NAME ??= "oe-spdx-creator"
+SPDX_TOOL_VERSION ??= "1.0"
+SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
+SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
+SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
+SPDX_PRETTY ??= "0"
+SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
+SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
+def create_spdx_source_deps(d):
+    import oe.spdx_common
+    deps = []
+    if d.getVar("SPDX_INCLUDE_SOURCES") == "1":
+        pn = d.getVar('PN')
+        # do_unpack is a hack for now; we only need it to get the
+        # dependencies do_unpack already has so we can extract the source
+        # ourselves
+        if oe.spdx_common.has_task(d, "do_unpack"):
+            deps.append("%s:do_unpack" % pn)
+        if oe.spdx_common.is_work_shared_spdx(d) and \
+           oe.spdx_common.process_sources(d):
+            # For kernel source code
+            if oe.spdx_common.has_task(d, "do_shared_workdir"):
+                deps.append("%s:do_shared_workdir" % pn)
+            elif d.getVar('S') == d.getVar('STAGING_KERNEL_DIR'):
+                deps.append("virtual/kernel:do_shared_workdir")
+            # For gcc-source-${PV} source code
+            if oe.spdx_common.has_task(d, "do_preconfigure"):
+                deps.append("%s:do_preconfigure" % pn)
+            elif oe.spdx_common.has_task(d, "do_patch"):
+                deps.append("%s:do_patch" % pn)
+            # For gcc-cross-x86_64 source code
+            elif oe.spdx_common.has_task(d, "do_configure"):
+                deps.append("%s:do_configure" % pn)
+    return " ".join(deps)
+python do_collect_spdx_deps() {
+    # This task calculates the build time dependencies of the recipe, and is
+    # required because while a task can deptask on itself, those dependencies
+    # do not show up in BB_TASKDEPDATA. To work around that, this task does the
+    # deptask on do_create_spdx and writes out the dependencies it finds, then
+    # do_create_spdx reads in the found dependencies when writing the actual
+    # SPDX document
+    import json
+    import oe.spdx_common
+    from pathlib import Path
+    spdx_deps_file = Path(d.getVar("SPDXDEPS"))
+    deps = oe.spdx_common.collect_direct_deps(d, "do_create_spdx")
+    with spdx_deps_file.open("w") as f:
+        json.dump(deps, f)
+}
+# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
+addtask do_collect_spdx_deps after do_unpack
+do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
+do_collect_spdx_deps[deptask] = "do_create_spdx"
+do_collect_spdx_deps[dirs] = "${SPDXDIR}"
+oe.spdx_common.collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
+oe.spdx_common.collect_direct_deps[vardeps] += "DEPENDS"
+oe.spdx_common.collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
+oe.spdx_common.get_patched_src[vardepsexclude] += "STAGING_KERNEL_DIR"
author	Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>	2025-11-07 14:14:35 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-11-14 06:45:29 -0800
commit	11cd8498da86c61366e8701a8a49d60120c85248 (patch)
tree	cdec6b8c60c78687612dea2f0b61e81d22dbfdc7 /meta/classes
parent	d101e1410d05ba8faede730214db99c31476f733 (diff)
download	poky-11cd8498da86c61366e8701a8a49d60120c85248.tar.gz

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass new file mode 100644 index 0000000000..044517d9f7 --- /dev/null +++ b/meta/classes/create-spdx-3.0.bbclass
@@ -0,0 +1,200 @@
	1	#
	2	# Copyright OpenEmbedded Contributors
	3	#
	4	# SPDX-License-Identifier: GPL-2.0-only
	5	#
	6
	7	inherit spdx-common
	8
	9	SPDX_VERSION = "3.0.1"
	10
	11	# The list of SPDX profiles generated documents will conform to
	12	SPDX_PROFILES ?= "core build software simpleLicensing security"
	13
	14	SPDX_INCLUDE_BUILD_VARIABLES ??= "0"
	15	SPDX_INCLUDE_BUILD_VARIABLES[doc] = "If set to '1', the bitbake variables for a \
	16	recipe will be included in the Build object. This will most likely result \
	17	in non-reproducible SPDX output"
	18
	19	SPDX_INCLUDE_BITBAKE_PARENT_BUILD ??= "0"
	20	SPDX_INCLUDE_BITBAKE_PARENT_BUILD[doc] = "Report the parent invocation of bitbake \
	21	for each Build object. This allows you to know who invoked bitbake to perform \
	22	a build, but will result in non-reproducible SPDX output."
	23
	24	SPDX_PACKAGE_ADDITIONAL_PURPOSE ?= ""
	25	SPDX_PACKAGE_ADDITIONAL_PURPOSE[doc] = "The list of additional purposes to assign to \
	26	the generated packages for a recipe. The primary purpose is always `install`. \
	27	Packages overrides are allowed to override the additional purposes for \
	28	individual packages."
	29
	30	SPDX_IMAGE_PURPOSE ?= "filesystemImage"
	31	SPDX_IMAGE_PURPOSE[doc] = "The list of purposes to assign to the generated images. \
	32	The first listed item will be the Primary Purpose and all additional items will \
	33	be added as additional purposes"
	34
	35	SPDX_SDK_PURPOSE ?= "install"
	36	SPDX_SDK_PURPOSE[doc] = "The list of purposes to assign to the generate SDK installer. \
	37	The first listed item will be the Primary Purpose and all additional items will \
	38	be added as additional purposes"
	39
	40	SPDX_INCLUDE_VEX ??= "current"
	41	SPDX_INCLUDE_VEX[doc] = "Controls what VEX information is in the output. Set to \
	42	'none' to disable all VEX data. Set to 'current' to only include VEX data \
	43	for vulnerabilities not already fixed in the upstream source code \
	44	(recommended). Set to 'all' to get all known historical vulnerabilities, \
	45	including those already fixed upstream (warning: This can be large and \
	46	slow)."
	47
	48	SPDX_INCLUDE_TIMESTAMPS ?= "0"
	49	SPDX_INCLUDE_TIMESTAMPS[doc] = "Include time stamps in SPDX output. This is \
	50	useful if you want to know when artifacts were produced and when builds \
	51	occurred, but will result in non-reproducible SPDX output"
	52
	53	SPDX_IMPORTS ??= ""
	54	SPDX_IMPORTS[doc] = "SPDX_IMPORTS is the base variable that describes how to \
	55	reference external SPDX ids. Each import is defined as a key in this \
	56	variable with a suffix to describe to as a suffix to look up more \
	57	information about the import. Each key can have the following variables: \
	58	SPDX_IMPORTS_<key>_spdxid: The Fully qualified SPDX ID of the object \
	59	SPDX_IMPORTS_<key>_uri: The URI where the SPDX Document that contains \
	60	the external object can be found. Optional but recommended \
	61	SPDX_IMPORTS_<key>_hash_<hash>: The Checksum of the SPDX Document that \
	62	contains the External ID. <hash> must be one the valid SPDX hashing \
	63	algorithms, as described by the HashAlgorithm vocabulary in the\
	64	SPDX 3 spec. Optional but recommended"
	65
	66	# Agents
	67	# Bitbake variables can be used to describe an SPDX Agent that may be used
	68	# during the build. An Agent is specified using a set of variables which all
	69	# start with some common base name:
	70	#
	71	# <BASE>_name: The name of the Agent (required)
	72	# <BASE>_type: The type of Agent. Must be one of "person", "organization",
	73	# "software", or "agent" (the default if not specified)
	74	# <BASE>_comment: The comment for the Agent (optional)
	75	# <BASE>_id_<ID>: And External Identifier for the Agent. <ID> must be a valid
	76	# ExternalIdentifierType from the SPDX 3 spec. Commonly, an E-mail address
	77	# can be specified with <BASE>_id_email
	78	#
	79	# Alternatively, an Agent can be an external reference by referencing a key
	80	# in SPDX_IMPORTS like so:
	81	#
	82	# <BASE>_import = "<key>"
	83	#
	84	# Finally, the same agent described by another set of agent variables can be
	85	# referenced by specifying the basename of the variable that should be
	86	# referenced:
	87	#
	88	# SPDX_PACKAGE_SUPPLIER_ref = "SPDX_AUTHORS_openembedded"
	89
	90	SPDX_AUTHORS ??= "openembedded"
	91	SPDX_AUTHORS[doc] = "A space separated list of the document authors. Each item \
	92	is used to name a base variable like SPDX_AUTHORS_<AUTHOR> that \
	93	describes the author."
	94
	95	SPDX_AUTHORS_openembedded_name = "OpenEmbedded"
	96	SPDX_AUTHORS_openembedded_type = "organization"
	97
	98	SPDX_BUILD_HOST[doc] = "The base variable name to describe the build host on \
	99	which a build is running. Must be an SPDX_IMPORTS key. Requires \
	100	SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will result in \
	101	non-reproducible SPDX output"
	102
	103	SPDX_INVOKED_BY[doc] = "The base variable name to describe the Agent that \
	104	invoked the build, which builds will link to if specified. Requires \
	105	SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will likely result in \
	106	non-reproducible SPDX output"
	107
	108	SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's \
	109	behalf the invoking Agent (SPDX_INVOKED_BY) is running the build. Requires \
	110	SPDX_INCLUDE_BITBAKE_PARENT_BUILD. NOTE: Setting this will likely result in \
	111	non-reproducible SPDX output"
	112
	113	SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
	114	is supplying artifacts produced by the build"
	115
	116	SPDX_PACKAGE_VERSION ??= "${PV}"
	117	SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
	118	in software_Package"
	119
	120	IMAGE_CLASSES:append = " create-spdx-image-3.0"
	121	SDK_CLASSES += "create-spdx-sdk-3.0"
	122
	123	oe.spdx30_tasks.set_timestamp_now[vardepsexclude] = "SPDX_INCLUDE_TIMESTAMPS"
	124	oe.spdx30_tasks.get_package_sources_from_debug[vardepsexclude] += "STAGING_KERNEL_DIR"
	125	oe.spdx30_tasks.collect_dep_objsets[vardepsexclude] = "SPDX_MULTILIB_SSTATE_ARCHS"
	126
	127
	128	# SPDX library code makes heavy use of classes, which bitbake cannot easily
	129	# parse out dependencies. As such, the library code files that make use of
	130	# classes are explicitly added as file checksum dependencies.
	131	SPDX3_LIB_DEP_FILES = "\
	132	${COREBASE}/meta/lib/oe/sbom30.py:True \
	133	${COREBASE}/meta/lib/oe/spdx30.py:True \
	134	"
	135
	136	python do_create_spdx() {
	137	import oe.spdx30_tasks
	138	oe.spdx30_tasks.create_spdx(d)
	139	}
	140	do_create_spdx[vardeps] += "\
	141	SPDX_INCLUDE_BITBAKE_PARENT_BUILD \
	142	SPDX_PACKAGE_ADDITIONAL_PURPOSE \
	143	SPDX_PROFILES \
	144	SPDX_NAMESPACE_PREFIX \
	145	SPDX_UUID_NAMESPACE \
	146	"
	147
	148	addtask do_create_spdx after \
	149	do_collect_spdx_deps \
	150	do_deploy_source_date_epoch \
	151	do_populate_sysroot do_package do_packagedata \
	152	before do_populate_sdk do_populate_sdk_ext do_build do_rm_work
	153
	154	SSTATETASKS += "do_create_spdx"
	155	do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
	156	do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
	157	do_create_spdx[file-checksums] += "${SPDX3_LIB_DEP_FILES}"
	158
	159	python do_create_spdx_setscene () {
	160	sstate_setscene(d)
	161	}
	162	addtask do_create_spdx_setscene
	163
	164	do_create_spdx[dirs] = "${SPDXWORK}"
	165	do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
	166	do_create_spdx[depends] += " \
	167	${PATCHDEPENDENCY} \
	168	${@create_spdx_source_deps(d)} \
	169	"
	170
	171	python do_create_package_spdx() {
	172	import oe.spdx30_tasks
	173	oe.spdx30_tasks.create_package_spdx(d)
	174	}
	175	oe.spdx30_tasks.create_package_spdx[vardepsexclude] = "OVERRIDES"
	176
	177	addtask do_create_package_spdx after do_create_spdx before do_build do_rm_work
	178	SSTATETASKS += "do_create_package_spdx"
	179	do_create_package_spdx[sstate-inputdirs] = "${SPDXRUNTIMEDEPLOY}"
	180	do_create_package_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
	181	do_create_package_spdx[file-checksums] += "${SPDX3_LIB_DEP_FILES}"
	182
	183	python do_create_package_spdx_setscene () {
	184	sstate_setscene(d)
	185	}
	186	addtask do_create_package_spdx_setscene
	187
	188	do_create_package_spdx[dirs] = "${SPDXRUNTIMEDEPLOY}"
	189	do_create_package_spdx[cleandirs] = "${SPDXRUNTIMEDEPLOY}"
	190	do_create_package_spdx[rdeptask] = "do_create_spdx"
	191
	192	python spdx30_build_started_handler () {
	193	import oe.spdx30_tasks
	194	d = e.data.createCopy()
	195	oe.spdx30_tasks.write_bitbake_spdx(d)
	196	}
	197
	198	addhandler spdx30_build_started_handler
	199	spdx30_build_started_handler[eventmask] = "bb.event.BuildStarted"
	200


diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass new file mode 100644 index 0000000000..36feb56807 --- /dev/null +++ b/meta/classes/spdx-common.bbclass
@@ -0,0 +1,99 @@
	1	#
	2	# Copyright OpenEmbedded Contributors
	3	#
	4	# SPDX-License-Identifier: GPL-2.0-only
	5	#
	6
	7	SPDX_VERSION ??= ""
	8	DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${SPDX_VERSION}"
	9
	10	# The product name that the CVE database uses. Defaults to BPN, but may need to
	11	# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
	12	CVE_PRODUCT ??= "${BPN}"
	13	CVE_VERSION ??= "${PV}"
	14
	15	SPDXDIR ??= "${WORKDIR}/spdx/${SPDX_VERSION}"
	16	SPDXDEPLOY = "${SPDXDIR}/deploy"
	17	SPDXWORK = "${SPDXDIR}/work"
	18	SPDXIMAGEWORK = "${SPDXDIR}/image-work"
	19	SPDXSDKWORK = "${SPDXDIR}/sdk-work"
	20	SPDXSDKEXTWORK = "${SPDXDIR}/sdk-ext-work"
	21	SPDXDEPS = "${SPDXDIR}/deps.json"
	22
	23	SPDX_TOOL_NAME ??= "oe-spdx-creator"
	24	SPDX_TOOL_VERSION ??= "1.0"
	25
	26	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
	27
	28	SPDX_INCLUDE_SOURCES ??= "0"
	29
	30	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
	31	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
	32	SPDX_PRETTY ??= "0"
	33
	34	SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
	35
	36	SPDX_CUSTOM_ANNOTATION_VARS ??= ""
	37
	38	SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
	39
	40	def create_spdx_source_deps(d):
	41	import oe.spdx_common
	42
	43	deps = []
	44	if d.getVar("SPDX_INCLUDE_SOURCES") == "1":
	45	pn = d.getVar('PN')
	46	# do_unpack is a hack for now; we only need it to get the
	47	# dependencies do_unpack already has so we can extract the source
	48	# ourselves
	49	if oe.spdx_common.has_task(d, "do_unpack"):
	50	deps.append("%s:do_unpack" % pn)
	51
	52	if oe.spdx_common.is_work_shared_spdx(d) and \
	53	oe.spdx_common.process_sources(d):
	54	# For kernel source code
	55	if oe.spdx_common.has_task(d, "do_shared_workdir"):
	56	deps.append("%s:do_shared_workdir" % pn)
	57	elif d.getVar('S') == d.getVar('STAGING_KERNEL_DIR'):
	58	deps.append("virtual/kernel:do_shared_workdir")
	59
	60	# For gcc-source-${PV} source code
	61	if oe.spdx_common.has_task(d, "do_preconfigure"):
	62	deps.append("%s:do_preconfigure" % pn)
	63	elif oe.spdx_common.has_task(d, "do_patch"):
	64	deps.append("%s:do_patch" % pn)
	65	# For gcc-cross-x86_64 source code
	66	elif oe.spdx_common.has_task(d, "do_configure"):
	67	deps.append("%s:do_configure" % pn)
	68
	69	return " ".join(deps)
	70
	71
	72	python do_collect_spdx_deps() {
	73	# This task calculates the build time dependencies of the recipe, and is
	74	# required because while a task can deptask on itself, those dependencies
	75	# do not show up in BB_TASKDEPDATA. To work around that, this task does the
	76	# deptask on do_create_spdx and writes out the dependencies it finds, then
	77	# do_create_spdx reads in the found dependencies when writing the actual
	78	# SPDX document
	79	import json
	80	import oe.spdx_common
	81	from pathlib import Path
	82
	83	spdx_deps_file = Path(d.getVar("SPDXDEPS"))
	84
	85	deps = oe.spdx_common.collect_direct_deps(d, "do_create_spdx")
	86
	87	with spdx_deps_file.open("w") as f:
	88	json.dump(deps, f)
	89	}
	90	# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
	91	addtask do_collect_spdx_deps after do_unpack
	92	do_collect_spdx_deps[depends] += "${PATCHDEPENDENCY}"
	93	do_collect_spdx_deps[deptask] = "do_create_spdx"
	94	do_collect_spdx_deps[dirs] = "${SPDXDIR}"
	95
	96	oe.spdx_common.collect_direct_deps[vardepsexclude] += "BB_TASKDEPDATA"
	97	oe.spdx_common.collect_direct_deps[vardeps] += "DEPENDS"
	98	oe.spdx_common.collect_package_providers[vardepsexclude] += "BB_TASKDEPDATA"
	99	oe.spdx_common.get_patched_src[vardepsexclude] += "STAGING_KERNEL_DIR"