authorDaniel Turull <daniel.turull@ericsson.com>2025-06-19 10:47:36 +0200
committerSteve Sakoman <steve@sakoman.com>2025-07-07 07:42:58 -0700
commit2366605a35443565e259d03791d7b662c6ea03e2 (patch)
tree96c219df0c6c47d1bf0342b4bfbc39bcee4d682f /meta/lib
parent5b7a6dec8542968b5062e4da407e322dda50326b (diff)
downloadpoky-2366605a35443565e259d03791d7b662c6ea03e2.tar.gz
spdx: add option to include only compiled sources
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the source code files that are used during compilation. It uses debugsource information generated during do_package. This enables an external tool to use the SPDX information to disregard vulnerabilities in code that is not compiled. As an example, when used with the default config with linux-yocto, the spdx size is reduced from 156MB to 61MB. Tested with bitbake world on oe-core. (From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968) Adapted to existing files for create-spdx-2.2 CC: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> CC: Joshua Watt <JPEWhacker@gmail.com> (From OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b) Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/lib')
-rw-r--r--meta/lib/oe/spdx.py42
1 files changed, 42 insertions, 0 deletions
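diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
index 7aaf2af5ed..92dcd2da05 100644
--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -355,3 +355,45 @@ class SPDXDocument(SPDXObject):
  if r.spdxDocument == namespace:
  return r
  return None
+
+def is_compiled_source (filename, compiled_sources, types):
+ """
+ Check if the file is a compiled file
+ """
+ import os
+ # If we don't have compiled source, we assume all are compiled.
+ if not compiled_sources:
+ return True
+
+ # We return always true if the file type is not in the list of compiled files.
+ # Some files in the source directory are not compiled, for example, Makefiles,
+ # but also python .py file. We need to include them in the SPDX.
+ basename = os.path.basename(filename)
+ ext = basename.partition(".")[2]
+ if ext not in types:
+ return True
+ # Check that the file is in the list
+ return filename in compiled_sources
+
+def get_compiled_sources(d):
+ """
+ Get list of compiled sources from debug information and normalize the paths
+ """
+ import itertools
+ import oe.package
+ source_info = oe.package.read_debugsources_info(d)
+ if not source_info:
+ bb.debug(1, "Do not have debugsources.list. Skipping")
+ return [], []
+
+ # Sources are not split now in SPDX, so we aggregate them
+ sources = set(itertools.chain.from_iterable(source_info.values()))
+ # Check extensions of files
+ types = set()
+ for src in sources:
+ basename = os.path.basename(src)
+ ext = basename.partition(".")[2]
+ if ext not in types and ext:
+ types.add(ext)
+ bb.debug(1, f"Num of sources: {len(sources)} and types: {len(types)} {str(types)}")
+ return sources, types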
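Review bot: `get_compiled_sources` calls `os.path.basename(src)` but, unlike `is_compiled_source`, has no local `import os`; unless `os` is already in scope at module level (not visible in this hunk), add `import os` next to `import itertools`. Separately, `is_compiled_source` decides with the exact-string test `filename in compiled_sources`, while the docstring of `get_compiled_sources` promises path normalization that the visible body does not perform, so it presumably relies on `oe.package.read_debugsources_info` for that. Because the commit message says downstream tools use this list to disregard vulnerabilities in uncompiled code, a path-form mismatch would silently drop a file that is in fact compiled; a comment stating the path form expected on both sides would make that contract checkable. `basename.partition(".")[2]` also returns everything after the first dot, so multi-dot names seldom match `types` and stay included, which fails open but deserves a short comment such as `# ext is everything after the first dot; unmatched names are kept`.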