spdx30: Link license and build by alias

The license information and Build created by do_create_spdx are changed to be referenced by their link alias instead of the actual SPDX ID. This fixes a case where do_create_package_spdx would pull these from mismatching sstate, and then the SPDX IDs would be unresolved when assembling the final document (From OE-Core rev: c0fcdc72a7c8fca86a874d1b04298fe9e500c796) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joshua Watt <JPEWhacker@gmail.com> 2024-10-07 10:24:15 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2024-10-15 11:47:24 +0100
commit: 19aa2c0a99b02dfa157f38d8975ea73e95647861 (patch)
tree: 71ba9519e7d535c79e6ec54f2e67919512c738a8 /meta/lib
parent: ca5472cd2ce30061dc8bd18efe9e85c8f76b8444 (diff)
download: poky-19aa2c0a99b02dfa157f38d8975ea73e95647861.tar.gz
2 files changed, 31 insertions, 22 deletions
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 7b4f78cc71..27ab5e45ac 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -305,24 +305,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
    def add_aliases(self):
        for o in self.foreach_type(oe.spdx30.Element):
-            if not o._id or o._id.startswith("_:"):
+            self.set_element_alias(o)
-                continue
-            alias_ext = get_alias(o)
-            if alias_ext is None:
-                unihash = self.d.getVar("BB_UNIHASH")
-                namespace = self.get_namespace()
-                if unihash not in o._id:
-                    bb.warn(f"Unihash {unihash} not found in {o._id}")
-                elif namespace not in o._id:
-                    bb.warn(f"Namespace {namespace} not found in {o._id}")
-                else:
-                    alias_ext = set_alias(
-                        o,
-                        o._id.replace(unihash, "UNIHASH").replace(
-                            namespace, self.d.getVar("PN")
-                        ),
-                    )
    def remove_internal_extensions(self):
        def remove(o):
@@ -345,6 +328,26 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
            str(uuid.uuid5(namespace_uuid, pn)),
        )
+    def set_element_alias(self, e):
+        if not e._id or e._id.startswith("_:"):
+            return
+        alias_ext = get_alias(e)
+        if alias_ext is None:
+            unihash = self.d.getVar("BB_UNIHASH")
+            namespace = self.get_namespace()
+            if unihash not in e._id:
+                bb.warn(f"Unihash {unihash} not found in {e._id}")
+            elif namespace not in e._id:
+                bb.warn(f"Namespace {namespace} not found in {e._id}")
+            else:
+                alias_ext = set_alias(
+                    e,
+                    e._id.replace(unihash, "UNIHASH").replace(
+                        namespace, self.d.getVar("PN")
+                    ),
+                )
    def new_spdxid(self, *suffix, include_unihash=True):
        items = [self.get_namespace()]
        if include_unihash:
@@ -557,7 +560,9 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
            scope=scope,
        )
-    def new_license_expression(self, license_expression, license_data, license_text_map={}):
+    def new_license_expression(
+        self, license_expression, license_data, license_text_map={}
+    ):
        license_list_version = license_data["licenseListVersion"]
        # SPDX 3 requires that the license list version be a semver
        # MAJOR.MINOR.MICRO, but the actual license version might be
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index d0dd40877e..e0b656d81f 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -119,9 +119,11 @@ def add_license_expression(d, objset, license_expression, license_data):
    )
    spdx_license_expression = " ".join(convert(l) for l in lic_split)
-    return objset.new_license_expression(
+    o = objset.new_license_expression(
        spdx_license_expression, license_data, license_text_map
    )
+    objset.set_element_alias(o)
+    return o
 def add_package_files(
@@ -462,6 +464,8 @@ def create_spdx(d):
    build_objset = oe.sbom30.ObjectSet.new_objset(d, d.getVar("PN"))
    build = build_objset.new_task_build("recipe", "recipe")
+    build_objset.set_element_alias(build)
    build_objset.doc.rootElement.append(build)
    build_objset.set_is_native(is_native)
@@ -603,7 +607,7 @@ def create_spdx(d):
            set_var_field("DESCRIPTION", spdx_package, "description", package=package)
            pkg_objset.new_scoped_relationship(
-                [build._id],
+                [oe.sbom30.get_element_link_id(build)],
                oe.spdx30.RelationshipType.hasOutput,
                oe.spdx30.LifecycleScopeType.build,
                [spdx_package],
@@ -650,7 +654,7 @@ def create_spdx(d):
            pkg_objset.new_relationship(
                [spdx_package],
                oe.spdx30.RelationshipType.hasConcludedLicense,
-                [package_spdx_license._id],
+                [oe.sbom30.get_element_link_id(package_spdx_license)],
            )
            # NOTE: CVE Elements live in the recipe collection
author	Joshua Watt <JPEWhacker@gmail.com>	2024-10-07 10:24:15 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-10-15 11:47:24 +0100
commit	19aa2c0a99b02dfa157f38d8975ea73e95647861 (patch)
tree	71ba9519e7d535c79e6ec54f2e67919512c738a8 /meta/lib
parent	ca5472cd2ce30061dc8bd18efe9e85c8f76b8444 (diff)
download	poky-19aa2c0a99b02dfa157f38d8975ea73e95647861.tar.gz