create-spdx-2.2: support to override the version of a package in SPDX 2

By default, still use ${PV} as the the version of a package in SPDX 2 $ echo 'INHERIT:remove = "create-spdx"' >> conf/local.conf $ echo 'INHERIT += "create-spdx-2.2"' >> conf/local.conf $ bitbake acl $ jq . tmp/deploy/spdx/2.2/core2-64/recipes/recipe-acl.spdx.json ... "name": "acl", "summary": "Utilities for managing POSIX Access Control Lists", "supplier": "Organization: OpenEmbedded ()", "versionInfo": "2.3.2" }, ... Support to override it by setting SPDX_PACKAGE_VERSION, such as set SPDX_PACKAGE_VERSION = "${EXTENDPKGV}" in local.conf to append PR to versionInfo in SBOM 2 $ echo 'SPDX_PACKAGE_VERSION = "${EXTENDPKGV}"' >> conf/local.conf $ bitbake acl $ jq . tmp/deploy/spdx/2.2/core2-64/recipes/recipe-acl.spdx.json ... "name": "acl", "summary": "Utilities for managing POSIX Access Control Lists", "supplier": "Organization: OpenEmbedded ()", "versionInfo": "2.3.2-r0" }, ... (From OE-Core rev: 0bd069f526ee0d535477b75a4aa825b4cb589423) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hongxu Jia <hongxu.jia@windriver.com> 2025-06-25 17:20:39 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-07-01 08:49:37 +0100
commit: 5a6f74d4fc2c9ffad507aabec1779bd46c78ff78 (patch)
tree: 7f6fbd8801cf71ccf8653e6304e16450a9600242 /meta
parent: e065efc71d5f0c6cfd9a666c019db84b12f9b16d (diff)
download: poky-5a6f74d4fc2c9ffad507aabec1779bd46c78ff78.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 6fc60a1d97..94e0108815 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -23,6 +23,8 @@ def get_namespace(d, name):
    namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
    return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), name, str(uuid.uuid5(namespace_uuid, name)))
+SPDX_PACKAGE_VERSION ??= "${PV}"
+SPDX_PACKAGE_VERSION[doc] = "The version of a package, versionInfo in recipe, package and image"
 def create_annotation(d, comment):
    from datetime import datetime, timezone
@@ -447,7 +449,7 @@ python do_create_spdx() {
    recipe = oe.spdx.SPDXPackage()
    recipe.name = d.getVar("PN")
-    recipe.versionInfo = d.getVar("PV")
+    recipe.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
    recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
    recipe.supplier = d.getVar("SPDX_SUPPLIER")
    if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
@@ -556,7 +558,7 @@ python do_create_spdx() {
            spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
            spdx_package.name = pkg_name
-            spdx_package.versionInfo = d.getVar("PV")
+            spdx_package.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
            spdx_package.licenseDeclared = convert_license_to_spdx(package_license, license_data, package_doc, d, found_licenses)
            spdx_package.supplier = d.getVar("SPDX_SUPPLIER")
@@ -832,7 +834,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages, spdx
    image = oe.spdx.SPDXPackage()
    image.name = d.getVar("PN")
-    image.versionInfo = d.getVar("PV")
+    image.versionInfo = d.getVar("SPDX_PACKAGE_VERSION")
    image.SPDXID = rootfs_spdxid
    image.supplier = d.getVar("SPDX_SUPPLIER")
author	Hongxu Jia <hongxu.jia@windriver.com>	2025-06-25 17:20:39 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-07-01 08:49:37 +0100
commit	5a6f74d4fc2c9ffad507aabec1779bd46c78ff78 (patch)
tree	7f6fbd8801cf71ccf8653e6304e16450a9600242 /meta
parent	e065efc71d5f0c6cfd9a666c019db84b12f9b16d (diff)
download	poky-5a6f74d4fc2c9ffad507aabec1779bd46c78ff78.tar.gz