summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/classes/create-spdx.bbclass679
-rw-r--r--meta/lib/oe/sbom.py63
-rw-r--r--meta/lib/oe/spdx.py263
3 files changed, 1005 insertions, 0 deletions
diff --git a/meta/classes/create-spdx.bbclass b/meta/classes/create-spdx.bbclass
new file mode 100644
index 0000000000..35fb4421d0
--- /dev/null
+++ b/meta/classes/create-spdx.bbclass
@@ -0,0 +1,679 @@
1#
2# SPDX-License-Identifier: GPL-2.0-only
3#
4
5DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${MACHINE}"
6
7# The product name that the CVE database uses. Defaults to BPN, but may need to
8# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
9CVE_PRODUCT ??= "${BPN}"
10CVE_VERSION ??= "${PV}"
11
12SPDXDIR ??= "${WORKDIR}/spdx"
13SPDXDEPLOY = "${SPDXDIR}/deploy"
14SPDXWORK = "${SPDXDIR}/work"
15
16SPDX_INCLUDE_SOURCES ??= "0"
17SPDX_INCLUDE_PACKAGED ??= "0"
18SPDX_ARCHIVE_SOURCES ??= "0"
19SPDX_ARCHIVE_PACKAGED ??= "0"
20
21SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
22SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc"
23
24do_image_complete[depends] = "virtual/kernel:do_create_spdx"
25
26def get_doc_namespace(d, doc):
27 import uuid
28 namespace_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, d.getVar("SPDX_UUID_NAMESPACE"))
29 return "%s/%s-%s" % (d.getVar("SPDX_NAMESPACE_PREFIX"), doc.name, str(uuid.uuid5(namespace_uuid, doc.name)))
30
31
32def is_work_shared(d):
33 pn = d.getVar('PN')
34 return bb.data.inherits_class('kernel', d) or pn.startswith('gcc-source')
35
36
37def convert_license_to_spdx(lic, d):
38 def convert(l):
39 if l == "&":
40 return "AND"
41
42 if l == "|":
43 return "OR"
44
45 spdx = d.getVarFlag('SPDXLICENSEMAP', l)
46 if spdx is not None:
47 return spdx
48
49 return l
50
51 return ' '.join(convert(l) for l in lic.split())
52
53
54def process_sources(d):
55 pn = d.getVar('PN')
56 assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
57 if pn in assume_provided:
58 for p in d.getVar("PROVIDES").split():
59 if p != pn:
60 pn = p
61 break
62
63 # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
64 # so avoid archiving source here.
65 if pn.startswith('glibc-locale'):
66 return False
67 if d.getVar('PN') == "libtool-cross":
68 return False
69 if d.getVar('PN') == "libgcc-initial":
70 return False
71 if d.getVar('PN') == "shadow-sysroot":
72 return False
73
74 # We just archive gcc-source for all the gcc related recipes
75 if d.getVar('BPN') in ['gcc', 'libgcc']:
76 bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
77 return False
78
79 return True
80
81
82def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archive=None, ignore_dirs=[], ignore_top_level_dirs=[]):
83 from pathlib import Path
84 import oe.spdx
85 import hashlib
86
87 source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
88
89 sha1s = []
90 spdx_files = []
91
92 file_counter = 1
93 for subdir, dirs, files in os.walk(topdir):
94 dirs[:] = [d for d in dirs if d not in ignore_dirs]
95 if subdir == str(topdir):
96 dirs[:] = [d for d in dirs if d not in ignore_top_level_dirs]
97
98 for file in files:
99 filepath = Path(subdir) / file
100 filename = str(filepath.relative_to(topdir))
101
102 if filepath.is_file() and not filepath.is_symlink():
103 spdx_file = oe.spdx.SPDXFile()
104 spdx_file.SPDXID = get_spdxid(file_counter)
105 for t in get_types(filepath):
106 spdx_file.fileTypes.append(t)
107 spdx_file.fileName = filename
108
109 hashes = {
110 "SHA1": hashlib.sha1(),
111 "SHA256": hashlib.sha256(),
112 }
113
114 with filepath.open("rb") as f:
115 while True:
116 chunk = f.read(4096)
117 if not chunk:
118 break
119
120 for h in hashes.values():
121 h.update(chunk)
122
123 if archive is not None:
124 f.seek(0)
125 info = archive.gettarinfo(fileobj=f)
126 info.name = filename
127 info.uid = 0
128 info.gid = 0
129 info.uname = "root"
130 info.gname = "root"
131
132 if source_date_epoch is not None and info.mtime > int(source_date_epoch):
133 info.mtime = int(source_date_epoch)
134
135 archive.addfile(info, f)
136
137 for k, v in hashes.items():
138 spdx_file.checksums.append(oe.spdx.SPDXChecksum(
139 algorithm=k,
140 checksumValue=v.hexdigest(),
141 ))
142
143 sha1s.append(hashes["SHA1"].hexdigest())
144
145 doc.files.append(spdx_file)
146 doc.add_relationship(spdx_pkg, "CONTAINS", spdx_file)
147 spdx_pkg.hasFiles.append(spdx_file.SPDXID)
148
149 spdx_files.append(spdx_file)
150
151 file_counter += 1
152
153 sha1s.sort()
154 verifier = hashlib.sha1()
155 for v in sha1s:
156 verifier.update(v.encode("utf-8"))
157 spdx_pkg.packageVerificationCode.packageVerificationCodeValue = verifier.hexdigest()
158
159 return spdx_files
160
161
162def add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources):
163 from pathlib import Path
164 import hashlib
165 import oe.packagedata
166 import oe.spdx
167
168 debug_search_paths = [
169 Path(d.getVar('PKGD')),
170 Path(d.getVar('STAGING_DIR_TARGET')),
171 Path(d.getVar('STAGING_DIR_NATIVE')),
172 ]
173
174 pkg_data = oe.packagedata.read_subpkgdata_extended(package, d)
175
176 if pkg_data is None:
177 return
178
179 for file_path, file_data in pkg_data["files_info"].items():
180 if not "debugsrc" in file_data:
181 continue
182
183 for pkg_file in package_files:
184 if file_path.lstrip("/") == pkg_file.fileName.lstrip("/"):
185 break
186 else:
187 bb.fatal("No package file found for %s" % str(file_path))
188 continue
189
190 for debugsrc in file_data["debugsrc"]:
191 for search in debug_search_paths:
192 debugsrc_path = search / debugsrc.lstrip("/")
193 if not debugsrc_path.exists():
194 continue
195
196 with debugsrc_path.open("rb") as f:
197 sha = hashlib.sha256()
198 while True:
199 chunk = f.read(4096)
200 if not chunk:
201 break
202 sha.update(chunk)
203
204 file_sha256 = sha.hexdigest()
205
206 if not file_sha256 in sources:
207 bb.debug(1, "Debug source %s with SHA256 %s not found in any dependency" % (str(debugsrc_path), file_sha256))
208 continue
209
210 source_file = sources[file_sha256]
211
212 doc_ref = package_doc.find_external_document_ref(source_file.doc.documentNamespace)
213 if doc_ref is None:
214 doc_ref = oe.spdx.SPDXExternalDocumentRef()
215 doc_ref.externalDocumentId = "DocumentRef-dependency-" + source_file.doc.name
216 doc_ref.spdxDocument = source_file.doc.documentNamespace
217 doc_ref.checksum.algorithm = "SHA1"
218 doc_ref.checksum.checksumValue = source_file.doc_sha1
219 package_doc.externalDocumentRefs.append(doc_ref)
220
221 package_doc.add_relationship(
222 pkg_file,
223 "GENERATED_FROM",
224 "%s:%s" % (doc_ref.externalDocumentId, source_file.file.SPDXID),
225 comment=debugsrc
226 )
227 break
228 else:
229 bb.debug(1, "Debug source %s not found" % debugsrc)
230
231
232def collect_dep_recipes(d, doc, spdx_recipe):
233 from pathlib import Path
234 import oe.sbom
235 import oe.spdx
236
237 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
238
239 dep_recipes = []
240 taskdepdata = d.getVar("BB_TASKDEPDATA", False)
241 deps = sorted(set(
242 dep[0] for dep in taskdepdata.values() if
243 dep[1] == "do_create_spdx" and dep[0] != d.getVar("PN")
244 ))
245 for dep_pn in deps:
246 dep_recipe_path = deploy_dir_spdx / "recipes" / ("recipe-%s.spdx.json" % dep_pn)
247
248 spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_recipe_path)
249
250 for pkg in spdx_dep_doc.packages:
251 if pkg.name == dep_pn:
252 spdx_dep_recipe = pkg
253 break
254 else:
255 continue
256
257 dep_recipes.append(oe.sbom.DepRecipe(spdx_dep_doc, spdx_dep_sha1, spdx_dep_recipe))
258
259 dep_recipe_ref = oe.spdx.SPDXExternalDocumentRef()
260 dep_recipe_ref.externalDocumentId = "DocumentRef-dependency-" + spdx_dep_doc.name
261 dep_recipe_ref.spdxDocument = spdx_dep_doc.documentNamespace
262 dep_recipe_ref.checksum.algorithm = "SHA1"
263 dep_recipe_ref.checksum.checksumValue = spdx_dep_sha1
264
265 doc.externalDocumentRefs.append(dep_recipe_ref)
266
267 doc.add_relationship(
268 "%s:%s" % (dep_recipe_ref.externalDocumentId, spdx_dep_recipe.SPDXID),
269 "BUILD_DEPENDENCY_OF",
270 spdx_recipe
271 )
272
273 return dep_recipes
274
275collect_dep_recipes[vardepsexclude] += "BB_TASKDEPDATA"
276
277
278def collect_dep_sources(d, dep_recipes):
279 import oe.sbom
280
281 sources = {}
282 for dep in dep_recipes:
283 recipe_files = set(dep.recipe.hasFiles)
284
285 for spdx_file in dep.doc.files:
286 if spdx_file.SPDXID not in recipe_files:
287 continue
288
289 if "SOURCE" in spdx_file.fileTypes:
290 for checksum in spdx_file.checksums:
291 if checksum.algorithm == "SHA256":
292 sources[checksum.checksumValue] = oe.sbom.DepSource(dep.doc, dep.doc_sha1, dep.recipe, spdx_file)
293 break
294
295 return sources
296
297
298python do_create_spdx() {
299 from datetime import datetime, timezone
300 import oe.sbom
301 import oe.spdx
302 import uuid
303 from pathlib import Path
304 from contextlib import contextmanager
305 import oe.cve_check
306
307 @contextmanager
308 def optional_tarfile(name, guard, mode="w"):
309 import tarfile
310 import bb.compress.zstd
311
312 num_threads = int(d.getVar("BB_NUMBER_THREADS"))
313
314 if guard:
315 name.parent.mkdir(parents=True, exist_ok=True)
316 with bb.compress.zstd.open(name, mode=mode + "b", num_threads=num_threads) as f:
317 with tarfile.open(fileobj=f, mode=mode + "|") as tf:
318 yield tf
319 else:
320 yield None
321
322 bb.build.exec_func("read_subpackage_metadata", d)
323
324 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
325 spdx_workdir = Path(d.getVar("SPDXWORK"))
326 include_packaged = d.getVar("SPDX_INCLUDE_PACKAGED") == "1"
327 include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1"
328 archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1"
329 archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1"
330
331 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
332
333 doc = oe.spdx.SPDXDocument()
334
335 doc.name = "recipe-" + d.getVar("PN")
336 doc.documentNamespace = get_doc_namespace(d, doc)
337 doc.creationInfo.created = creation_time
338 doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
339 doc.creationInfo.creators.append("Tool: meta-doubleopen")
340 doc.creationInfo.creators.append("Organization: Double Open Project ()")
341 doc.creationInfo.creators.append("Person: N/A ()")
342
343 recipe = oe.spdx.SPDXPackage()
344 recipe.name = d.getVar("PN")
345 recipe.versionInfo = d.getVar("PV")
346 recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
347
348 src_uri = d.getVar('SRC_URI')
349 if src_uri:
350 recipe.downloadLocation = src_uri.split()[0]
351
352 homepage = d.getVar("HOMEPAGE")
353 if homepage:
354 recipe.homepage = homepage
355
356 license = d.getVar("LICENSE")
357 if license:
358 recipe.licenseDeclared = convert_license_to_spdx(license, d)
359
360 summary = d.getVar("SUMMARY")
361 if summary:
362 recipe.summary = summary
363
364 description = d.getVar("DESCRIPTION")
365 if description:
366 recipe.description = description
367
368 # Some CVEs may be patched during the build process without incrementing the version number,
369 # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
370 # save the CVEs fixed by patches to source information field in the SPDX.
371 patched_cves = oe.cve_check.get_patched_cves(d)
372 patched_cves = list(patched_cves)
373 patched_cves = ' '.join(patched_cves)
374 if patched_cves:
375 recipe.sourceInfo = "CVEs fixed: " + patched_cves
376
377 cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
378 if cpe_ids:
379 for cpe_id in cpe_ids:
380 cpe = oe.spdx.SPDXExternalReference()
381 cpe.referenceCategory = "SECURITY"
382 cpe.referenceType = "http://spdx.org/rdf/references/cpe23Type"
383 cpe.referenceLocator = cpe_id
384 recipe.externalRefs.append(cpe)
385
386 doc.packages.append(recipe)
387 doc.add_relationship(doc, "DESCRIBES", recipe)
388
389 if process_sources(d) and include_sources:
390 recipe_archive = deploy_dir_spdx / "recipes" / (doc.name + ".tar.zst")
391 with optional_tarfile(recipe_archive, archive_sources) as archive:
392 spdx_get_src(d)
393
394 add_package_files(
395 d,
396 doc,
397 recipe,
398 spdx_workdir,
399 lambda file_counter: "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), file_counter),
400 lambda filepath: ["SOURCE"],
401 ignore_dirs=[".git"],
402 ignore_top_level_dirs=["temp"],
403 archive=archive,
404 )
405
406 if archive is not None:
407 recipe.packageFileName = str(recipe_archive.name)
408
409 dep_recipes = collect_dep_recipes(d, doc, recipe)
410
411 doc_sha1 = oe.sbom.write_doc(d, doc, "recipes")
412 dep_recipes.append(oe.sbom.DepRecipe(doc, doc_sha1, recipe))
413
414 sources = collect_dep_sources(d, dep_recipes)
415
416 pkgdest = Path(d.getVar("PKGDEST"))
417 for package in d.getVar("PACKAGES").split():
418 if not oe.packagedata.packaged(package, d):
419 continue
420
421 package_doc = oe.spdx.SPDXDocument()
422 pkg_name = d.getVar("PKG:%s" % package) or package
423 package_doc.name = pkg_name
424 package_doc.documentNamespace = get_doc_namespace(d, package_doc)
425 package_doc.creationInfo.created = creation_time
426 package_doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
427 package_doc.creationInfo.creators.append("Tool: meta-doubleopen")
428 package_doc.creationInfo.creators.append("Organization: Double Open Project ()")
429 package_doc.creationInfo.creators.append("Person: N/A ()")
430
431 recipe_ref = oe.spdx.SPDXExternalDocumentRef()
432 recipe_ref.externalDocumentId = "DocumentRef-recipe"
433 recipe_ref.spdxDocument = doc.documentNamespace
434 recipe_ref.checksum.algorithm = "SHA1"
435 recipe_ref.checksum.checksumValue = doc_sha1
436
437 package_doc.externalDocumentRefs.append(recipe_ref)
438
439 package_license = d.getVar("LICENSE:%s" % package) or d.getVar("LICENSE")
440
441 spdx_package = oe.spdx.SPDXPackage()
442
443 spdx_package.SPDXID = oe.sbom.get_package_spdxid(pkg_name)
444 spdx_package.name = pkg_name
445 spdx_package.versionInfo = d.getVar("PV")
446 spdx_package.licenseDeclared = convert_license_to_spdx(package_license, d)
447
448 package_doc.packages.append(spdx_package)
449
450 package_doc.add_relationship(spdx_package, "GENERATED_FROM", "%s:%s" % (recipe_ref.externalDocumentId, recipe.SPDXID))
451 package_doc.add_relationship(package_doc, "DESCRIBES", spdx_package)
452
453 package_archive = deploy_dir_spdx / "packages" / (package_doc.name + ".tar.zst")
454 with optional_tarfile(package_archive, archive_packaged) as archive:
455 package_files = add_package_files(
456 d,
457 package_doc,
458 spdx_package,
459 pkgdest / package,
460 lambda file_counter: oe.sbom.get_packaged_file_spdxid(pkg_name, file_counter),
461 lambda filepath: ["BINARY"],
462 archive=archive,
463 )
464
465 if archive is not None:
466 spdx_package.packageFileName = str(package_archive.name)
467
468 add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources)
469
470 oe.sbom.write_doc(d, package_doc, "packages")
471}
472# NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
473addtask do_create_spdx after do_package do_packagedata do_unpack before do_build do_rm_work
474
475SSTATETASKS += "do_create_spdx"
476do_create_spdx[sstate-inputdirs] = "${SPDXDEPLOY}"
477do_create_spdx[sstate-outputdirs] = "${DEPLOY_DIR_SPDX}"
478
479python do_create_spdx_setscene () {
480 sstate_setscene(d)
481}
482addtask do_create_spdx_setscene
483
484do_create_spdx[dirs] = "${SPDXDEPLOY} ${SPDXWORK}"
485do_create_spdx[cleandirs] = "${SPDXDEPLOY} ${SPDXWORK}"
486do_create_spdx[depends] += "${PATCHDEPENDENCY}"
487do_create_spdx[deptask] = "do_create_spdx"
488
489def spdx_get_src(d):
490 """
491 save patched source of the recipe in SPDX_WORKDIR.
492 """
493 import shutil
494 spdx_workdir = d.getVar('SPDXWORK')
495 spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
496 pn = d.getVar('PN')
497
498 workdir = d.getVar("WORKDIR")
499
500 try:
501 # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
502 if not is_work_shared(d):
503 # Change the WORKDIR to make do_unpack do_patch run in another dir.
504 d.setVar('WORKDIR', spdx_workdir)
505 # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
506 d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
507
508 # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
509 # possibly requiring of the following tasks (such as some recipes's
510 # do_patch required 'B' existed).
511 bb.utils.mkdirhier(d.getVar('B'))
512
513 bb.build.exec_func('do_unpack', d)
514 # Copy source of kernel to spdx_workdir
515 if is_work_shared(d):
516 d.setVar('WORKDIR', spdx_workdir)
517 d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
518 src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
519 bb.utils.mkdirhier(src_dir)
520 if bb.data.inherits_class('kernel',d):
521 share_src = d.getVar('STAGING_KERNEL_DIR')
522 cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
523 cmd_copy_kernel_result = os.popen(cmd_copy_share).read()
524 bb.note("cmd_copy_kernel_result = " + cmd_copy_kernel_result)
525
526 git_path = src_dir + "/.git"
527 if os.path.exists(git_path):
528 shutils.rmtree(git_path)
529
530 # Make sure gcc and kernel sources are patched only once
531 if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
532 bb.build.exec_func('do_patch', d)
533
534 # Some userland has no source.
535 if not os.path.exists( spdx_workdir ):
536 bb.utils.mkdirhier(spdx_workdir)
537 finally:
538 d.setVar("WORKDIR", workdir)
539
540do_rootfs[recrdeptask] += "do_create_spdx"
541
542ROOTFS_POSTUNINSTALL_COMMAND =+ "image_combine_spdx ; "
543python image_combine_spdx() {
544 import os
545 import oe.spdx
546 import oe.sbom
547 import io
548 import json
549 from oe.rootfs import image_list_installed_packages
550 from datetime import timezone, datetime
551 from pathlib import Path
552 import tarfile
553 import bb.compress.zstd
554
555 creation_time = datetime.now(tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
556 image_name = d.getVar("IMAGE_NAME")
557 image_link_name = d.getVar("IMAGE_LINK_NAME")
558
559 deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX"))
560 imgdeploydir = Path(d.getVar("IMGDEPLOYDIR"))
561 source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
562
563 doc = oe.spdx.SPDXDocument()
564 doc.name = image_name
565 doc.documentNamespace = get_doc_namespace(d, doc)
566 doc.creationInfo.created = creation_time
567 doc.creationInfo.comment = "This document was created by analyzing the source of the Yocto recipe during the build."
568 doc.creationInfo.creators.append("Tool: meta-doubleopen")
569 doc.creationInfo.creators.append("Organization: Double Open Project ()")
570 doc.creationInfo.creators.append("Person: N/A ()")
571
572 image = oe.spdx.SPDXPackage()
573 image.name = d.getVar("PN")
574 image.versionInfo = d.getVar("PV")
575 image.SPDXID = oe.sbom.get_image_spdxid(image_name)
576
577 doc.packages.append(image)
578
579 spdx_package = oe.spdx.SPDXPackage()
580
581 packages = image_list_installed_packages(d)
582
583 for name in sorted(packages.keys()):
584 pkg_spdx_path = deploy_dir_spdx / "packages" / (name + ".spdx.json")
585 pkg_doc, pkg_doc_sha1 = oe.sbom.read_doc(pkg_spdx_path)
586
587 for p in pkg_doc.packages:
588 if p.name == name:
589 pkg_ref = oe.spdx.SPDXExternalDocumentRef()
590 pkg_ref.externalDocumentId = "DocumentRef-%s" % pkg_doc.name
591 pkg_ref.spdxDocument = pkg_doc.documentNamespace
592 pkg_ref.checksum.algorithm = "SHA1"
593 pkg_ref.checksum.checksumValue = pkg_doc_sha1
594
595 doc.externalDocumentRefs.append(pkg_ref)
596 doc.add_relationship(image, "CONTAINS", "%s:%s" % (pkg_ref.externalDocumentId, p.SPDXID))
597 break
598 else:
599 bb.fatal("Unable to find package with name '%s' in SPDX file %s" % (name, pkg_spdx_path))
600
601 image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
602
603 with image_spdx_path.open("wb") as f:
604 doc.to_json(f, sort_keys=True)
605
606 image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
607 image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
608
609 num_threads = int(d.getVar("BB_NUMBER_THREADS"))
610
611 visited_docs = set()
612
613 index = {"documents": []}
614
615 spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
616 with bb.compress.zstd.open(spdx_tar_path, "w", num_threads=num_threads) as f:
617 with tarfile.open(fileobj=f, mode="w|") as tar:
618 def collect_spdx_document(path):
619 nonlocal tar
620 nonlocal deploy_dir_spdx
621 nonlocal source_date_epoch
622 nonlocal index
623
624 if path in visited_docs:
625 return
626
627 visited_docs.add(path)
628
629 with path.open("rb") as f:
630 doc = oe.spdx.SPDXDocument.from_json(f)
631 f.seek(0)
632
633 if doc.documentNamespace in visited_docs:
634 return
635
636 bb.note("Adding SPDX document %s" % path)
637 visited_docs.add(doc.documentNamespace)
638 info = tar.gettarinfo(fileobj=f)
639
640 info.name = doc.name + ".spdx.json"
641 info.uid = 0
642 info.gid = 0
643 info.uname = "root"
644 info.gname = "root"
645
646 if source_date_epoch is not None and info.mtime > int(source_date_epoch):
647 info.mtime = int(source_date_epoch)
648
649 tar.addfile(info, f)
650
651 index["documents"].append({
652 "filename": info.name,
653 "documentNamespace": doc.documentNamespace,
654 })
655
656 for ref in doc.externalDocumentRefs:
657 ref_path = deploy_dir_spdx / "by-namespace" / ref.spdxDocument.replace("/", "_")
658 collect_spdx_document(ref_path)
659
660 collect_spdx_document(image_spdx_path)
661
662 index["documents"].sort(key=lambda x: x["filename"])
663
664 index_str = io.BytesIO(json.dumps(index, sort_keys=True).encode("utf-8"))
665
666 info = tarfile.TarInfo()
667 info.name = "index.json"
668 info.size = len(index_str.getvalue())
669 info.uid = 0
670 info.gid = 0
671 info.uname = "root"
672 info.gname = "root"
673
674 tar.addfile(info, fileobj=index_str)
675
676 spdx_tar_link = imgdeploydir / (image_link_name + ".spdx.tar.zst")
677 spdx_tar_link.symlink_to(os.path.relpath(spdx_tar_path, spdx_tar_link.parent))
678}
679
diff --git a/meta/lib/oe/sbom.py b/meta/lib/oe/sbom.py
new file mode 100644
index 0000000000..d40e5b792f
--- /dev/null
+++ b/meta/lib/oe/sbom.py
@@ -0,0 +1,63 @@
1#
2# SPDX-License-Identifier: GPL-2.0-only
3#
4
5import collections
6
7DepRecipe = collections.namedtuple("DepRecipe", ("doc", "doc_sha1", "recipe"))
8DepSource = collections.namedtuple("DepSource", ("doc", "doc_sha1", "recipe", "file"))
9
10
11def get_recipe_spdxid(d):
12 return "SPDXRef-%s-%s" % ("Recipe", d.getVar("PN"))
13
14
15def get_package_spdxid(pkg):
16 return "SPDXRef-Package-%s" % pkg
17
18
19def get_source_file_spdxid(d, idx):
20 return "SPDXRef-SourceFile-%s-%d" % (d.getVar("PN"), idx)
21
22
23def get_packaged_file_spdxid(pkg, idx):
24 return "SPDXRef-PackagedFile-%s-%d" % (pkg, idx)
25
26
27def get_image_spdxid(img):
28 return "SPDXRef-Image-%s" % img
29
30
31def write_doc(d, spdx_doc, subdir):
32 from pathlib import Path
33
34 spdx_deploy = Path(d.getVar("SPDXDEPLOY"))
35
36 dest = spdx_deploy / subdir / (spdx_doc.name + ".spdx.json")
37 dest.parent.mkdir(exist_ok=True, parents=True)
38 with dest.open("wb") as f:
39 doc_sha1 = spdx_doc.to_json(f, sort_keys=True)
40
41 l = spdx_deploy / "by-namespace" / spdx_doc.documentNamespace.replace("/", "_")
42 l.parent.mkdir(exist_ok=True, parents=True)
43 l.symlink_to(os.path.relpath(dest, l.parent))
44
45 return doc_sha1
46
47
48def read_doc(filename):
49 import hashlib
50 import oe.spdx
51
52 with filename.open("rb") as f:
53 sha1 = hashlib.sha1()
54 while True:
55 chunk = f.read(4096)
56 if not chunk:
57 break
58 sha1.update(chunk)
59
60 f.seek(0)
61 doc = oe.spdx.SPDXDocument.from_json(f)
62
63 return (doc, sha1.hexdigest())
diff --git a/meta/lib/oe/spdx.py b/meta/lib/oe/spdx.py
new file mode 100644
index 0000000000..3f569c6862
--- /dev/null
+++ b/meta/lib/oe/spdx.py
@@ -0,0 +1,263 @@
1#
2# SPDX-License-Identifier: GPL-2.0-only
3#
4
5import hashlib
6import itertools
7import json
8
9SPDX_VERSION = "2.2"
10
11
12class _Property(object):
13 def __init__(self, *, default=None):
14 self.default = default
15
16 def setdefault(self, dest, name):
17 if self.default is not None:
18 dest.setdefault(name, self.default)
19
20
21class _String(_Property):
22 def __init__(self, **kwargs):
23 super().__init__(**kwargs)
24
25 def set_property(self, attrs, name):
26 def get_helper(obj):
27 return obj._spdx[name]
28
29 def set_helper(obj, value):
30 obj._spdx[name] = value
31
32 def del_helper(obj):
33 del obj._spdx[name]
34
35 attrs[name] = property(get_helper, set_helper, del_helper)
36
37 def init(self, source):
38 return source
39
40
41class _Object(_Property):
42 def __init__(self, cls, **kwargs):
43 super().__init__(**kwargs)
44 self.cls = cls
45
46 def set_property(self, attrs, name):
47 def get_helper(obj):
48 if not name in obj._spdx:
49 obj._spdx[name] = self.cls()
50 return obj._spdx[name]
51
52 def set_helper(obj, value):
53 obj._spdx[name] = value
54
55 def del_helper(obj):
56 del obj._spdx[name]
57
58 attrs[name] = property(get_helper, set_helper)
59
60 def init(self, source):
61 return self.cls(**source)
62
63
64class _ListProperty(_Property):
65 def __init__(self, prop, **kwargs):
66 super().__init__(**kwargs)
67 self.prop = prop
68
69 def set_property(self, attrs, name):
70 def get_helper(obj):
71 if not name in obj._spdx:
72 obj._spdx[name] = []
73 return obj._spdx[name]
74
75 def del_helper(obj):
76 del obj._spdx[name]
77
78 attrs[name] = property(get_helper, None, del_helper)
79
80 def init(self, source):
81 return [self.prop.init(o) for o in source]
82
83
84class _StringList(_ListProperty):
85 def __init__(self, **kwargs):
86 super().__init__(_String(), **kwargs)
87
88
89class _ObjectList(_ListProperty):
90 def __init__(self, cls, **kwargs):
91 super().__init__(_Object(cls), **kwargs)
92
93
94class MetaSPDXObject(type):
95 def __new__(mcls, name, bases, attrs):
96 attrs["_properties"] = {}
97
98 for key in attrs.keys():
99 if isinstance(attrs[key], _Property):
100 prop = attrs[key]
101 attrs["_properties"][key] = prop
102 prop.set_property(attrs, key)
103
104 return super().__new__(mcls, name, bases, attrs)
105
106
107class SPDXObject(metaclass=MetaSPDXObject):
108 def __init__(self, **d):
109 self._spdx = {}
110
111 for name, prop in self._properties.items():
112 prop.setdefault(self._spdx, name)
113 if name in d:
114 self._spdx[name] = prop.init(d[name])
115
116 def serializer(self):
117 return self._spdx
118
119 def __setattr__(self, name, value):
120 if name in self._properties or name == "_spdx":
121 super().__setattr__(name, value)
122 return
123 raise KeyError("%r is not a valid SPDX property" % name)
124
125
126class SPDXChecksum(SPDXObject):
127 algorithm = _String()
128 checksumValue = _String()
129
130
131class SPDXRelationship(SPDXObject):
132 spdxElementId = _String()
133 relatedSpdxElement = _String()
134 relationshipType = _String()
135 comment = _String()
136
137
138class SPDXExternalReference(SPDXObject):
139 referenceCategory = _String()
140 referenceType = _String()
141 referenceLocator = _String()
142
143
144class SPDXPackageVerificationCode(SPDXObject):
145 packageVerificationCodeValue = _String()
146 packageVerificationCodeExcludedFiles = _StringList()
147
148
149class SPDXPackage(SPDXObject):
150 name = _String()
151 SPDXID = _String()
152 versionInfo = _String()
153 downloadLocation = _String(default="NOASSERTION")
154 packageSupplier = _String(default="NOASSERTION")
155 homepage = _String()
156 licenseConcluded = _String(default="NOASSERTION")
157 licenseDeclared = _String(default="NOASSERTION")
158 summary = _String()
159 description = _String()
160 sourceInfo = _String()
161 copyrightText = _String(default="NOASSERTION")
162 licenseInfoFromFiles = _StringList(default=["NOASSERTION"])
163 externalRefs = _ObjectList(SPDXExternalReference)
164 packageVerificationCode = _Object(SPDXPackageVerificationCode)
165 hasFiles = _StringList()
166 packageFileName = _String()
167
168
169class SPDXFile(SPDXObject):
170 SPDXID = _String()
171 fileName = _String()
172 licenseConcluded = _String(default="NOASSERTION")
173 copyrightText = _String(default="NOASSERTION")
174 licenseInfoInFiles = _StringList(default=["NOASSERTION"])
175 checksums = _ObjectList(SPDXChecksum)
176 fileTypes = _StringList()
177
178
179class SPDXCreationInfo(SPDXObject):
180 created = _String()
181 licenseListVersion = _String()
182 comment = _String()
183 creators = _StringList()
184
185
186class SPDXExternalDocumentRef(SPDXObject):
187 externalDocumentId = _String()
188 spdxDocument = _String()
189 checksum = _Object(SPDXChecksum)
190
191
192class SPDXDocument(SPDXObject):
193 spdxVersion = _String(default="SPDX-" + SPDX_VERSION)
194 dataLicense = _String(default="CC0-1.0")
195 SPDXID = _String(default="SPDXRef-DOCUMENT")
196 name = _String()
197 documentNamespace = _String()
198 creationInfo = _Object(SPDXCreationInfo)
199 packages = _ObjectList(SPDXPackage)
200 files = _ObjectList(SPDXFile)
201 relationships = _ObjectList(SPDXRelationship)
202 externalDocumentRefs = _ObjectList(SPDXExternalDocumentRef)
203
204 def __init__(self, **d):
205 super().__init__(**d)
206
207 def to_json(self, f, *, sort_keys=False, indent=None, separators=None):
208 class Encoder(json.JSONEncoder):
209 def default(self, o):
210 if isinstance(o, SPDXObject):
211 return o.serializer()
212
213 return super().default(o)
214
215 sha1 = hashlib.sha1()
216 for chunk in Encoder(
217 sort_keys=sort_keys,
218 indent=indent,
219 separators=separators,
220 ).iterencode(self):
221 chunk = chunk.encode("utf-8")
222 f.write(chunk)
223 sha1.update(chunk)
224
225 return sha1.hexdigest()
226
227 @classmethod
228 def from_json(cls, f):
229 return cls(**json.load(f))
230
231 def add_relationship(self, _from, relationship, _to, *, comment=None):
232 if isinstance(_from, SPDXObject):
233 from_spdxid = _from.SPDXID
234 else:
235 from_spdxid = _from
236
237 if isinstance(_to, SPDXObject):
238 to_spdxid = _to.SPDXID
239 else:
240 to_spdxid = _to
241
242 r = SPDXRelationship(
243 spdxElementId=from_spdxid,
244 relatedSpdxElement=to_spdxid,
245 relationshipType=relationship,
246 )
247
248 if comment is not None:
249 r.comment = comment
250
251 self.relationships.append(r)
252
253 def find_by_spdxid(self, spdxid):
254 for o in itertools.chain(self.packages, self.files):
255 if o.SPDXID == spdxid:
256 return o
257 return None
258
259 def find_external_document_ref(self, namespace):
260 for r in self.externalDocumentRefs:
261 if r.spdxDocument == namespace:
262 return r
263 return None
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-01-23 10:46:55 +0000