-rw-r--r--meta/classes/create-spdx-2.2.bbclass51
-rw-r--r--meta/lib/oe/spdx30_tasks.py125
-rw-r--r--meta/lib/oe/spdx_common.py2
3 files changed, 88 insertions, 90 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 494bde117f..8f988de868 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -352,34 +352,33 @@ def add_download_packages(d, doc, recipe):
352 for download_idx, src_uri in enumerate(d.getVar('SRC_URI').split()): 352 for download_idx, src_uri in enumerate(d.getVar('SRC_URI').split()):
353 f = bb.fetch2.FetchData(src_uri, d) 353 f = bb.fetch2.FetchData(src_uri, d)
354 354
355 for name in f.names: 355 package = oe.spdx.SPDXPackage()
356 package = oe.spdx.SPDXPackage() 356 package.name = "%s-source-%d" % (d.getVar("PN"), download_idx + 1)
357 package.name = "%s-source-%d" % (d.getVar("PN"), download_idx + 1) 357 package.SPDXID = oe.sbom.get_download_spdxid(d, download_idx + 1)
358 package.SPDXID = oe.sbom.get_download_spdxid(d, download_idx + 1)
359 358
360 if f.type == "file": 359 if f.type == "file":
361 continue 360 continue
361
362 if f.method.supports_checksum(f):
363 for checksum_id in CHECKSUM_LIST:
364 if checksum_id.upper() not in oe.spdx.SPDXPackage.ALLOWED_CHECKSUMS:
365 continue
366
367 expected_checksum = getattr(f, "%s_expected" % checksum_id)
368 if expected_checksum is None:
369 continue
362 370
363 if f.method.supports_checksum(f): 371 c = oe.spdx.SPDXChecksum()
364 for checksum_id in CHECKSUM_LIST: 372 c.algorithm = checksum_id.upper()
365 if checksum_id.upper() not in oe.spdx.SPDXPackage.ALLOWED_CHECKSUMS: 373 c.checksumValue = expected_checksum
366 continue 374 package.checksums.append(c)
367 375
368 expected_checksum = getattr(f, "%s_expected" % checksum_id) 376 package.downloadLocation = oe.spdx_common.fetch_data_to_uri(f, f.name)
369 if expected_checksum is None: 377 doc.packages.append(package)
370 continue 378 doc.add_relationship(doc, "DESCRIBES", package)
371 379 # In the future, we might be able to do more fancy dependencies,
372 c = oe.spdx.SPDXChecksum() 380 # but this should be sufficient for now
373 c.algorithm = checksum_id.upper() 381 doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
374 c.checksumValue = expected_checksum
375 package.checksums.append(c)
376
377 package.downloadLocation = oe.spdx_common.fetch_data_to_uri(f, name)
378 doc.packages.append(package)
379 doc.add_relationship(doc, "DESCRIBES", package)
380 # In the future, we might be able to do more fancy dependencies,
381 # but this should be sufficient for now
382 doc.add_relationship(package, "BUILD_DEPENDENCY_OF", recipe)
383 382
384def get_license_list_version(license_data, d): 383def get_license_list_version(license_data, d):
385 # Newer versions of the SPDX license list are SemVer ("MAJOR.MINOR.MICRO"), 384 # Newer versions of the SPDX license list are SemVer ("MAJOR.MINOR.MICRO"),
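Review bot: The lookup `getattr(f, "%s_expected" % checksum_id)` at new line 367 has no default, so a FetchData object lacking one of the `*_expected` attributes would raise AttributeError and abort SBOM generation. The equivalent lookup in meta/lib/oe/spdx30_tasks.py passes `None`, and whether every fetcher defines all of these attributes is not visible here. Consider `expected_checksum = getattr(f, "%s_expected" % checksum_id, None)` so both generators behave the same. Separately, the package object is built at new lines 355-357 before `if f.type == "file": continue` discards it, so moving that check to the top of the loop body would make the skip clearer. add_download_packages begins outside the hunk.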
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 0618f2f139..1841b0de4a 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -356,78 +356,77 @@ def add_download_files(d, objset):
356 for download_idx, src_uri in enumerate(urls): 356 for download_idx, src_uri in enumerate(urls):
357 fd = fetch.ud[src_uri] 357 fd = fetch.ud[src_uri]
358 358
359 for name in fd.names: 359 file_name = os.path.basename(fetch.localpath(src_uri))
360 file_name = os.path.basename(fetch.localpath(src_uri)) 360 if oe.patch.patch_path(src_uri, fetch, "", expand=False):
361 if oe.patch.patch_path(src_uri, fetch, "", expand=False): 361 primary_purpose = oe.spdx30.software_SoftwarePurpose.patch
362 primary_purpose = oe.spdx30.software_SoftwarePurpose.patch 362 else:
363 else: 363 primary_purpose = oe.spdx30.software_SoftwarePurpose.source
364 primary_purpose = oe.spdx30.software_SoftwarePurpose.source 364
365 365 if fd.type == "file":
366 if fd.type == "file": 366 if os.path.isdir(fd.localpath):
367 if os.path.isdir(fd.localpath): 367 walk_idx = 1
368 walk_idx = 1 368 for root, dirs, files in os.walk(fd.localpath, onerror=walk_error):
369 for root, dirs, files in os.walk(fd.localpath, onerror=walk_error): 369 dirs.sort()
370 dirs.sort() 370 files.sort()
371 files.sort() 371 for f in files:
372 for f in files: 372 f_path = os.path.join(root, f)
373 f_path = os.path.join(root, f) 373 if os.path.islink(f_path):
374 if os.path.islink(f_path): 374 # TODO: SPDX doesn't support symlinks yet
375 # TODO: SPDX doesn't support symlinks yet 375 continue
376 continue
377
378 file = objset.new_file(
379 objset.new_spdxid(
380 "source", str(download_idx + 1), str(walk_idx)
381 ),
382 os.path.join(
383 file_name, os.path.relpath(f_path, fd.localpath)
384 ),
385 f_path,
386 purposes=[primary_purpose],
387 )
388 376
389 inputs.add(file) 377 file = objset.new_file(
390 walk_idx += 1 378 objset.new_spdxid(
379 "source", str(download_idx + 1), str(walk_idx)
380 ),
381 os.path.join(
382 file_name, os.path.relpath(f_path, fd.localpath)
383 ),
384 f_path,
385 purposes=[primary_purpose],
386 )
391 387
392 else: 388 inputs.add(file)
393 file = objset.new_file( 389 walk_idx += 1
394 objset.new_spdxid("source", str(download_idx + 1)),
395 file_name,
396 fd.localpath,
397 purposes=[primary_purpose],
398 )
399 inputs.add(file)
400 390
401 else: 391 else:
402 dl = objset.add( 392 file = objset.new_file(
403 oe.spdx30.software_Package( 393 objset.new_spdxid("source", str(download_idx + 1)),
404 _id=objset.new_spdxid("source", str(download_idx + 1)), 394 file_name,
405 creationInfo=objset.doc.creationInfo, 395 fd.localpath,
406 name=file_name, 396 purposes=[primary_purpose],
407 software_primaryPurpose=primary_purpose,
408 software_downloadLocation=oe.spdx_common.fetch_data_to_uri(
409 fd, name
410 ),
411 )
412 ) 397 )
398 inputs.add(file)
413 399
414 if fd.method.supports_checksum(fd): 400 else:
415 # TODO Need something better than hard coding this 401 dl = objset.add(
416 for checksum_id in ["sha256", "sha1"]: 402 oe.spdx30.software_Package(
417 expected_checksum = getattr( 403 _id=objset.new_spdxid("source", str(download_idx + 1)),
418 fd, "%s_expected" % checksum_id, None 404 creationInfo=objset.doc.creationInfo,
419 ) 405 name=file_name,
420 if expected_checksum is None: 406 software_primaryPurpose=primary_purpose,
421 continue 407 software_downloadLocation=oe.spdx_common.fetch_data_to_uri(
408 fd, fd.name
409 ),
410 )
411 )
422 412
423 dl.verifiedUsing.append( 413 if fd.method.supports_checksum(fd):
424 oe.spdx30.Hash( 414 # TODO Need something better than hard coding this
425 algorithm=getattr(oe.spdx30.HashAlgorithm, checksum_id), 415 for checksum_id in ["sha256", "sha1"]:
426 hashValue=expected_checksum, 416 expected_checksum = getattr(
427 ) 417 fd, "%s_expected" % checksum_id, None
418 )
419 if expected_checksum is None:
420 continue
421
422 dl.verifiedUsing.append(
423 oe.spdx30.Hash(
424 algorithm=getattr(oe.spdx30.HashAlgorithm, checksum_id),
425 hashValue=expected_checksum,
428 ) 426 )
427 )
429 428
430 inputs.add(dl) 429 inputs.add(dl)
431 430
432 return inputs 431 return inputs
433 432
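Review bot: The checksum loop at new lines 413-427 only looks up `sha256` and `sha1`, so a download whose recipe supplies only some other expected checksum would be emitted with an empty `verifiedUsing`. SBOM consumers would then have no integrity data for it, a gap the existing TODO already acknowledges. create-spdx-2.2.bbclass in this same commit iterates `CHECKSUM_LIST` and filters against the allowed set. Doing the same here, and skipping ids with no matching member via `getattr(oe.spdx30.HashAlgorithm, checksum_id, None)`, would keep the two generators consistent. Whether `CHECKSUM_LIST` is in scope in this module is not visible in the hunk, and add_download_files begins outside it.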
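--- a/meta/lib/oe/spdx_common.py
+++ b/meta/lib/oe/spdx_common.py
@@ -239,6 +239,6 @@ def fetch_data_to_uri(fd, name):
 uri = uri + "://" + fd.host + fd.path
 
 if fd.method.supports_srcrev():
-uri = uri + "@" + fd.revisions[name]
+uri = uri + "@" + fd.revision
 
 return uri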
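Review bot: The `name` parameter of `fetch_data_to_uri(fd, name)` is no longer read in the visible lines now that new line 242 uses `fd.revision`, yet both callers in this commit still pass `f.name` / `fd.name`. That leaves a signature suggesting per-name revisions are still honoured. Either drop the argument at the call sites or add a docstring line such as `name is unused and kept only for caller compatibility; the revision always comes from fd.revision`. Because this string becomes the SBOM download location, it may also be worth guarding the concatenation with `if fd.method.supports_srcrev() and fd.revision:`, though whether `fd.revision` can be unset here is not visible. The function begins outside the hunk.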