1 files changed, 43 insertions, 3 deletions
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 658e533d75..6a39246fe1 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -964,7 +964,7 @@ def write_bitbake_spdx(d):
    oe.sbom30.write_jsonld_doc(d, objset, deploy_dir_spdx / "bitbake.spdx.json")
-def collect_build_package_inputs(d, objset, build, packages):
+def collect_build_package_inputs(d, objset, build, packages, files_by_hash=None):
    import oe.sbom30
    providers = oe.spdx_common.collect_package_providers(d)
@@ -980,7 +980,7 @@ def collect_build_package_inputs(d, objset, build, packages):
        pkg_name, pkg_hashfn = providers[name]
        # Copy all of the package SPDX files into the Sbom elements
-        pkg_spdx, _ = oe.sbom30.find_root_obj_in_jsonld(
+        pkg_spdx, pkg_objset = oe.sbom30.find_root_obj_in_jsonld(
            d,
            "packages",
            "package-" + pkg_name,
@@ -989,6 +989,10 @@ def collect_build_package_inputs(d, objset, build, packages):
        )
        build_deps.add(oe.sbom30.get_element_link_id(pkg_spdx))
+        if files_by_hash is not None:
+            for h, f in pkg_objset.by_sha256_hash.items():
+                files_by_hash.setdefault(h, set()).update(f)
    if missing_providers:
        bb.fatal(
            f"Unable to find SPDX provider(s) for: {', '.join(sorted(missing_providers))}"
@@ -1008,6 +1012,7 @@ def create_rootfs_spdx(d):
    deploydir = Path(d.getVar("SPDXROOTFSDEPLOY"))
    root_packages_file = Path(d.getVar("SPDX_ROOTFS_PACKAGES"))
    image_basename = d.getVar("IMAGE_BASENAME")
+    image_rootfs = d.getVar("IMAGE_ROOTFS")
    machine = d.getVar("MACHINE")
    with root_packages_file.open("r") as f:
@@ -1037,7 +1042,42 @@ def create_rootfs_spdx(d):
        [rootfs],
    )
-    collect_build_package_inputs(d, objset, rootfs_build, packages)
+    files_by_hash = {}
+    collect_build_package_inputs(d, objset, rootfs_build, packages, files_by_hash)
+    files = set()
+    for dirpath, dirnames, filenames in os.walk(image_rootfs):
+        for fn in filenames:
+            fpath = Path(dirpath) / fn
+            if not fpath.is_file() or fpath.is_symlink():
+                continue
+            relpath = str(fpath.relative_to(image_rootfs))
+            h = bb.utils.sha256_file(fpath)
+            found = False
+            if h in files_by_hash:
+                for f in files_by_hash[h]:
+                    if isinstance(f, oe.spdx30.software_File) and f.name == relpath:
+                        files.add(oe.sbom30.get_element_link_id(f))
+                        found = True
+                        break
+            if not found:
+                files.add(
+                    objset.new_file(
+                        objset.new_spdxid("rootfs-file", relpath),
+                        relpath,
+                        fpath,
+                    )
+                )
+    if files:
+        objset.new_relationship(
+            [rootfs],
+            oe.spdx30.RelationshipType.contains,
+            sorted(list(files)),
+        )
    oe.sbom30.write_recipe_jsonld_doc(d, objset, "rootfs", deploydir)

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 658e533d75..6a39246fe1 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -964,7 +964,7 @@ def write_bitbake_spdx(d):
964	oe.sbom30.write_jsonld_doc(d, objset, deploy_dir_spdx / "bitbake.spdx.json")	964	oe.sbom30.write_jsonld_doc(d, objset, deploy_dir_spdx / "bitbake.spdx.json")
965		965
966		966
967	def collect_build_package_inputs(d, objset, build, packages):	967	def collect_build_package_inputs(d, objset, build, packages, files_by_hash=None):
968	import oe.sbom30	968	import oe.sbom30
969		969
970	providers = oe.spdx_common.collect_package_providers(d)	970	providers = oe.spdx_common.collect_package_providers(d)
@@ -980,7 +980,7 @@ def collect_build_package_inputs(d, objset, build, packages):
980	pkg_name, pkg_hashfn = providers[name]	980	pkg_name, pkg_hashfn = providers[name]
981		981
982	# Copy all of the package SPDX files into the Sbom elements	982	# Copy all of the package SPDX files into the Sbom elements
983	pkg_spdx, _ = oe.sbom30.find_root_obj_in_jsonld(	983	pkg_spdx, pkg_objset = oe.sbom30.find_root_obj_in_jsonld(
984	d,	984	d,
985	"packages",	985	"packages",
986	"package-" + pkg_name,	986	"package-" + pkg_name,
@@ -989,6 +989,10 @@ def collect_build_package_inputs(d, objset, build, packages):
989	)	989	)
990	build_deps.add(oe.sbom30.get_element_link_id(pkg_spdx))	990	build_deps.add(oe.sbom30.get_element_link_id(pkg_spdx))
991		991
		992	if files_by_hash is not None:
		993	for h, f in pkg_objset.by_sha256_hash.items():
		994	files_by_hash.setdefault(h, set()).update(f)
		995
992	if missing_providers:	996	if missing_providers:
993	bb.fatal(	997	bb.fatal(
994	f"Unable to find SPDX provider(s) for: {', '.join(sorted(missing_providers))}"	998	f"Unable to find SPDX provider(s) for: {', '.join(sorted(missing_providers))}"
@@ -1008,6 +1012,7 @@ def create_rootfs_spdx(d):
1008	deploydir = Path(d.getVar("SPDXROOTFSDEPLOY"))	1012	deploydir = Path(d.getVar("SPDXROOTFSDEPLOY"))
1009	root_packages_file = Path(d.getVar("SPDX_ROOTFS_PACKAGES"))	1013	root_packages_file = Path(d.getVar("SPDX_ROOTFS_PACKAGES"))
1010	image_basename = d.getVar("IMAGE_BASENAME")	1014	image_basename = d.getVar("IMAGE_BASENAME")
		1015	image_rootfs = d.getVar("IMAGE_ROOTFS")
1011	machine = d.getVar("MACHINE")	1016	machine = d.getVar("MACHINE")
1012		1017
1013	with root_packages_file.open("r") as f:	1018	with root_packages_file.open("r") as f:
@@ -1037,7 +1042,42 @@ def create_rootfs_spdx(d):
1037	[rootfs],	1042	[rootfs],
1038	)	1043	)
1039		1044
1040	collect_build_package_inputs(d, objset, rootfs_build, packages)	1045	files_by_hash = {}
		1046	collect_build_package_inputs(d, objset, rootfs_build, packages, files_by_hash)
		1047
		1048	files = set()
		1049	for dirpath, dirnames, filenames in os.walk(image_rootfs):
		1050	for fn in filenames:
		1051	fpath = Path(dirpath) / fn
		1052	if not fpath.is_file() or fpath.is_symlink():
		1053	continue
		1054
		1055	relpath = str(fpath.relative_to(image_rootfs))
		1056	h = bb.utils.sha256_file(fpath)
		1057
		1058	found = False
		1059	if h in files_by_hash:
		1060	for f in files_by_hash[h]:
		1061	if isinstance(f, oe.spdx30.software_File) and f.name == relpath:
		1062	files.add(oe.sbom30.get_element_link_id(f))
		1063	found = True
		1064	break
		1065
		1066	if not found:
		1067	files.add(
		1068	objset.new_file(
		1069	objset.new_spdxid("rootfs-file", relpath),
		1070	relpath,
		1071	fpath,
		1072	)
		1073	)
		1074
		1075	if files:
		1076	objset.new_relationship(
		1077	[rootfs],
		1078	oe.spdx30.RelationshipType.contains,
		1079	sorted(list(files)),
		1080	)
1041		1081
1042	oe.sbom30.write_recipe_jsonld_doc(d, objset, "rootfs", deploydir)	1082	oe.sbom30.write_recipe_jsonld_doc(d, objset, "rootfs", deploydir)
1043		1083