summaryrefslogtreecommitdiffstats
path: root/meta/lib/oe
Commit message (Collapse)AuthorAgeFilesLines
* spdx30: Allow VEX Justification to be configurableJoshua Watt9 days1-17/+16
| | | | | | | | | | | | | | | Instead of hard coding the VEX justifications for "Ignored" CVE status, add a map that configures what justification should be used for each status. This allows other justifications to be easily added, and also ensures that status fields added externally (by downstream) can set an appropriate justification if necessary. (From OE-Core rev: c0fa3d92cefa74fa57c6c48c94acc64aa454e781) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sanity/utils: Directly use gcc, not BUILD_CCRichard Purdie9 days1-11/+6
| | | | | | | | | The test/helper is written assuming gcc, so just call that and stop accessing BUILD_CC which may be set to clang. (From OE-Core rev: 0a165a93693a293f08cb0d7e2dfa1016803a917a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* uninative/utils: Drop workarounds for gcc 4.8/4.9Richard Purdie9 days1-26/+0
| | | | | | | | | We require at least gcc 8.0 in sanity.bbclass so drop the 4.8/4.9 special case handling in uninative. (From OE-Core rev: 552e037bf598ac523f35b69d2dafc99e5ba59c5f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/licenses: move tidy_licenses from recipetoolRoss Burton11 days1-0/+15
| | | | | | | | | | This function, to tidy a license string, is useful outside of recipetool so move it to oe.license. (From OE-Core rev: 9d57b53169bc60b281510c49e54123941a17a8f5) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30_tasks: Change recipe license to declaredJoshua Watt2025-06-261-1/+1
| | | | | | | | | | | Per discussion with the SPDX licensing group, recipe LICENSE statements classify as a declared license, not a concluded license. (From OE-Core rev: 561447c7cc1485366dbf41cfbf8dcc1cbf29d043) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/go: document map_arch, and raise an error on unknown architectureRoss Burton2025-06-231-1/+5
| | | | | | | | | | | | | Add a comment explaining what this function does and where the values come from. If the architecture isn't know, instead of returning an empty string which could fail mysteriously, raise a KeyError so it fails quickly. (From OE-Core rev: 025414c16319b068df1cd757ad9a3c987a6b871d) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove S in recipes that fetch from git via setting ↵Alexander Kanavin2025-06-201-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | BB_GIT_DEFAULT_DESTSUFFIX Removing all the S = ${WORKDIR}/git assignments works because BB_GIT_DEFAULT_DESTSUFFIX is set to match S from bitbake.conf (which itself is set to match typical tarball releases). A few recipes are setting S to a sub-directory of the git tree and need to be adjusted accordingly. bzip2 recipe is fetching a tarball and separately cloning tests; adjust the recipe to put the latter into 'bzip2-tests', instead of 'git'. devupstream.bbclass no longer needs to rewrite S, and is adjusted accordingly. Adjust scripts/lib/recipetool/append.py to not hardcode 'git' as unpack destination. Adjust kernel-yocto.bbclass to use the git unpack variable instead of hardcoding 'git' (there's also removal of repetition of string constants and a correction of workdir/unpackdir mismatch in one of the if-else branches). Ensure build-appliance-image recipe does not use 'git' as checkout directory for poky repo, but rather explicitly name it 'poky'. Ensure reproducible.py code that looks for git repositories does not hardcode 'git' but uses the destination set by BB_GIT_DEFAULT_DESTSUFFIX. Ensure recipetool does not write out unneeded S settings into newly created recipes that fetch from git. Adjust selftest to not hardcode 'git' as unpack directory. (From OE-Core rev: f80c07019ddadaf9c5fb890faabfda7920ecd15e) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rust-target-config.bbclass: Update for new riscv TUNE_FEATURESMark Hatle2025-06-201-2/+0
| | | | | | | | | | | | | | | | Add the new TUNE_FEATURES to the 'features:' list, based on matching output with: rustc --target=riscv32i-unknown-none-elf -Ctarget-feature=help Use the TUNE_RISCV_ABI instead of guessing for the ABI. Pass the arch "as-is", since it should now be riscv32 or riscv64. (From OE-Core rev: 88b59db87d2c65e5be0f3fee1ebf4ee64ef05f18) Signed-off-by: Mark Hatle <mark.hatle@amd.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* riscv tunes: ISA Implementation of RISC-V tune featuresMark Hatle2025-06-202-1/+82
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements the following base ISAs: * rv32i, rv64i * rv32e, rv64i The following ABIs: * ilp32, ilp32e, ilp32f, ilp32d * lp64, lp64e, lp64f, lp64d The following ISA extension are also implemented: * M - Integer Multiplication and Division Extension * A - Atomic Memory Extension * F - Single-Precision Floating-Point Extension * D - Double-Precision Floating-Point Extension * C - Compressed Extension * B - Bit Manipulation Extension (implies Zba, Zbb, Zbs) * V - Vector Operations Extension * Zicsr - Control and Status Register Access Extension * Zifencei - Instruction-Fetch Fence Extension * Zba - Address bit manipulation extension * Zbb - Basic bit manipulation extension * Zbc - Carry-less multiplication extension * Zbs - Single-bit manipulation extension * Zicbom - Cache-block management extension The existing processors tunes are preserved: * riscv64 (rv64gc) * riscv32 (rv32gc) * riscv64nf (rv64imac_zicsr_zifencei) * riscv32nf (rv32imac_zicsr_zifencei) * riscv64nc (rv64imafd_zicsr_zifencei) Previously defined feature 'big-endian' has been removed as it was not used. (From OE-Core rev: bcaf298a146dfd10e4c8f44223ea083bc4baf45c) Signed-off-by: Mark Hatle <mark.hatle@amd.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx: add option to include only compiled sourcesDaniel Turull2025-06-172-0/+51
| | | | | | | | | | | | | | | | | | | | | | | | When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the source code files that are used during compilation. It uses debugsource information generated during do_package. This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled. As example, when used with the default config with linux-yocto, the spdx size is reduced from 156MB to 61MB. Tested with bitbake world on oe-core. CC: Quentin Schulz <quentin.schulz@cherry.de> CC: Joshua Watt <JPEWhacker@gmail.com> CC: Peter Marko <peter.marko@siemens.com> (From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968) Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* wic: Update after plugin name changesRichard Purdie2025-06-161-1/+1
| | | | | | | | Update the plugin names to account for the "-" to "_" plugin name change. (From OE-Core rev: afa1b5c9f6ed17c021e37a54d0d6abee50a60bf9) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/license_finder: support extra hashes being passed to find_licensesRoss Burton2025-06-161-3/+4
| | | | | | | | | | | | | When using the license finder the caller might know some more license hashes, for example if it is updating existing metadata. Allow the caller to pass more hashes that can be used when identifying licenses. (From OE-Core rev: 9011bc307fcdccb144b75d77b36bbc5c8d4bd96d) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/license_finder: rewrite license checksum loading, scan more licensesRoss Burton2025-06-161-36/+29
| | | | | | | | | | | | | Rewrite the license checksum generation and loading of CSV files to be clearer. This also expands the scan of COMMON_LICENSE_DIR to include LICENSE_PATH, which can be extended by layers to provide more license texts. (From OE-Core rev: 417240ba7a9b3985530988940a222b079b503b64) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/license_finder: don't return the "crunched" license text in crunch_licenseRoss Burton2025-06-161-7/+6
| | | | | | | | | | | | | | crunch_license() will perform some basic text manipulation to try and canonicalise the license texts. It also returns the new license text but none of the callers use this, and as a slightly mangled version of the original it has no real purpose. Remove this return value and clean up the callers. (From OE-Core rev: 34603ed3b4919dcfba19ef57db11a6d3bb2704f1) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/license_finder: remove unused arguments in get_license_md5sumsRoss Burton2025-06-161-14/+9
| | | | | | | | | | | | | | | get_license_md5sums() has two optional arguments: - static_only: if set, don't checksum the licenses in COMMON_LICENSE_DIR - linenumbers: if set, the CSV file can contain begin/end/md5 values as used in LIC_FILES_CHKSUM. Neither of these are used and complicate the logic, so remove them. (From OE-Core rev: 148e501bd4fe65e7bed68d086ba98180a9b2483c) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/license_finder: consolidate hash->license mapsRoss Burton2025-06-161-59/+0
| | | | | | | | | | | | | | There are two locations where mappings of checksums to license names are: the license-hashes.csv file and a hard-coded set of assignments in the code. There's no need for two, so remove the assignments and move the hashes into the CSV file. (From OE-Core rev: a775c6cb5a2bf1f30a94ba3b88af9aa491e98b1a) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/license_finder: add first_only argument to find_licenses()Ross Burton2025-06-161-4/+12
| | | | | | | | | | | | It may be desired to find only the "top-level" license file instead of every potential candidate, so add a first_only argument (defaulting to False to preserve existing behaviour) to return just the first license found. (From OE-Core rev: 995936ffda02a1def1863490ec315783a7470c72) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/license_finder: skip .sh files when looking for licensesRoss Burton2025-06-161-1/+1
| | | | | | | | | Shell scripts are not licenses, so skip them. (From OE-Core rev: 0ce9ad80d3b90edc1d1e690763e8f3d9f0cd523d) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/license_finder: extract license finding code from recipetoolRoss Burton2025-06-161-0/+242
| | | | | | | | | | | | This code is 99% identical to the original code in recipetool/create.py, but with two minor changes: - The implicit recipetool logger is changed to an explicit logger - The CSV of license hashes is moved to meta/files/ (From OE-Core rev: b132652c6e520121c6b0e7e873b0d33ede0309b5) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe: Move vardepexclude entries alongside functionsRichard Purdie2025-06-165-1/+15
| | | | | | | | | Now we have decorators that can do this, move the variable dependencies exclusions alongside the code that needs them for maintainability. (From OE-Core rev: e522169c5f95de6fc74b43672573700d8eb8e082) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* package: export debugsources in PKGDESTWORK as jsonDaniel Turull2025-06-121-0/+46
| | | | | | | | | | | | | | | | | | | | | | | The source information used during packaging can be use from other tasks to have more detailed information on the files used during the compilation and improve SPDX accuracy. Source files used during compilation are store as compressed zstd json in pkgdata/debugsources/$PN-debugsources.json.zstd Format: { binary1: [src1, src2, ...], binary2: [src1, src2, ...] } I checked the sstate size, and it slightly increases using core-image-full-cmdline: without patch: 2456792 KB sstate-cache/ with patch: 2460028 KB sstate-cache/ (4236 KB or 0.17%) CC: Richard Purdie <richard.purdie@linuxfoundation.org> (From OE-Core rev: c507dcb8a8780a42bfe68b1ebaff0909b4236e6b) Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* kernel-fit-image.bbclass: add a new FIT image implementationAdrian Freihofer2025-06-051-0/+547
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The new recipe linux-yocto-fitimage.bb and the new kernel-fit-image.bbclass are intended to become successors of the kernel-fitimage.bbclass. Instead of injecting the FIT image related build steps into the kernel recipe, the new recipe takes the kernel artifacts from the kernel recipe and creates the FIT image as an independent task. This solves some basic problems: * sstate does not work well when a fitImage contains an initramfs. The kernel is rebuilt from scratch if the build runs from an empty TMPDIR. * A fitImage kernel is not available as a package, but all other kernel image types are. * The task dependencies in the kernel are very complex and difficult to debug if something goes wrong. As a separate, downstream recipe, this is now much easier. The recipe takes the kernel artifacts from the deploy folder. There was also a test implementation passing the kernel artifacts via sysroot directory. This requires changes on the kernel.bbclass to make it copying the artifacts also to the sysroot directory while the same artifacts are already in the sstate-cached deploy directory. The new class kernel-fit-extra-artifacts.bbclass generates and deploys the kernel binary intended for inclusion in a FIT image. Note that the kernel used in a FIT image is a stripped (and optionally compressed) vmlinux ELF binary - not a self-extracting format like zImage, which is already available in the deploy directory if needed separately. The kernel-fit-extra-artifacts.bbclass can be used like this: KERNEL_CLASSES += "kernel-fit-extra-artifacts" (if uImage support is not needed, or with :append otherwise) The long story about this issue is here: [YOCTO #12912] (From OE-Core rev: 05d0c7342d7638dbe8a9f2fd3d1c709ee87d6579) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rootfs.py: Don't create modules directory for all kernelsMike Crowe2025-05-271-5/+6
| | | | | | | | | | | | | | | | | | | | | efa88e1c227d695319197f511701e0230d301f39 arranged for the versioned modules directory to be created and depmod to run for every kernel package. Unfortunately this happens for every _built_ kernel package, even if that package and/or its modules aren't installed in the rootfs. Let's assume that there's no point in running depmod if the modules directory did not already exist. (This problem was observed in Scarthgap and this fix was tested there. It doesn't look like any of the subsequent changes will have affected this behaviour.) (From OE-Core rev: 80c218462c6e4a2deb73803a5d36e8b1f7ed5ed7) Signed-off-by: Mike Crowe <mac@mcrowe.com> Reviewed-by: Jack Mitchell <jack@embed.me.uk> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oe/sdk: fix empty SDK manifestsRoss Burton2025-05-121-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The SDK manifests are generated by listing the sstate was that used, but it hardcodes that the sstate data filenames end in .tgz. This has not been the case since sstate switched to Zstd[1] in 2021, which meant that all of the tests which checked for packages existing were being skipped as the manifests were empty. For example, see a representative core-image-sato eSDK test run[2]: RESULTS - cmake.CMakeTest.test_assimp: SKIPPED (0.00s) RESULTS - gtk3.GTK3Test.test_galculator: SKIPPED (0.00s) RESULTS - kmod.KernelModuleTest.test_cryptodev: SKIPPED (0.00s) RESULTS - maturin.MaturinDevelopTest.test_maturin_develop: SKIPPED (0.00s) RESULTS - maturin.MaturinTest.test_maturin_list_python: SKIPPED (0.00s) RESULTS - meson.MesonTest.test_epoxy: SKIPPED (0.00s) RESULTS - perl.PerlTest.test_perl: SKIPPED (0.00s) RESULTS - python.Python3Test.test_python3: SKIPPED (0.00s) All of those tests should have been ran. Solve this by generalising the filename check so that it doesn't care what specfic compression algorithm is used. [1] oe-core 0710e98f40e ("sstate: Switch to ZStandard compressor support") [2] https://autobuilder.yoctoproject.org/valkyrie/#/builders/16/builds/1517/steps/15/logs/stdio (From OE-Core rev: b293c44f87b6a52e4239ce14066514e87d9b08d0) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: Provide software_packageUrl field in SPDX 3.0 SBOMHongxu Jia2025-05-081-0/+8
| | | | | | | | | | | | | | | | | | | Define var-SPDX_PACKAGE_URL to provide software_packageUrl field [1][2] in SPDX 3.0 SBOM, support to override with package name SPDX_PACKAGE_URL:<pkgname> Currently, the format of purl is not defined in Yocto, set empty for now until we have a comprehensive plan for what Yocto purls look like. But users could customize their own purl by setting var-SPDX_PACKAGE_URL [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Properties/packageUrl/ [2] https://spdx.github.io/spdx-spec/v3.0.1/annexes/pkg-url-specification/ (From OE-Core rev: c8e6953a0b6f59ffca994c440069db39e60b12d2) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/classes/conf: refactor qemu.bbclass functions into library functionsChen Qi2025-05-012-1/+55
| | | | | | | | | | | | | | | | | Move the functions in qemu.bbclass to meta/lib/oe/qemu.py as they are generally useful. The qemu.bbclass is still kept, and recipes can continue to use functions from it, though they have become wrapper functions on qemu.py functions. Note that the QEMU_OPTIONS settings are still kept in qemu.bbclass. This sets a clear barrier for people to use qemu user mode. (From OE-Core rev: 7b3563b3b3901c96c3e498799a83ab8cabcf84b4) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sstatesig: Handle special case of llvm-project-source shared-workdirKhem Raj2025-05-011-0/+3
| | | | | | | | | | | | | | | | | bitbake-dumpsig or bitbake-diffsig tools do not work on any of tasks exposed by llvm-project-source recipe. This is due to it being a shared-workdir recipe. Fixes bitbake-diffsigs -t llvm-project-source-20.1.2 do_preconfigure NOTE: Starting bitbake server... ERROR: No sigdata files found matching llvm-project-source-20.1.2 do_preconfigure (From OE-Core rev: a6d46935939a94b8ea2b83c024aa86f05efbd7ce) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: extract extending CVE_STATUS to library functionPeter Marko2025-04-241-0/+22
| | | | | | | | | | | | The same code for extending CVE_STATUS by CVE_CHECK_IGNORE and CVE_STATUS_GROUPS is used on multiple places. Create a library funtion to have the code on single place and ready for reuse by additional classes. (From OE-Core rev: 45e18f4270d084d81c21b1e5a4a601ce975d8a77) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* buildstats.py: Add tracking of network I/O per interfaceOlga Denisova2025-04-241-2/+41
| | | | | | | | | | | | | | This patch extends SystemStats to collect and store data from /proc/net/dev. It extracts per-interface received and transmitted bytes, calculates deltas between samples, and stores them for further analysis. Useful for identifying network bottlenecks during long-running builds. (From OE-Core rev: 09cbe17e43783fc6b8e3a341d564956452a04c0a) Signed-off-by: denisova-ok <denisova.olga.k@yandex.ru> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* buildstats.py: extend diskstats support for NVMe and flexible token countdenisova-ok2025-04-241-2/+2
| | | | | | | | | | | | Added support for NVMe devices in the diskstats regex pattern to ensure stats are properly collected from devices like nvme0n1. Relaxed the check for the number of fields in /proc/diskstats from an exact match (14) to a minimum check (at least 14), to handle kernel variations and additional fields gracefully. (From OE-Core rev: 87a31bc4ca3661aae94cf43f3f579b02f4fb4923) Signed-off-by: denisova-ok <denisova.olga.k@yandex.ru> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* buildcfg: get_metadata_git_*: catch also bb.process.NotFoundErrorMartin Jansa2025-04-241-6/+6
| | | | | | | | | | * bb.process.NotFoundError is triggered when e.g. oe.buildcfg.get_metadata_git_branch is called on non-existent directory (From OE-Core rev: 34c1f66c4c689b26a4c3129eb62f4ff9b6ec14be) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bitbake.conf: Switch prefix mapping to use -ffile-prefix-mapKhem Raj2025-04-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | -ffile-prefix map is more comprehensive when it comes to reproducible builds and its superset of all prefix-mapping options in compilers This makes is cleaner and workable across gcc and clang, clang does not support -fcanon-prefix-map and it has to be explicitly omitted when using clang. There are lambdas generated in templates by clang which still get the absolute paths despite -fdebug-prefix-map, this helps with that as well. nasm is an outlier and we have fixed it by adding -fdebug-prefix-map option luckily we do not pass DEBUG_PREFIX_MAP to nasm, in all recipes which use nasm either pass -fdebug-prefix-map explicitly to nasm or they rewrite it to use nasm flags syntax. We have discussed this in past [1] [1] https://patchwork.yoctoproject.org/project/oe-core/patch/20230428032030.2047920-1-raj.khem@gmail.com/#10281 (From OE-Core rev: ff73fa7ef7666a6dbe34f15515bc3ab6e574c5b0) Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Jacob Kroon <jacob.kroon@gmail.com> Cc: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/cve_check: Mark variable flag dependenciesJoshua Watt2025-04-161-0/+2
| | | | | | | | | | | Marks CVE check functions which depend on non-constant variable flags as depending on the variables. This allows changes in the flags to correctly trigger a rebuild (From OE-Core rev: 2cc43c72ff28aa39a417dd8d57cd7c8741c0e541) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: oe: Add cve_check to BBIMPORTSJoshua Watt2025-04-101-1/+2
| | | | | | | | | | | Adds cve_check.py to BBIMPORTS so the functions it exposes will be correctly scanned for dependencies in the dependency scanner (From OE-Core rev: 52ead33c6b6e2532c57b7b28b862ba38b575f9e3) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: handle Unknown CVE_STATUSPeter Marko2025-04-081-0/+2
| | | | | | | | | | | | | | | | | | | CVE_STATUS can be also "Unknown" since oe-core commit d25f1817752bc8a84c40dcbef75f7559801ce15e When this status type is used, build fails with e.g. ERROR: openssl-3.4.1-r0 do_create_spdx: Unknown CVE-2025-0001 status 'Unknown' Since this is now a valid status, it needs to be handled. It cannot be mapped to any VEX status (see below), so just skip it. Possible VEX statuses are: NOT AFFECTED, AFFECTED, FIXED, and UNDER INVESTIGATION. (From OE-Core rev: 2d3081ef63c8a54df62a2a08bd36008c20eed65a) Signed-off-by: Peter Marko <peter.marko@siemens.com> cc: Marta Rybczynska <rybczynska@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe: remove redundant __name__ == "__main__" checksRoss Burton2025-04-033-16/+0
| | | | | | | | | | There's no point in checking if __name__ == "__main__" (i.e., is this module being invoked) and then doing nothing. (From OE-Core rev: 020b6b1411c9fd3adb208808c0d56623190873f8) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* patch.py: set commituser and commitemail for addNoteChangqing Li2025-04-031-6/+8
| | | | | | | | | | | | | | | | | When PATCHTOOL is set to 'git', and user don't setup user.name and user.email for git, do_patch fail with the following error, fix by passing -c options. CmdError("git notes --ref refs/notes/devtool append -m 'original patch: 0001-PATCH-increase-to-cpp17-version.patch' HEAD", 0, 'stdout: stderr: Author identity unknown *** Please tell me who you are. Run git config --global user.email "you@example.com" git config --global user.name "Your Name" (From OE-Core rev: a3c6706d31ae1345b571ca10b290a4e1f5a9384b) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx3: support to override the version of a package in SBOM 3Hongxu Jia2025-03-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By default, still use ${PV} as the the version of a package in SBOM 3 $ bitbake acl $ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json ... { "type": "software_Package", ... "name": "acl", "software_packageVersion": "2.3.2" }, ... Support to override it by setting SPDX_PACKAGE_VERSION, such as set SPDX_PACKAGE_VERSION = "${EXTENDPKGV}" in local.conf to append PR to software_packageVersion in SBOM 3 $ echo 'SPDX_PACKAGE_VERSION = "${EXTENDPKGV}"' >> conf/local.conf $ bitbake acl $ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json ... { "type": "software_Package", ... "name": "acl", "software_packageVersion": "2.3.2-r0" }, ... (From OE-Core rev: e6ff5f4d870624795bd36572f5c2bfeec90d83ce) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: handle links to inaccessible locationsPeter Marko2025-03-201-1/+1
| | | | | | | | | | | | | | This is the same as e105befbe4ee0d85e94c2048a744f0373e2dbcdf on additional place in the code. When a link is pointing to location inaccessible to build user (e.g. "/root/something"), filepath.is_file() throws "PermissionError: [Errno 13] Permission denied". Fix this by first checking if it is a link. (From OE-Core rev: 26f35f866cf7888431963cf4fc5d2019cd28de74) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx: Update for bitbake changesRichard Purdie2025-03-202-64/+63
| | | | | | | | | Bitbake is dropping the need for fetcher name iteration and multiple revisions per url. Update the code to match (removal of the for loop). (From OE-Core rev: 4859cdf97fd9a260036e148e25f0b78eb393df1e) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: test the existence of directory before walkinghongxu2025-03-191-0/+4
| | | | | | | | | | | | | | | | | | | | | | | Due to commit [spdx30: Improve os.walk() handling][1] applied, it reported an error if walk directory failed While SPDX_INCLUDE_SOURCES = "1", if recipe does not provide sysroots, the walk in function add_package_files is broken $ echo 'SPDX_INCLUDE_SOURCES = "1"' >> conf/local.conf $ bitbake packagegroup-core-boot |DEBUG: Adding sysroot files to SPDX |ERROR: packagegroup-core-boot-1.0-r0 do_create_spdx: ERROR walking tmp/sysroots-components/intel_x86_64/packagegroup-core-boot: [Errno 2] | No such file or directory: 'tmp/sysroots-components/intel_x86_64/packagegroup-core-boot' Test the existence of directory before walking [1] https://git.openembedded.org/openembedded-core/commit/?id=86b581e80637cd8136ce7a7e95db94d9553d2f60 (From OE-Core rev: cb1792e4950d5075be9bbe4c5337a5215db9669e) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/lib/oe/recipeutils.py: handle fetcher errors when checking for new commitsAlexander Kanavin2025-03-191-4/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | Recent freedesktop instabilities are causing 'devtool check-upgrade-status' to fail with: bb.fetch2.FetchError: Fetcher failure: Fetch command export PSEUDO_DISABLED=1; git -c gc.autoDetach=false -c core.pager=cat -c safe.bareRepository=all -c clone.defaultRemoteName=origin ls-remote https://gitlab.> fatal: unable to access 'https://gitlab.freedesktop.org/mesa/kmscube/': The requested URL returned error: 502 and not print any results for this one or any unrelated recipes included in the check. This change handles the error, so that if some upstream server isn't working properly, latest upstream revision for that is marked as unknown, a warning is printed and upstream version check for other recipes isn't thwarted: WARNING: Unable to obtain latest revision: Fetcher failure: Fetch command export PSEUDO_DISABLED=1; git -c gc.autoDetach=false -c core.pager=cat -c safe.bareRepository=all -c clone.defaultRemoteName=origin ls-remote https://gitlab.freedesktop.org/mesa/piglit.git failed with exit code 128, output: remote: GitLab is not responding fatal: unable to access 'https://gitlab.freedesktop.org/mesa/piglit.git/': The requested URL returned error: 502 piglit 1.0 UNKNOWN_BROKEN Ross Burton <ross.burton@arm.com> (From OE-Core rev: c1056293f7cb32ee2bdf31441cc0b59d9ccfe556) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: spdx30_tasks: remove duplicated patched CVEsHongxu Jia2025-03-121-12/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to commit [lib: spdx30_tasks: Handle patched CVEs][1] applied, duplicated CVE identifier for each CVE which increased +25% build time (image task: do_create_image_sbom_spdx) $ bitbake binutils-cross-x86_64 $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584 "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584", "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584" "identifier": "CVE-2023-25584", "https://cveawg.mitre.org/api/cve/CVE-2023-25584", "https://www.cve.org/CVERecord?id=CVE-2023-25584" "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584", "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584" "identifier": "CVE-2023-25584", "https://cveawg.mitre.org/api/cve/CVE-2023-25584", "https://www.cve.org/CVERecord?id=CVE-2023-25584" Since the commit [cve-check: annotate CVEs during analysis][2] improved function get_patched_cves to: - Check each patch file; - Search for additional patched CVEs from CVE_STATUS; And return dictionary patched_cve for each cve: { "abbrev-status": "xxx", "status": "xxx", "justification": "xxx", "resource": "xxx", "affected-vendor": "xxx", "affected-product": "xxx", } But while adding CVE in meta/lib/oe/spdx30_tasks.py, the cve_by_status requires decoded_status { "mapping": "xxx", "detail": "xxx", "description": "xxx", } This commit converts patched_cve to decoded_status patched_cve["abbrev-status"] --> decoded_status["mapping"] patched_cve["status"] --> decoded_status["detail"] patched_cve["justification"] --> decoded_status["description"] And remove duplicated search for additional patched CVEs from CVE_STATUS (calling oe.cve_check.decode_cve_status) After applying this commit $ bitbake binutils-cross-x86_64 $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584 "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/381bf593d99c005ecd2c2e0815b86bca2b9ff4cc2db59587aaddd3db95c67470/vulnerability/CVE-2023-25584", "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584" "identifier": "CVE-2023-25584", "https://cveawg.mitre.org/api/cve/CVE-2023-25584", "https://www.cve.org/CVERecord?id=CVE-2023-25584" [1] https://git.openembedded.org/openembedded-core/commit/?id=1ff496546279d8a97df5ec475007cfb095c2a0bc [2] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d (From OE-Core rev: 08595b39b46ef2bf3a928d4528292ee31a990c98) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: Fix dependencies on SPDX codeJoshua Watt2025-03-112-3/+7
| | | | | | | | | | | | | | | | | | | | The SPDX library code was being ignored from taskhash calculations due to accidentally being omitted from BBIMPORTS. This meant that changes in the code or dependent variables would not cause the task to rebuild correctly. In order to add spdx_common, convert the `Dep` object from a named tuple to a frozen dataclass. These function more or less equivalently, but the bitbake code parser cannot handle named tuples. Finally, the vardepsexclude that used to be present on the recipe tasks needs to be moved to the python code in order for the variables to be correctly ignored. Several unused exclusions were removed (From OE-Core rev: eb597bf61cbcb0a4d43149404c93eec0894fb4c7) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: spdx30_tasks: Handle patched CVEsJoshua Watt2025-03-081-0/+10
| | | | | | | | | | | | | The code to iterate over patched CVEs (e.g. those patched by a .patch file in SRC_URI) was accidentally omitted when writing the SPDX 3 handling. Add it in now [YOCTO #15789] (From OE-Core rev: 1ff496546279d8a97df5ec475007cfb095c2a0bc) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/oe/elf.py: Add loongarch64 architecture definition for muslXiaotian Wu2025-03-071-0/+1
| | | | | | | | | | Add the ELF definition for the loongarch64 architecture when building with musl as libc. (From OE-Core rev: c6498e4ca43dc2f8bc326bc6b6dbc8fd7f0bef79) Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib: sbom30: Add action statement for affected VEX statementsJoshua Watt2025-03-061-0/+1
| | | | | | | | | | | VEX Affected relationships have a mandatory action statement that indicates the mitigation for a vulnerability. Since we don't track this add a statement indicating that no mitigation is known. (From OE-Core rev: 39545c955474a43d11a45d74a88a5999b02cb8b3) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lib/package/utils: Improve multiprocess_launch argument passingRichard Purdie2025-02-282-10/+5
| | | | | | | | | | The current code for multiple argument passing is horrible. Tweak the multiprocess_launch function to only convert to a tuple if it isn't already one, which means we can then use function arguments in a standard way. (From OE-Core rev: 7c99f90079e722764ebdc30e8d0e781454b3a51a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: Improve os.walk() handlingJoshua Watt2025-02-181-4/+16
| | | | | | | | | | | | | | | | | | There have been errors seen when assembling root file system SPDX documents where they will references files that don't exist in the package SPDX. The speculation is that this is caused by os.walk() ignoring errors when walking, causing files to be omitted. Improve the code by adding an error handler to os.walk() to report errors when they occur. In addition, sort the files and directories while walking to ensure consistent ordering of the file SPDX IDs. (From OE-Core rev: 86b581e80637cd8136ce7a7e95db94d9553d2f60) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* spdx30: Include files in rootfsJoshua Watt2025-02-051-3/+43
| | | | | | | | | | | | Adds a "contains" relationship that relates the root file system package to the files contained in it. If a package provides a file with a matching hash and path, it will be linked, otherwise a new File element will be created (From OE-Core rev: e6fe754aef93e834e5226c8b13fdf75e03080ba2) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>