From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
Peter.Marko@siemens.com, jpewhacker@gmail.com,
Ross.Burton@arm.com
Subject: [PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance
Date: Sat, 21 Feb 2026 05:24:04 +0100
Message-ID: <20260221042418.317535-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
This series enhances the SPDX 3.0 SBOM generation with improvements
focused on Package URL (PURL) coverage, source metadata enrichment,
and compliance tooling integration.
Key changes:
- Configurable file filtering to reduce SBOM size
- Supplier metadata support for image and SDK SBOMs
- Ecosystem-specific PURL generation (Cargo, Go, PyPI, NPM, etc.)
- Git source version extraction and GitHub PURL generation
- External references (VCS, distribution, homepage) for source packages
- Image root metadata package with describes/contains relationships
- Rootfs version and dependency scope classification (runtime/build/test)
- Object deduplication fix preserving complete metadata
- CPE 2.3 special character escaping for SBOM validators
- Two selftest cases for download_location and version extraction
Total: 6 files changed, 687 insertions(+), 12 deletions(-)
Stefano Tondo (14):
spdx30: Add configurable file filtering support
spdx30: Add supplier support for image and SDK SBOMs
spdx30: Add ecosystem-specific PURL generation
spdx30: Add version extraction from SRCREV for Git source components
spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
sbom30: Fix object deduplication to preserve complete data
spdx30: Enrich source downloads with external refs and PURLs
spdx30: Include recipe base PURL in package external identifiers
spdx30: Add image root metadata package with describes relationship
spdx30_tasks: Fix non-deterministic BUILDNAME in image package version
spdx30: Add rootfs version and dependency scope classification
oeqa/selftest: Add test for download_location defensive handling
spdx.py: Add test for version extraction patterns
cve_check: Escape special characters in CPE 2.3 formatted strings
meta/classes/create-spdx-3.0.bbclass | 20 ++
meta/classes/spdx-common.bbclass | 37 ++
meta/lib/oe/cve_check.py | 37 +-
meta/lib/oe/sbom30.py | 47 ++-
meta/lib/oe/spdx30_tasks.py | 483 ++++++++++++++++++++++++++-
meta/lib/oeqa/selftest/cases/spdx.py | 75 +++++
6 files changed, 687 insertions(+), 12 deletions(-)
--
2.53.0
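The last bullet of the cover letter, escaping special characters in CPE 2.3 formatted strings, as an added Python example that is not the series' own cve_check.py code: it follows the NISTIR 7695 formatted-string binding (only alphanumerics, underscore, period and hyphen may appear unquoted; everything else is backslash-quoted) and shows why an unescaped ':' in a version string makes a strict validator's 13-field check fail. Function names and the validator regex are my own assumptions.

```python
import re

# NISTIR 7695 sec. 6.2.2: in a CPE 2.3 formatted string only alphanumerics,
# '_', '.', '-' are unquoted; other printable characters are quoted with '\',
# unquoted '*' / '?' are wildcards, and ':' separates the 13 fields.
_PLAIN = re.compile(r"[A-Za-z0-9_.\-]")
_FIELD = re.compile(r"^(?:\*|-|(?:[A-Za-z0-9_.\-*?]|\\.)+)$")
ANY, NA = "*", "-"   # logical values ANY and NOT APPLICABLE

def cpe23_escape(value: str) -> str:
    """Quote a literal attribute value so '*', '?', ':', '$' etc. stay literal."""
    return "".join(c if _PLAIN.fullmatch(c) else "\\" + c for c in value)

def cpe23_unescape(value: str) -> str:
    """Inverse of cpe23_escape: drop the quoting backslashes."""
    return re.sub(r"\\(.)", r"\1", value)

def cpe23_from_parts(part, vendor, product, version, update=None, edition=None,
                     language=None, sw_edition=None, target_sw=None,
                     target_hw=None, other=None) -> str:
    """Bind literal values to a cpe:2.3 string: None/'' -> ANY, bare '-' -> NA,
    anything else escaped (a literal lone hyphen is indistinguishable from NA)."""
    vals = (part, vendor, product, version, update, edition, language,
            sw_edition, target_sw, target_hw, other)
    return "cpe:2.3:" + ":".join(ANY if not v else v if v in (ANY, NA)
                                 else cpe23_escape(v) for v in vals)

def cpe23_split(cpe: str) -> list:
    """Split on ':' while keeping backslash-quoted characters intact."""
    fields, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur += cpe[i:i + 2]
            i += 2
        elif cpe[i] == ":":
            fields.append(cur)
            cur, i = "", i + 1
        else:
            cur += cpe[i]
            i += 1
    fields.append(cur)
    return fields

def cpe23_is_wellformed(cpe: str) -> bool:
    """What a strict SBOM validator checks: 'cpe', '2.3' and exactly 11 fields."""
    f = cpe23_split(cpe)
    return len(f) == 13 and f[:2] == ["cpe", "2.3"] and all(_FIELD.match(x) for x in f[2:])
```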