From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
Peter.Marko@siemens.com, jpewhacker@gmail.com,
Ross.Burton@arm.com
Subject: [PATCH 09/14] spdx30: Add image root metadata package with describes relationship
Date: Sat, 21 Feb 2026 05:24:13 +0100 [thread overview]
Message-ID: <20260221042418.317535-10-stondo@gmail.com> (raw)
In-Reply-To: <20260221042418.317535-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
Create a root metadata software_Package for the image that describes
what the SBOM represents:
- Package name: {image_basename}-{machine}
- Version from BUILDNAME (with '1.0' fallback)
- Primary purpose: container
- Description from IMAGE_DESCRIPTION (with generated fallback)
- Supplier from SPDX_SUPPLIER if available
Add structural relationships:
- Document 'describes' the image package
- Image package 'contains' each recipe's artifacts
This fixes sbom-lint warnings about missing root elements and
provides proper SBOM structure for compliance tools.
Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
meta/lib/oe/spdx30_tasks.py | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index ef47bd4205..0d62de61a3 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -1498,6 +1498,31 @@ def create_image_spdx(d):
d, "%s-%s-image" % (image_basename, machine)
)
+ # Create root metadata package for the image
+ # This describes what the SBOM represents and fixes sbom-lint warning
+ image_package = objset.add_root(
+ oe.spdx30.software_Package(
+ _id=objset.new_spdxid("image", "root"),
+ creationInfo=objset.doc.creationInfo,
+ name=f"{image_basename}-{machine}",
+ software_packageVersion=d.getVar("BUILDNAME") or "1.0",
+ software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.container,
+ description=d.getVar("IMAGE_DESCRIPTION") or f"{image_basename} image for {machine}",
+ )
+ )
+
+ # Set supplier if available
+ supplier = d.getVar("SPDX_SUPPLIER")
+ if supplier:
+ image_package.suppliedBy = supplier
+
+ # Create describes relationship from document to image
+ objset.new_relationship(
+ [objset.doc],
+ oe.spdx30.RelationshipType.describes,
+ [image_package],
+ )
+
with manifest_path.open("r") as f:
manifest = json.load(f)
@@ -1565,6 +1590,13 @@ def create_image_spdx(d):
artifacts,
)
+ # Link artifacts to the image package
+ objset.new_relationship(
+ [image_package],
+ oe.spdx30.RelationshipType.contains,
+ artifacts,
+ )
+
if builds:
rootfs_image, _ = oe.sbom30.find_root_obj_in_jsonld(
d,
--
2.53.0
next prev parent reply other threads:[~2026-02-21 4:24 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-21 4:24 [PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance Stefano Tondo
2026-02-21 4:24 ` [PATCH 01/14] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-21 4:24 ` [PATCH 02/14] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-02-21 4:24 ` [PATCH 03/14] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-02-21 4:24 ` [PATCH 04/14] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-21 4:24 ` [PATCH 05/14] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-21 4:24 ` [PATCH 06/14] sbom30: Fix object deduplication to preserve complete data Stefano Tondo
2026-02-21 4:24 ` [PATCH 07/14] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-21 4:24 ` [PATCH 08/14] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-21 4:24 ` Stefano Tondo [this message]
2026-02-21 4:24 ` [PATCH 10/14] spdx30_tasks: Fix non-deterministic BUILDNAME in image package version Stefano Tondo
2026-02-21 4:24 ` [PATCH 11/14] spdx30: Add rootfs version and dependency scope classification Stefano Tondo
2026-02-21 4:24 ` [PATCH 12/14] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-21 4:24 ` [PATCH 13/14] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-21 4:24 ` [PATCH 14/14] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260221042418.317535-10-stondo@gmail.com \
--to=stondo@gmail.com \
--cc=Peter.Marko@siemens.com \
--cc=Ross.Burton@arm.com \
--cc=adrian.freihofer@siemens.com \
--cc=jpewhacker@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=stefano.tondo.ext@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.