From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
Peter.Marko@siemens.com, jpewhacker@gmail.com,
Ross.Burton@arm.com, mathieu.dubois-briand@bootlin.com
Subject: [PATCH v3 00/11] spdx30: SBOM enrichment and documentation
Date: Tue, 24 Feb 2026 17:29:35 +0100 [thread overview]
Message-ID: <20260224162946.4000445-1-stondo@gmail.com> (raw)
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
This v3 addresses Joshua Watt's feedback by dropping patches that
conflict with his planned upstream changes and fixing test failures
reported on the autobuilder.
Changes since v2:
- Dropped 7 patches based on reviewer feedback and autobuilder
test results (18 -> 11 patches)
- Fixed supplier agent creation to use direct variable pattern
instead of broken indirection (02/11)
- Fixed test to handle ListProxy type for ExternalRef.locator
instead of assuming plain list (08/11)
- Fixed test to use correct SPDX 3.0 attribute name
software_packageVersion instead of version (09/11)
Dropped patches (with rationale):
- sbom30: Fix object deduplication (v2 06/18)
Joshua: elements should have unique spdxid in single document;
if not, it's a bug to fix differently
- spdx30: Add image root metadata package (v2 09/18)
Joshua: his recipe SPDX changes will eliminate the need;
primaryPurpose=container is wrong regardless
- spdx30_tasks: Fix non-deterministic BUILDNAME (v2 10/18)
Depended on the dropped image root metadata patch
- spdx30: Add rootfs version and dependency scope (v2 11/18)
test_lifecycle_scope_dependencies failed on autobuilder
- spdx-common: Declare SPDX_FORCE_*_SCOPE variables (v2 15/18)
Depended on the dropped lifecycle scope infrastructure
- oeqa/selftest: Test for lifecycle scope (v2 16/18)
Tests the dropped lifecycle scope feature
- spdx-common: Make SPDX_LICENSES extensible (v2 18/18)
Joshua: license list is specified by SPDX spec, not us;
custom licenses should use LicenseRef
Remaining patches focus on PURL coverage, source metadata enrichment,
CPE escaping, and variable documentation.
All oe-selftest SPDX tests pass locally:
- test_base_files: PASSED
- test_extra_opts: PASSED
- test_download_location_defensive_handling: PASSED
- test_version_extraction_patterns: PASSEDJoshua Watt's feedback by dropping patches that
conflict with his planned upstream changes and fixing test failures
reported on the autobuilder.
Changes since v2:
- Dropped 7 patches based on reviewer feedback and autobuilder
test results (18 -> 11 patches)
- Fixed supplier agent creation to use direct variable pattern
instead of broken indirection (02/11)
- Fixed test to handle ListProxy type for ExternalRef.locator
instead of assuming plain list (08/11)
- Fixed test to use correct SPDX 3.0 attribute name
software_packageVersion instead of version (09/11)
Dropped patches (with rationale):
- sbom30: Fix object deduplication (v2 06/18)
Joshua: elements should have unique spdxid in single document;
if not, it's a bug to fix differently
- spdx30: Add image root metadata package (v2 09/18)
Joshua: his recipe SPDX changes will eliminate the need;
primaryPurpose=container is wrong regardless
- spdx30_tasks: Fix non-deterministic BUILDNAME (v2 10/18)
Depended on the dropped image root metadata patch
- spdx30: Add rootfs version and dependency scope (v2 11/18)
test_lifecycle_scope_dependencies failed on autobuilder
- spdx-common: Declare SPDX_FORCE_*_SCOPE variables (v2 15/18)
Depended on the dropped lifecycle scope infrastructure
- oeqa/selftest: Test for lifecycle scope (v2 16/18)
Tests the dropped lifecycle scope feature
- spdx-common: Make SPDX_LICENSES extensible (v2 18/18)
Joshua: license list is specified by SPDX spec, not us;
custom licenses should use LicenseRef
Remaining patches focus on PURL coverage, source metadata enrichment,
CPE escaping, and variable documentation.
All oe-selftest SPDX tests pass locally:
- test_base_files: PASSED
- test_extra_opts: PASSED
- test_download_location_defensive_handling: PASSED
- test_version_extraction_patterns: PASSED
Stefano Tondo (11):
spdx30: Add configurable file filtering support
spdx30: Add supplier support for image and SDK SBOMs
spdx30: Add ecosystem-specific PURL generation
spdx30: Add version extraction from SRCREV for Git source components
spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
spdx30: Enrich source downloads with external refs and PURLs
spdx30: Include recipe base PURL in package external identifiers
oeqa/selftest: Add test for download_location defensive handling
spdx.py: Add test for version extraction patterns
cve_check: Escape special characters in CPE 2.3 formatted strings
spdx-common: Add documentation for undocumented SPDX variables
meta/classes/create-spdx-3.0.bbclass | 20 ++
meta/classes/spdx-common.bbclass | 63 +++++
meta/lib/oe/cve_check.py | 37 ++-
meta/lib/oe/spdx30_tasks.py | 339 ++++++++++++++++++++++++++-
meta/lib/oeqa/selftest/cases/spdx.py | 75 ++++++
5 files changed, 527 insertions(+), 7 deletions(-)
--
2.53.0
next reply other threads:[~2026-02-24 16:30 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-24 16:29 Stefano Tondo [this message]
2026-02-24 16:29 ` [PATCH v3 01/11] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 02/11] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 03/11] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 04/11] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-26 8:28 ` Mathieu Dubois-Briand
2026-02-24 16:29 ` [PATCH v3 05/11] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 06/11] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 07/11] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 08/11] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 09/11] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 10/11] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 11/11] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260224162946.4000445-1-stondo@gmail.com \
--to=stondo@gmail.com \
--cc=Peter.Marko@siemens.com \
--cc=Ross.Burton@arm.com \
--cc=adrian.freihofer@siemens.com \
--cc=jpewhacker@gmail.com \
--cc=mathieu.dubois-briand@bootlin.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=stefano.tondo.ext@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.