From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
	Peter.Marko@siemens.com, jpewhacker@gmail.com,
	Ross.Burton@arm.com, mathieu.dubois-briand@bootlin.com
Subject: [PATCH v3 03/11] spdx30: Add ecosystem-specific PURL generation
Date: Tue, 24 Feb 2026 17:29:38 +0100
Message-ID: <20260224162946.4000445-4-stondo@gmail.com>
In-Reply-To: <20260224162946.4000445-1-stondo@gmail.com>

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

Add a function that identifies ecosystem-specific PURLs (cargo, golang,
pypi, npm, cpan, nuget, maven) for dependency packages, working alongside
oe.purl.get_base_purl() which provides pkg:yocto PURLs.

Key design decision: Does NOT return pkg:generic fallback. This ensures:
- No overlap with the base pkg:yocto generation
- Packages get BOTH purls: pkg:yocto/layer/pkg@ver AND pkg:cargo/pkg@ver
- Maximum traceability for compliance tools

Detects ecosystems via:
- Unambiguous file extensions (.crate for Rust)
- Recipe inheritance (pypi, npm, cpan, nuget, maven classes)
- BitBake variables (GO_IMPORT, PYPI_PACKAGE, MAVEN_GROUP_ID)

Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
 meta/lib/oe/spdx30_tasks.py | 113 ++++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 0888d9d7e4..11945a622d 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -13,12 +13,125 @@ import oe.spdx30
 import oe.spdx_common
 import oe.sdk
 import os
+import re
 
 from contextlib import contextmanager
 from datetime import datetime, timezone
 from pathlib import Path
 
 
+
+def extract_dependency_metadata(d, file_name):
+    """Extract ecosystem-specific PURL for dependency packages.
+
+    Uses recipe metadata to identify ecosystem PURLs (cargo, golang, pypi,
+    npm, cpan, nuget, maven). Returns (version, purl) or (None, None).
+    Does NOT return pkg:generic; base pkg:yocto is handled by get_base_purl().
+    """
+
+    pv = d.getVar("PV")
+    version = pv if pv else None
+    purl = None
+
+    # Rust crate (.crate extension is unambiguous)
+    if file_name.endswith('.crate'):
+        crate_match = re.match(r'^(.+?)-(\d+\.\d+\.\d+(?:\.\d+)?(?:[-+][\w.]+)?)\.crate$', file_name)
+        if crate_match:
+            name = crate_match.group(1)
+            version = crate_match.group(2)
+            purl = f"pkg:cargo/{name}@{version}"
+            return (version, purl)
+
+    # Go module via GO_IMPORT variable
+    go_import = d.getVar("GO_IMPORT")
+    if go_import and version:
+        purl = f"pkg:golang/{go_import}@{version}"
+        return (version, purl)
+
+    # Go module from filename with explicit hosting domain
+    go_match = re.match(
+        r'^((?:github|gitlab|gopkg|golang|go\.googlesource)\.com\.[\w.]+(?:\.[\w-]+)*?)-(v?\d+\.\d+\.\d+(?:[-+][\w.]+)?)\.',
+        file_name
+    )
+    if go_match:
+        module_path = go_match.group(1).replace('.', '/', 1)
+        parts = module_path.split('/', 1)
+        if len(parts) == 2:
+            domain = parts[0]
+            path = parts[1].replace('.', '/')
+            module_path = f"{domain}/{path}"
+
+        version = go_match.group(2)
+        purl = f"pkg:golang/{module_path}@{version}"
+        return (version, purl)
+
+    # PyPI package
+    if bb.data.inherits_class("pypi", d) and version:
+        pypi_package = d.getVar("PYPI_PACKAGE")
+        if pypi_package:
+            # Normalize per PEP 503
+            name = re.sub(r"[-_.]+", "-", pypi_package).lower()
+            purl = f"pkg:pypi/{name}@{version}"
+            return (version, purl)
+
+    # NPM package
+    if bb.data.inherits_class("npm", d) and version:
+        bpn = d.getVar("BPN")
+        if bpn:
+            name = bpn[4:] if bpn.startswith('npm-') else bpn
+            purl = f"pkg:npm/{name}@{version}"
+            return (version, purl)
+
+    # CPAN package
+    if bb.data.inherits_class("cpan", d) and version:
+        bpn = d.getVar("BPN")
+        if bpn:
+            if bpn.startswith('perl-'):
+                name = bpn[5:]
+            elif bpn.startswith('libperl-'):
+                name = bpn[8:]
+            else:
+                name = bpn
+            purl = f"pkg:cpan/{name}@{version}"
+            return (version, purl)
+
+    # NuGet package
+    if (bb.data.inherits_class("nuget", d) or bb.data.inherits_class("dotnet", d)) and version:
+        bpn = d.getVar("BPN")
+        if bpn:
+            if bpn.startswith('dotnet-'):
+                name = bpn[7:]
+            elif bpn.startswith('nuget-'):
+                name = bpn[6:]
+            else:
+                name = bpn
+            purl = f"pkg:nuget/{name}@{version}"
+            return (version, purl)
+
+    # Maven package
+    if bb.data.inherits_class("maven", d) and version:
+        group_id = d.getVar("MAVEN_GROUP_ID")
+        artifact_id = d.getVar("MAVEN_ARTIFACT_ID")
+
+        if group_id and artifact_id:
+            purl = f"pkg:maven/{group_id}/{artifact_id}@{version}"
+            return (version, purl)
+        else:
+            bpn = d.getVar("BPN")
+            if bpn:
+                if bpn.startswith('maven-'):
+                    name = bpn[6:]
+                elif bpn.startswith('java-'):
+                    name = bpn[5:]
+                else:
+                    name = bpn
+                purl = f"pkg:maven/{name}@{version}"
+                return (version, purl)
+
+    # Base pkg:yocto PURL is handled by oe.purl.get_base_purl()
+    return (version, None)
+
+
 def walk_error(err):
     bb.error(f"ERROR walking {err.filename}: {err}")
 
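Review bot: the Go filename branch (the `go_match` block) builds a malformed module path. For a match such as `github.com.foo.bar-v1.2.3.tar.gz`, `go_match.group(1).replace('.', '/', 1)` turns `github.com.foo.bar` into `github/com.foo.bar`, so the subsequent `split('/', 1)` yields domain `github` and path `com/foo/bar`, and the emitted PURL is `pkg:golang/github/com/foo/bar@v1.2.3` rather than `pkg:golang/github.com/foo/bar@v1.2.3`. The host's own dot has to be preserved: match the host as a unit in the regex and convert only the remainder's dots to slashes (and note that the unconditional `parts[1].replace('.', '/')` is lossy for path segments that legitimately contain dots). A unit test with a `github.com.*` filename would catch this. Two related points in the same hunk: the host alternation hardcodes `\.com`, so the `gopkg` and `golang` entries can never match their real hosts (`gopkg.in`, `golang.org`); and the Maven fallback `purl = f"pkg:maven/{name}@{version}"` drops the groupId, which the PURL spec requires as the namespace of a pkg:maven identifier, so when `MAVEN_GROUP_ID` is unset it is better to return `(version, None)` than to emit an invalid PURL. Finally, the docstring promises `(None, None)` when nothing matches, but the trailing `return (version, None)` returns PV; please align one with the other.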
-- 
2.53.0

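As an added, stand-alone illustration, not code from this patch or from OE-core, the block below shows what a spec-conformant builder for the PURL types this series targets looks like: per-segment percent-encoding (so a scoped npm package becomes `%40scope/name`), PEP 503 normalisation for pypi, refusal to emit a pkg:maven without a groupId, and a Go filename parser that keeps the host's dot intact. The `GO_HOSTS` list and the `host.path.segments-vX.Y.Z.<ext>` filename convention it decodes are assumptions made for the example, not a format the project defines.

```python
import re
from urllib.parse import quote

# Assumption for this example: the dotted filename form starts with one of these
# hosts. Longer hosts come first so "google.golang.org" is not mistaken for
# "golang.org".
GO_HOSTS = (
    "go.googlesource.com",
    "google.golang.org",
    "github.com",
    "gitlab.com",
    "golang.org",
    "gopkg.in",
)

CRATE_RE = re.compile(r"^(.+?)-(\d+\.\d+\.\d+(?:\.\d+)?(?:[-+][\w.]+)?)\.crate$")
GO_FILE_RE = re.compile(
    r"^([\w.-]+?)-(v\d+\.\d+\.\d+(?:[-+][\w.]+)?)\.(?:tar\.gz|tar\.xz|zip)$"
)


def _enc(segment):
    # Percent-encode one path segment: '@', ':' and '/' must not appear raw
    # inside a namespace segment, a name or a version.
    return quote(segment, safe="")


def build_purl(ptype, name, version, namespace=None):
    """Assemble pkg:<type>/[<namespace>/]<name>@<version>.

    Type-specific rules applied here: pkg:maven needs the groupId as its
    namespace; pkg:pypi names are normalised PEP 503 style (lowercase, runs of
    '-', '_' and '.' collapsed to '-').
    """
    if ptype == "maven" and not namespace:
        raise ValueError("pkg:maven requires the groupId as namespace")
    if ptype == "pypi":
        name = re.sub(r"[-_.]+", "-", name).lower()
    ns = ""
    if namespace:
        ns = "/".join(_enc(p) for p in namespace.split("/")) + "/"
    return f"pkg:{ptype}/{ns}{_enc(name)}@{_enc(version)}"


def purl_from_crate_filename(file_name):
    """'serde_json-1.0.108.crate' -> 'pkg:cargo/serde_json@1.0.108'."""
    m = CRATE_RE.match(file_name)
    return build_purl("cargo", m.group(1), m.group(2)) if m else None


def purl_from_go_filename(file_name):
    """'github.com.spf13.cobra-v1.8.0.tar.gz' -> 'pkg:golang/github.com/spf13/cobra@v1.8.0'.

    The host is matched as a unit so its own dot survives; only dots in the
    remainder become path separators (lossy for segments such as 'yaml.v3').
    """
    m = GO_FILE_RE.match(file_name)
    if not m:
        return None
    dotted, version = m.group(1), m.group(2)
    for host in GO_HOSTS:
        if dotted == host:
            return None  # a bare host is not a module path
        if dotted.startswith(host + "."):
            segments = dotted[len(host) + 1:].split(".")
            break
    else:
        return None  # unknown host: better no PURL than a wrong one
    namespace = "/".join([host] + segments[:-1])
    return build_purl("golang", segments[-1], version, namespace=namespace)


def purl_from_maven(group_id, artifact_id, version):
    """Return None instead of an invalid pkg:maven when the groupId is unknown."""
    if not (group_id and artifact_id and version):
        return None
    return build_purl("maven", artifact_id, version, namespace=group_id)
```

The unknown-host and missing-groupId paths deliberately return `None`: a compliance tool that matches SBOM entries against vulnerability databases by PURL is better served by an absent identifier than by a syntactically valid one that names a package which does not exist.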


2026-02-24 16:29 [PATCH v3 00/11] spdx30: SBOM enrichment and documentation Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 01/11] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 02/11] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-02-24 16:29 ` Stefano Tondo [this message]
2026-02-24 16:29 ` [PATCH v3 04/11] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-26  8:28   ` Mathieu Dubois-Briand
2026-02-24 16:29 ` [PATCH v3 05/11] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 06/11] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 07/11] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 08/11] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 09/11] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 10/11] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 11/11] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
