* [Buildroot] [PATCH v3 1/5] utils/generate-cyclonedx: update package filtering
@ 2025-08-07  6:23 Fabien Lehoussel via buildroot
  2025-08-07  6:23 ` [Buildroot] [PATCH 2/5] utils/generate-cyclonedx: sort dependencies Fabien Lehoussel via buildroot
                   ` (4 more replies)
  0 siblings, 5 replies; 8+ messages in thread
From: Fabien Lehoussel via buildroot @ 2025-08-07  6:23 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Perale, Fabien Lehoussel

Keep only "real" packages, i.e., those for which XX_SITE is set

v1: https://lists.buildroot.org/pipermail/buildroot/2025-June/781118.html
v2: https://lists.buildroot.org/pipermail/buildroot/2025-July/782803.html

Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
---
 utils/generate-cyclonedx | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
index 34e5672a43..3ff318f11a 100755
--- a/utils/generate-cyclonedx
+++ b/utils/generate-cyclonedx
@@ -178,10 +178,8 @@ def cyclonedx_component(name, comp):
         **({
             "name": comp["name"],
         } if "name" in comp else {}),
-        **({
-            "version": comp["version"],
-            **(cyclonedx_licenses(comp["licenses"]) if "licenses" in comp else {}),
-        } if not comp["virtual"] else {}),
+        "version": comp["version"],
+        **(cyclonedx_licenses(comp["licenses"]) if "licenses" in comp else {}),
         **({
             "cpe": comp["cpe-id"],
         } if "cpe-id" in comp else {}),
@@ -238,12 +236,10 @@ def cyclonedx_vulnerabilities(show_info_dict):
     } for cve, components in cves.items()]
 
 
-def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
+def br2_parse_deps_recursively(ref, show_info_dict, deps=[]):
     """Parse dependencies from the show-info output. This function will
     recursively collect all dependencies, and return a list where each dependency
     is stated at most once.
-    The dependency on virtual package will collect the final dependency without
-    including the virtual one.
 
     Args:
         ref (str): The identifier of the package for which the dependencies have
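Review bot: the new signature keeps the mutable default `deps=[]`, and main() calls `br2_parse_deps_recursively(ref, show_info_dict)` once per ref without passing deps, so the same list object is shared and grows across all calls; each package's dependency list would contain the dependencies of every package processed before it. Use `deps=None` and `if deps is None: deps = []` at the top of the function. Please also check that the Args section below still does not describe the removed `virtual` parameter.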
@@ -259,10 +255,11 @@ def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
         list: A list of dependencies of the 'ref' package.
     """
     for dep in show_info_dict.get(ref, {}).get("dependencies", []):
-        if dep not in deps:
-            if virtual or show_info_dict.get(dep, {}).get("virtual") is False:
+        # Only add "real" package dependency
+        if show_info_dict.get(dep, {}).get("real", True):
+            if dep not in deps:
                 deps.append(dep)
-            br2_parse_deps_recursively(dep, show_info_dict, virtual, deps)
+                br2_parse_deps_recursively(dep, show_info_dict, deps)
 
     return deps
 
@@ -277,8 +274,6 @@ def main():
                         default=(None if sys.stdin.isatty() else sys.stdin))
     parser.add_argument("-o", "--out-file", nargs="?", type=argparse.FileType("w"),
                         default=sys.stdout)
-    parser.add_argument("--virtual", default=False, action='store_true',
-                        help="This option includes virtual packages to the CycloneDX output")
     parser.add_argument("--project-name", type=str, default="buildroot",
                         help="Specify the project name to use in the SBOM metadata (default:'buildroot')")
     parser.add_argument("--project-version", type=str, default=f"{BR2_VERSION_FULL}",
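Review bot: dropping `--virtual` is a user-visible CLI change that the commit message does not mention; please call it out there (and in any documentation of the script) so users with existing invocations know why the option disappeared.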
@@ -292,10 +287,16 @@ def main():
 
     show_info_dict = json.load(args.in_file)
 
-    # Remove rootfs and virtual packages if not explicitly included
-    # from the cli arguments
-    filtered_show_info_dict = {k: v for k, v in show_info_dict.items()
-                               if ("rootfs" not in v["type"]) and (args.virtual or v["virtual"] is False)}
+    # add flag for "real" packages E.G. packages not bundled inside Buildroot.
+    # non-real package examples:  skeletons, rootfs-xx, virtual-packages...
+    for k, v in show_info_dict.items():
+        if v.get("downloads") and len(v["downloads"]) > 0:
+            v["real"] = True
+        else:
+            v["real"] = False
+
+    # Filter only "real" packages for SBOM generation
+    filtered_show_info_dict = {k: v for k, v in show_info_dict.items() if v["real"]}
 
     cyclonedx_dict = {
         "bomFormat": "CycloneDX",
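Review bot: the commit message defines a "real" package as one for which XX_SITE is set, but the code keys off a non-empty `downloads` list; those are not obviously the same set, so please make the message and the comment agree on the actual criterion. `v.get("downloads") and len(v["downloads"]) > 0` can be simplified to `bool(v.get("downloads"))`, and the comment should read "e.g." rather than "E.G.". Note also that the explicit `"rootfs" not in v["type"]` exclusion is gone; it now relies on rootfs entries having no downloads, which is worth stating in the comment.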
@@ -330,10 +331,10 @@ def main():
         ],
         "dependencies": [
             cyclonedx_dependency("buildroot", list(filtered_show_info_dict)),
-            *[cyclonedx_dependency(ref, br2_parse_deps_recursively(ref, show_info_dict, args.virtual))
+            *[cyclonedx_dependency(ref, br2_parse_deps_recursively(ref, show_info_dict))
               for ref in filtered_show_info_dict],
         ],
-        "vulnerabilities": cyclonedx_vulnerabilities(show_info_dict),
+        "vulnerabilities": cyclonedx_vulnerabilities(filtered_show_info_dict),
     }
 
     args.out_file.write(json.dumps(cyclonedx_dict, indent=2))
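Review bot: the dependency recursion is still given the unfiltered show_info_dict while the root "buildroot" entry and the vulnerabilities use filtered_show_info_dict. That is necessary because the recursion consults the "real" flag of every dep, and a dep missing from the filtered dict would default to real, but the asymmetry is easy to misread; a one-line comment next to the `*[cyclonedx_dependency(...)` line explaining why the full dict is passed would help the next reader.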
-- 
2.43.0


Thread overview: 8+ messages
2025-08-07  6:23 [Buildroot] [PATCH v3 1/5] utils/generate-cyclonedx: update package filtering Fabien Lehoussel via buildroot
2025-08-07  6:23 ` [Buildroot] [PATCH 2/5] utils/generate-cyclonedx: sort dependencies Fabien Lehoussel via buildroot
2025-08-07 14:00   ` Peter Korsgaard
2025-08-14 20:32   ` Thomas Perale via buildroot
2025-08-07  6:23 ` [Buildroot] [PATCH 3/5] utils/generate-cyclonedx: update dependencies generation Fabien Lehoussel via buildroot
2025-08-07  6:23 ` [Buildroot] [PATCH 4/5] utils/generate-cyclonedx: remove buildroot dependencies Fabien Lehoussel via buildroot
2025-08-07  6:23 ` [Buildroot] [PATCH v3 5/5] utils/generate-cyclonedx: add option to filter host packages in components and dependencies Fabien Lehoussel via buildroot
2025-08-07 13:56 ` [Buildroot] [PATCH v3 1/5] utils/generate-cyclonedx: update package filtering Peter Korsgaard