From: "Mathieu Dubois-Briand" <mathieu.dubois-briand@bootlin.com>
To: <stondo@gmail.com>, <openembedded-core@lists.openembedded.org>
Cc: <stefano.tondo.ext@siemens.com>, <adrian.freihofer@siemens.com>,
<Peter.Marko@siemens.com>, <jpewhacker@gmail.com>,
<Ross.Burton@arm.com>
Subject: Re: [OE-core] [PATCH 1/1] spdx30: Read runtime dependencies from package manifests
Date: Sun, 22 Feb 2026 14:23:28 +0100
Message-ID: <DGLIUFB3U88J.RMGWBUVVCWOY@bootlin.com>
In-Reply-To: <20260221042521.318013-2-stondo@gmail.com>
On Sat Feb 21, 2026 at 5:25 AM CET, Stefano Tondo via lists.openembedded.org wrote:
> From: Stefano Tondo <stefano.tondo.ext@siemens.com>
>
> Previous implementation only captured explicit RDEPENDS from recipe
> variables, missing implicit runtime dependencies auto-detected by
> Yocto's packaging system (shared libraries like libc6, libssl3, libz1).
>
> This commit updates get_dependencies_by_scope() to:
> - Accept package parameter to read package-specific manifests
> - Read package manifests (PKGDATA) after packaging completes
> - Parse RDEPENDS including auto-detected shared library dependencies
> - Handle split packages correctly (multiple packages per recipe)
> - Fall back to recipe-level RDEPENDS if manifest unavailable
>
> Also clarifies that recursive dependency expansion is unnecessary:
> - Each package is processed separately in create_package_spdx()
> - Each package's direct dependencies are added as SPDX relationships
> - The resulting SBOM contains the complete dependency graph
> - SBOM consumers can traverse the graph for transitive dependencies
>
> Fixes lifecycle scope classification to capture ALL runtime dependencies
> (explicit + implicit).
>
> Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
> Cc: "Ross Burton" <Ross.Burton@arm.com>
> ---

Hi Stefano,

Thanks for your patch.

It looks like the added spdx.SPDX30Check.test_lifecycle_scope_dependencies
test is failing:

2026-02-22 10:51:36,579 - oe-selftest - INFO - spdx.SPDX30Check.test_lifecycle_scope_dependencies (subunit.RemotedTestCase)
2026-02-22 10:51:36,583 - oe-selftest - INFO - ... FAIL
...
026-02-22 10:22:36,898 - oe-selftest - INFO - Found ANNOTATION2: ANNOTATION2=TestAnnotation2
2026-02-22 10:22:36,899 - oe-selftest - INFO - Found ANNOTATION1: ANNOTATION1=TestAnnotation1
2026-02-22 10:51:01,398 - oe-selftest - INFO - The spdxId of gcc-15.2.0/README in recipe-gcc.spdx.json is http://spdx.org/spdxdocs/gcc-f2eaeb0d-b54b-53ba-899a-8c36c21139bf/77722cdb050cf950f66e3b9cb87574fcb0bf404cd0c167d12d2b2060e65cb176/sourcefile/21
2026-02-22 10:51:36,583 - oe-selftest - INFO - 4: 41/51 658/670 (8.81s) (0 failed) (spdx.SPDX30Check.test_lifecycle_scope_dependencies)
2026-02-22 10:51:36,583 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/spdx.py", line 474, in test_lifecycle_scope_dependencies
self.assertTrue(
~~~~~~~~~~~~~~~^
len(runtime_deps) > 0,
^^^^^^^^^^^^^^^^^^^^^^
"No runtime dependencies found - lifecycle scope may not be working"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/usr/lib/python3.13/unittest/case.py", line 744, in assertTrue
raise self.failureException(msg)
AssertionError: False is not true : No runtime dependencies found - lifecycle scope may not be working

https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3371
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3253
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3131

Can you have a look at the issue?

Thanks,
Mathieu

--
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
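
The lookup order described in the quoted commit message (per-package manifest first, recipe-level RDEPENDS as the fallback), shown as an added example that is not code from the patch or from OE-core. The `KEY: value` manifest layout, the package names and every function name here are assumptions made for illustration.

```python
import re

# Constructed pkgdata-style manifest for a split package (all values made up).
# Assumed layout: one "KEY: value" per line, where KEY may itself contain ':'.
SAMPLE_MANIFEST = """\
PN: libfoo
PKGV: 1.2.3
RDEPENDS:libfoo-utils: libc6 (>= 2.42) libfoo1 (>= 1.2.3) libssl3 (>= 3.5.0) libz1
RRECOMMENDS:libfoo-utils: libfoo-locale
"""

_LINE_RE = re.compile(r"^(.+?):\s+(.*)$")
_DEP_RE = re.compile(r"([^\s()]+)(?:\s*\(([^)]*)\))?")


def parse_manifest(text):
    """Return {key: value}; the lazy match stops at the first ': ' separator."""
    fields = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def split_deps(value):
    """Turn 'a (>= 1) b' into {'a': '>= 1', 'b': None}."""
    return {m.group(1): m.group(2) for m in _DEP_RE.finditer(value)}


def runtime_deps(package, manifest_text, recipe_rdepends=""):
    """Prefer the package's own manifest entry; else recipe-level RDEPENDS."""
    if manifest_text is not None:
        key = "RDEPENDS:" + package
        fields = parse_manifest(manifest_text)
        if key in fields:
            return split_deps(fields[key]), "manifest"
    return split_deps(recipe_rdepends), "recipe"


def implicit_only(package, manifest_text, recipe_rdepends):
    """Dependencies present in the manifest but never declared in the recipe."""
    found, _ = runtime_deps(package, manifest_text)
    return sorted(set(found) - set(split_deps(recipe_rdepends)))


if __name__ == "__main__":
    print(runtime_deps("libfoo-utils", SAMPLE_MANIFEST, "libfoo1"))
    print(implicit_only("libfoo-utils", SAMPLE_MANIFEST, "libfoo1"))
    print(runtime_deps("libfoo-dev", SAMPLE_MANIFEST))  # no entry -> empty set
```
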