From: "Mathieu Dubois-Briand" <mathieu.dubois-briand@bootlin.com>
To: "Stefano Tondo" <stondo@gmail.com>,
	<openembedded-core@lists.openembedded.org>
Cc: <stefano.tondo.ext@siemens.com>, <adrian.freihofer@siemens.com>,
	<Peter.Marko@siemens.com>, <jpewhacker@gmail.com>,
	<Ross.Burton@arm.com>
Subject: Re: [PATCH v3 04/11] spdx30: Add version extraction from SRCREV for Git source components
Date: Thu, 26 Feb 2026 09:28:41 +0100
Message-ID: <DGOR2WRMKZON.1HERC4PJ8HFZP@bootlin.com>
In-Reply-To: <20260224162946.4000445-5-stondo@gmail.com>

On Tue Feb 24, 2026 at 5:29 PM CET, Stefano Tondo wrote:
> From: Stefano Tondo <stefano.tondo.ext@siemens.com>
>
> Extract version information for Git-based source components in SPDX 3.0
> SBOMs to improve SBOM completeness and enable better supply chain tracking.
>
> Problem:
> Git repositories fetched as SRC_URI entries currently appear in SBOMs
> without version information (software_packageVersion is null). This makes
> it difficult to track which specific revision of a dependency was used,
> reducing SBOM usefulness for security and compliance tracking.
>
> Solution:
> - Extract SRCREV for Git sources and use it as packageVersion
> - Use fd.revision attribute (the resolved Git commit)
> - Fallback to SRCREV variable if fd.revision not available
> - Use first 12 characters as version (standard Git short hash)
> - Generate pkg:github PURLs for GitHub repositories (official PURL type)
> - Add comprehensive debug logging for troubleshooting
>
> Impact:
> - Git source components now have version information
> - GitHub repositories get proper PURLs (pkg:github/owner/repo@commit)
> - Enables tracking specific commit dependencies in SBOMs
>
> Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
> ---

Hi Stefano,

Thanks for the new version.

It looks like some selftests are failing with this:

2026-02-25 10:19:06,136 - oe-selftest - INFO - recipetool.RecipetoolCreateTests.test_recipetool_create_python3_setuptools (subunit.RemotedTestCase)
2026-02-25 10:19:06,136 - oe-selftest - INFO -  ... FAIL

Stderr:
2026-02-25 10:01:07,706 - oe-selftest - INFO - Adding: "include selftest.inc" in /srv/pokybuild/yocto-worker/oe-selftest-armhost/build/build-st-2641922/conf/local.conf
2026-02-25 10:01:07,706 - oe-selftest - INFO - Adding: "include bblayers.inc" in bblayers.conf
2026-02-25 10:19:06,136 - oe-selftest - INFO - 0: 30/38 191/672 (18.93s) (6 failed) (recipetool.RecipetoolCreateTests.test_recipetool_create_python3_setuptools)
2026-02-25 10:19:06,136 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/meta/lib/oeqa/selftest/cases/recipetool.py", line 487, in test_recipetool_create_python3_setuptools
    result = runCmd('recipetool create --no-pypi -o %s %s' % (temprecipe, srcuri))
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/meta/lib/oeqa/utils/commands.py", line 214, in runCmd
    raise AssertionError("Command '%s' returned non-zero exit status %d:\n%s" % (command, result.status, exc_output))
AssertionError: Command 'recipetool create --no-pypi -o /tmp/recipetoolqak2seh03s/recipe https://files.pythonhosted.org/packages/84/30/80932401906eaf787f2e9bd86dc458f1d2e75b064b4c187341f29516945c/python-magic-0.4.15.tar.gz' returned non-zero exit status 1:
NOTE: Reconnecting to bitbake server...
INFO: Fetching https://files.pythonhosted.org/packages/84/30/80932401906eaf787f2e9bd86dc458f1d2e75b064b4c187341f29516945c/python-magic-0.4.15.tar.gz...
Loading cache...done.
Loaded 0 entries from dependency cache.
Parsing recipes...ERROR: /tmp/recipetoolqab0ppgbe1/recipes-recipetool/recipetool/tmp-recipetool-rnbr783h.bb: AUTOREV/SRCPV set too late for the fetcher to work properly, please set the variables earlier in parsing. Erroring instead of later obtuse build failures.
ERROR: Parsing halted due to errors, see error messages above

Summary: There were 2 ERROR messages, returning a non-zero exit code.
Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/recipetool", line 111, in <module>
    ret = main()
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/recipetool", line 100, in main
    ret = args.func(args)
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/lib/recipetool/create.py", line 525, in create_recipe
    checksums, ftmpdir = scriptutils.fetch_url(tinfoil, fetchuri, srcrev, srctree, logger, preserve_tmp=args.keep_temp)
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/openembedded-core/scripts/lib/scriptutils.py", line 202, in fetch_url
    tinfoil.parse_recipes()
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/bitbake/lib/bb/tinfoil.py", line 585, in parse_recipes
    self.run_actions(config_params)
  File "/srv/pokybuild/yocto-worker/oe-selftest-armhost/build/layers/bitbake/lib/bb/tinfoil.py", line 568, in run_actions
    raise TinfoilUIException(ret)
bb.tinfoil.TinfoilUIException: 1
...
2026-02-25 10:19:25,736 - oe-selftest - INFO - recipetool.RecipetoolCreateTests.test_recipetool_create_python3_setuptools_pypi (subunit.RemotedTestCase)
2026-02-25 10:19:25,737 - oe-selftest - INFO -  ... FAIL
...

And so on with I believe 17 tests.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/3397
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3279

Can you have a look at these?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
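
The version and PURL derivation listed in the quoted commit message, as an added example; it is not code from the patch or from openembedded-core. The function name, the sample URLs, and the choices to skip any revision that is not a fully resolved hex commit and to keep the full commit in the PURL are assumptions of this sketch.

```python
import re
from urllib.parse import quote, urlsplit

# A resolved Git commit is a full SHA-1 (40 hex) or SHA-256 (64 hex) object name.
_FULL_COMMIT = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def git_component_ids(src_uri, revision, short_len=12):
    """Return (version, purl) for one Git SRC_URI entry.

    version is the first `short_len` characters of the commit, as the commit
    message describes. purl is only produced for github.com URLs. Unresolved
    revisions (placeholders, tags, branch names) yield (None, None) so the
    SBOM never records a value that does not identify a commit.
    """
    rev = (revision or "").strip().lower()
    if not _FULL_COMMIT.match(rev):
        return None, None
    version = rev[:short_len]

    # Fetcher parameters (";protocol=https;branch=main") follow the URL.
    url = src_uri.split(";", 1)[0]
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "github.com":
        return version, None

    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        return version, None
    owner, repo = segments
    if repo.endswith(".git"):
        repo = repo[:-4]

    # The github PURL type lowercases namespace and name. Assumption of this
    # example: the PURL carries the full commit, since a 12-character prefix
    # is an abbreviation rather than a unique identifier.
    purl = "pkg:github/%s/%s@%s" % (
        quote(owner.lower(), safe=""), quote(repo.lower(), safe=""), rev)
    return version, purl


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any recipe.
    sample_rev = "0123456789abcdef0123456789abcdef01234567"
    print(git_component_ids(
        "git://github.com/Example-Org/Example-Repo.git;protocol=https;branch=main",
        sample_rev))
    print(git_component_ids("git://git.example.org/proj/repo;protocol=https", sample_rev))
    print(git_component_ids("git://github.com/example-org/example-repo.git", "AUTOINC"))
```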



Thread overview:
2026-02-24 16:29 [PATCH v3 00/11] spdx30: SBOM enrichment and documentation Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 01/11] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 02/11] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 03/11] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 04/11] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-26  8:28   ` Mathieu Dubois-Briand [this message]
2026-02-24 16:29 ` [PATCH v3 05/11] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 06/11] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 07/11] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 08/11] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 09/11] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 10/11] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-02-24 16:29 ` [PATCH v3 11/11] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
