public inbox for buildroot@busybox.net
From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Martin Willi <martin@strongswan.org>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v4 3/6] utils/generate-cyclonedx: generate externalReferences with source-distribution
Date: Thu,  9 Apr 2026 10:43:10 +0200
Message-ID: <20260409084310.27382-1-thomas.perale@mind.be>
In-Reply-To: <20260409081401.2060709-4-martin@strongswan.org>

Thanks!

Acked-by: Thomas Perale <thomas.perale@mind.be>

In reply to:
> BSI TR-03183-2 5.4.2 [1] lists source code URIs under "Additional data fields
> for each component", and as such "MUST additionally be provided, if it exists".
> 
> If an http or https source download URI is available from show-info, extract
> it and include it as an externalReference of type "source-distribution" in the
> CycloneDX output.
> 
> [1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf?__blob=publicationFile&v=5
> 
> Signed-off-by: Martin Willi <martin@strongswan.org>

> ---
>  .../tests/utils/test_generate_cyclonedx.py    | 26 ++++++++++
>  utils/generate-cyclonedx                      | 47 +++++++++++++++++++
>  2 files changed, 73 insertions(+)
> 
> diff --git a/support/testing/tests/utils/test_generate_cyclonedx.py b/support/testing/tests/utils/test_generate_cyclonedx.py
> index bf1b8e099bf9..a071ff867923 100644
> --- a/support/testing/tests/utils/test_generate_cyclonedx.py
> +++ b/support/testing/tests/utils/test_generate_cyclonedx.py
> @@ -140,3 +140,29 @@ class TestGenerateCycloneDX(unittest.TestCase):
>  
>          foo_deps = next(d for d in result["dependencies"] if d["ref"] == "package-foo")
>          self.assertEqual(foo_deps["dependsOn"], ["package-bar", "skeleton-baz"])
> +
> +    def test_external_references(self):
> +        info = self._make_show_info()
> +        info["package-foo"]["downloads"] = [
> +            {
> +                "source": "foo-1.2.tar.gz",
> +                "uris": [
> +                    "https+https://sources.buildroot.net/foo",
> +                    "http|https+https://mirror.example.org/foo",
> +                ],
> +            },
> +        ]
> +
> +        result = self._run_script(show_info=info)
> +        foo = self._find_component(result, "package-foo")
> +
> +        self.assertIn("externalReferences", foo)
> +        self.assertEqual(
> +            foo["externalReferences"],
> +            [
> +                {
> +                    "type": "source-distribution",
> +                    "url": "https://mirror.example.org/foo/foo-1.2.tar.gz",
> +                },
> +            ],
> +        )
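Review bot: the new test covers only the happy path; the sources.buildroot.net exclusion is exercised implicitly by the first URI, but there is no case for a non-http Buildroot scheme (e.g. a `git+https://...` entry, which must not become a source-distribution reference), for a download entry without a `"source"` key (the `and source` guard in cyclonedx_external_refs), or for a base URI ending in "/" (where `f"{uri}/{source}"` would emit a double slash). Suggest adding those three entries to `info["package-foo"]["downloads"]` and asserting that exactly one reference is produced, so the filtering paths are actually tested rather than just the join.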
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index f4d5afd847e5..a3b7293f9a5e 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -14,6 +14,8 @@ import gzip
>  import json
>  import os
>  from pathlib import Path
> +from typing import Iterator
> +import urllib.parse
>  import urllib.request
>  import subprocess
>  import sys
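Review bot: `from typing import Iterator` is the deprecated alias; the file already relies on builtin generics (`list[str]` in the new signatures), so it targets Python 3.9+, where `from collections.abc import Iterator` is the recommended spelling. Minor, but worth fixing while the import is being introduced.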
> @@ -261,6 +263,50 @@ def cyclonedx_patches(patch_list: list[str]):
>      }
>  
>  
> +def parse_uris(uris: list[str]) -> Iterator[tuple[list[str], str]]:
> +    """Parse download URIs into (schemes, url) tuples.
> +
> +    Splits the Buildroot URI format "scheme[|scheme]+url" and yields all
> +    Buildroot schemes with the stripped URL, excluding
> +    sources.buildroot.net mirrors.
> +
> +    Args:
> +        uris (list): Array of URI strings from the show-info output.
> +    Yields:
> +        tuple[list[str], str]: (schemes, url) for each usable URI.
> +    """
> +    for uri in uris:
> +        scheme, _, stripped_uri = uri.partition("+")
> +        if stripped_uri:
> +            parsed = urllib.parse.urlparse(stripped_uri)
> +            if parsed.hostname != "sources.buildroot.net":
> +                yield scheme.split("|"), stripped_uri
> +
> +
> +def cyclonedx_external_refs(comp):
> +    """Create CycloneDX external references for a component.
> +
> +    Args:
> +        comp (dict): The component information from the show-info output.
> +    Returns:
> +        dict: External reference information in CycloneDX format, or empty dict
> +    """
> +    SOURCE_DIST_SCHEMES = {"http", "https"}
> +
> +    refs = []
> +    for download in comp.get("downloads", []):
> +        source = download.get("source")
> +        for schemes, uri in parse_uris(download.get("uris", [])):
> +            if set(schemes) & SOURCE_DIST_SCHEMES and source:
> +                refs.append({
> +                    "type": "source-distribution",
> +                    "url": f"{uri}/{source}",
> +                })
> +    if refs:
> +        return {"externalReferences": refs}
> +    return {}
> +
> +
>  def cyclonedx_component(name, comp):
>      """Translate a component from the show-info output, to a component entry in CycloneDX format.
>  
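Review bot: the join `f"{uri}/{source}"` yields ".../foo//foo-1.2.tar.gz" whenever the stripped URI already ends with "/"; suggest `f"{uri.rstrip('/')}/{source}"`. Two smaller points in the same hunk: `source` is per download, so the `and source` test can be an early `continue` before iterating the URIs instead of being re-evaluated for every URI, and parse_uris trusts the Buildroot scheme prefix only, so an entry such as "http+foo" with no URL scheme would still be emitted as an externalReference URL; checking `parsed.scheme in ("http", "https")` on the stripped URI would guarantee that every emitted "url" is a fetchable http(s) URL. The uppercase `SOURCE_DIST_SCHEMES` constant also reads more naturally at module level than inside the function body.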
> @@ -284,6 +330,7 @@ def cyclonedx_component(name, comp):
>          **({
>              "cpe": comp["cpe-id"],
>          } if "cpe-id" in comp else {}),
> +        **cyclonedx_external_refs(comp),
>          **(cyclonedx_patches(comp["patches"]) if comp.get("patches") else {}),
>          "properties": [{
>              "name": "BR_TYPE",
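Review bot: the unconditional `**cyclonedx_external_refs(comp)` relies on the helper returning `{}` when there is nothing to add, whereas the neighbouring `cpe` and patches entries guard with an explicit condition; either convention is fine, but mixing them in one literal makes the contract easy to miss, so a short comment or the same `if` style would help. Note also that dict unpacking is last-writer-wins: if any of the later unpacked dicts ever returns an `externalReferences` key it would silently replace the one added here, so merging lists rather than unpacking would be safer if that key is expected to grow (the later patches in this series add more externalReferences).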
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
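The following is an added example that is not part of this message, of Martin's patch or of Buildroot's utils/generate-cyclonedx. It shows the same show-info to CycloneDX translation the patch implements, but generalised to the edge cases a reviewer would want covered: a mirror base URI with a trailing slash, a `git+` URI that must stay out of the source-distribution list, a download without a `"source"` name, and a non-http scheme. The `"downloads"` input is constructed to match the shape used in the test above; the `collections.abc` import, the check on the stripped URL's own scheme, the `rstrip("/")` join and the de-duplication are this example's additions, not behaviour of the patch.

```python
"""Added example (not Buildroot's utils/generate-cyclonedx and not part of
the patch): derive CycloneDX "source-distribution" externalReferences from
show-info style "downloads" entries, handling the cases the patch's test
leaves out.  All input data below is constructed for illustration."""
import urllib.parse
from collections.abc import Iterator

# Buildroot download schemes (the part before "+") that denote a plain
# archive download rather than a VCS checkout.
SOURCE_DIST_SCHEMES = {"http", "https"}
# Hosts that mirror the upstream tarball rather than originate it (as in the patch).
EXCLUDED_HOSTS = {"sources.buildroot.net"}


def parse_uris(uris: list[str]) -> Iterator[tuple[set[str], str]]:
    """Split "scheme[|scheme...]+url" entries into (schemes, url) pairs.

    Entries without a "+" separator and entries pointing at an excluded
    mirror host are skipped.
    """
    for uri in uris:
        scheme, sep, url = uri.partition("+")
        if not sep or not url:
            continue  # not in the Buildroot "scheme+url" form
        if urllib.parse.urlparse(url).hostname in EXCLUDED_HOSTS:
            continue
        yield set(scheme.split("|")), url


def source_distribution_refs(comp: dict) -> list[dict]:
    """Build the externalReferences list for one show-info component."""
    refs: list[dict] = []
    for download in comp.get("downloads", []):
        source = download.get("source")
        if not source:
            continue  # nothing to append to the base URI
        for schemes, url in parse_uris(download.get("uris", [])):
            if not schemes & SOURCE_DIST_SCHEMES:
                continue  # git+, svn+, ...: a repository, not an archive
            # Assumption beyond the patch: also require the URL itself to be
            # http(s) so the emitted reference is guaranteed to be fetchable.
            if urllib.parse.urlparse(url).scheme not in SOURCE_DIST_SCHEMES:
                continue
            # rstrip avoids ".../foo//foo-1.2.tar.gz" for a base ending in "/".
            ref = {"type": "source-distribution", "url": f"{url.rstrip('/')}/{source}"}
            if ref not in refs:  # the same mirror may be listed twice
                refs.append(ref)
    return refs


# Constructed show-info excerpt, shaped like the "downloads" key used in
# the patch's test.
COMPONENT = {
    "downloads": [
        {   # primary mirror is excluded; the second base URI has a trailing slash
            "source": "foo-1.2.tar.gz",
            "uris": [
                "https+https://sources.buildroot.net/foo",
                "http|https+https://mirror.example.org/foo/",
            ],
        },
        {   # VCS download: must not become a source-distribution reference
            "source": "bar-3.0.tar.xz",
            "uris": ["git+https://git.example.org/bar"],
        },
        {   # no "source": no file name to reference
            "uris": ["https+https://mirror.example.org/baz"],
        },
        {   # ftp is neither a Buildroot http scheme nor an http(s) URL
            "source": "qux-0.1.zip",
            "uris": ["ftp+ftp://ftp.example.org/pub/qux"],
        },
    ]
}

if __name__ == "__main__":
    import json
    print(json.dumps(source_distribution_refs(COMPONENT), indent=2))
```

Run as a script it prints a single reference, https://mirror.example.org/foo/foo-1.2.tar.gz, for the four constructed downloads; the other three entries are rejected for the reasons given in the comments, which is the behaviour a test for the patch should pin down.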


Thread overview: 10+ messages
2026-04-09  8:13 [Buildroot] [PATCH v4 0/6] Extend CycloneDX metadata Martin Willi
2026-04-09  8:13 ` [Buildroot] [PATCH v4 1/6] support/testing/utils: add basic tests for utils/generate-cyclonedx Martin Willi
2026-04-09  8:34   ` Thomas Perale via buildroot
2026-04-09  8:13 ` [Buildroot] [PATCH v4 2/6] utils/generate-cyclonedx: remove indirect dependencies from root component Martin Willi
2026-04-09  8:13 ` [Buildroot] [PATCH v4 3/6] utils/generate-cyclonedx: generate externalReferences with source-distribution Martin Willi
2026-04-09  8:43   ` Thomas Perale via buildroot [this message]
2026-04-09  8:13 ` [Buildroot] [PATCH v4 4/6] package/pkg-utils: add 'hashes' to show-info Martin Willi
2026-04-09  8:14 ` [Buildroot] [PATCH v4 5/6] utils/generate-cyclonedx: add hashes from .hash files to externalReferences Martin Willi
2026-04-09  8:14 ` [Buildroot] [PATCH v4 6/6] utils/generate-cyclonedx: generate vcs externalReferences for source repos Martin Willi
2026-04-09  8:49   ` Thomas Perale via buildroot
