* [PATCH 1/2] create-spdx-2.2: fix collect dep recipes failed
@ 2025-03-24 6:54 Hongxu Jia
2025-03-24 6:54 ` [PATCH 2/2] spdx3: support to override the version of a package in SBOM 3 Hongxu Jia
2025-03-24 9:52 ` [PATCH 1/2] create-spdx-2.2: fix collect dep recipes failed hongxu
0 siblings, 2 replies; 4+ messages in thread
From: Hongxu Jia @ 2025-03-24 6:54 UTC (permalink / raw)
To: openembedded-core, JPEWhacker
$ echo 'INHERIT:remove = "create-spdx"' >> conf/local.conf
$ echo 'INHERIT += "create-spdx-2.2"' >> conf/local.conf
$ bitbake pigz-native -ccreate_spdx -f
...
*** 0282: for dep_pn, dep_hashfn, in_taskhash in deps:
0283: # If this dependency is not calculated in the taskhash skip it.
0284: # Otherwise, it can result in broken links since this task won't
0285: # rebuild and see the new SPDX ID if the dependency changes
0286: if not in_taskhash:
Exception: TypeError: cannot unpack non-iterable Dep object
...
Since commit [classes/spdx-common: Move to library] [1] was applied, function
oe.spdx_common.get_spdx_deps returns a list of class Dep, rather than
the original list of (pn, hashfn, in_taskhash)
[1] https://github.com/openembedded/openembedded-core/commit/3f9b7c7f6b15493b6890031190ca8d1a10f2f384
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
meta/classes/create-spdx-2.2.bbclass | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 8f988de8681..de62379c503 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -279,21 +279,21 @@ def collect_dep_recipes(d, doc, spdx_recipe):
deps = oe.spdx_common.get_spdx_deps(d)
- for dep_pn, dep_hashfn, in_taskhash in deps:
+ for dep in deps:
# If this dependency is not calculated in the taskhash skip it.
# Otherwise, it can result in broken links since this task won't
# rebuild and see the new SPDX ID if the dependency changes
- if not in_taskhash:
+ if not dep.in_taskhash:
continue
- dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep_pn, dep_hashfn)
+ dep_recipe_path = oe.sbom.doc_find_by_hashfn(deploy_dir_spdx, package_archs, "recipe-" + dep.pn, dep.hashfn)
if not dep_recipe_path:
- bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep_pn, dep_hashfn))
+ bb.fatal("Cannot find any SPDX file for recipe %s, %s" % (dep.pn, dep.hashfn))
spdx_dep_doc, spdx_dep_sha1 = oe.sbom.read_doc(dep_recipe_path)
for pkg in spdx_dep_doc.packages:
- if pkg.name == dep_pn:
+ if pkg.name == dep.pn:
spdx_dep_recipe = pkg
break
else:
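Review bot: The new `for dep in deps:` loop fixes the unpack failure, but nothing here would catch the next mismatch between `oe.spdx_common.get_spdx_deps` and this class, because the error only surfaces when the create_spdx task runs with create-spdx-2.2 inherited. Consider adding a selftest that runs the reproduction from the commit message (inherit create-spdx-2.2, then `bitbake pigz-native -ccreate_spdx -f`) so that a change in the return type is caught before it lands.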
--
2.34.1
* [PATCH 2/2] spdx3: support to override the version of a package in SBOM 3
From: Hongxu Jia @ 2025-03-24 6:54 UTC (permalink / raw)
To: openembedded-core, JPEWhacker
By default, still use ${PV} as the version of a package in SBOM 3
$ bitbake acl
$ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json
...
{
"type": "software_Package",
...
"name": "acl",
"software_packageVersion": "2.3.2"
},
...
Support to override it by setting SPDX_PACKAGE_VERSION, such as
set SPDX_PACKAGE_VERSION = "${EXTENDPKGV}" in local.conf to append
PR to software_packageVersion in SBOM 3
$ echo 'SPDX_PACKAGE_VERSION = "${EXTENDPKGV}"' >> conf/local.conf
$ bitbake acl
$ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json
...
{
"type": "software_Package",
...
"name": "acl",
"software_packageVersion": "2.3.2-r0"
},
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
meta/classes/create-spdx-3.0.bbclass | 3 +++
meta/lib/oe/spdx30_tasks.py | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index b4a5156e709..044517d9f72 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -113,6 +113,9 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's
SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
is supplying artifacts produced by the build"
+SPDX_PACKAGE_VERSION ??= "${PV}"
+SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
+ in software_Package"
IMAGE_CLASSES:append = " create-spdx-image-3.0"
SDK_CLASSES += "create-spdx-sdk-3.0"
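Review bot: The `SPDX_PACKAGE_VERSION[doc]` string does not state the default or show what an override looks like. Since the `??=` default is `${PV}` and the use case in the commit message is `${EXTENDPKGV}`, suggest extending the text along the lines of "Defaults to ${PV}; set to ${EXTENDPKGV} to include PR" so the variable is self-explanatory when read on its own.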
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 1629ed69cee..52329760b6a 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -606,7 +606,7 @@ def create_spdx(d):
_id=pkg_objset.new_spdxid("package", pkg_name),
creationInfo=pkg_objset.doc.creationInfo,
name=pkg_name,
- software_packageVersion=d.getVar("PV"),
+ software_packageVersion=d.getVar("SPDX_PACKAGE_VERSION"),
)
)
set_timestamp_now(d, spdx_package, "builtTime")
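Review bot: In `software_packageVersion=d.getVar("SPDX_PACKAGE_VERSION")` there is no fallback when the variable ends up empty or unset (for example a layer or local.conf assigning an empty string), so the package would be emitted without a usable version where the removed line recorded `PV`. Consider `d.getVar("SPDX_PACKAGE_VERSION") or d.getVar("PV")`, or failing the task with a clear message.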
--
2.34.1
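An added example (not part of the patch or of OpenEmbedded's code): a Python check that a generated SPDX 3 document records the expected `software_packageVersion` after `SPDX_PACKAGE_VERSION` is set, as an alternative to reading the jq output by eye. The sample document, its `@graph` wrapper, the `acl-dev` entry and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the jq output in the commit message.
# The "@graph" wrapper and the extra entries are assumptions.
SAMPLE = json.dumps({
    "@graph": [
        {"type": "software_Package", "name": "acl",
         "software_packageVersion": "2.3.2-r0"},
        {"type": "software_Package", "name": "acl-dev",
         "software_packageVersion": "2.3.2"},
        {"type": "software_File", "name": "usr/bin/getfacl"},
    ]
})


def iter_packages(node):
    """Yield every software_Package object, however deeply it is nested."""
    if isinstance(node, dict):
        if node.get("type") == "software_Package":
            yield node
        for value in node.values():
            yield from iter_packages(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_packages(item)


def check_versions(doc_text, expected):
    """Return (name, wanted, found) for each package whose version differs.

    `expected` maps package name to the version string the SBOM should
    carry, e.g. the value of ${EXTENDPKGV} for that package.
    """
    found = {p.get("name"): p.get("software_packageVersion")
             for p in iter_packages(json.loads(doc_text))}
    problems = []
    for name, wanted in sorted(expected.items()):
        if name not in found:
            problems.append((name, wanted, "missing"))
        elif found[name] != wanted:
            problems.append((name, wanted, found[name]))
    return problems


if __name__ == "__main__":
    for row in check_versions(SAMPLE, {"acl": "2.3.2-r0", "acl-dev": "2.3.2-r0"}):
        print("version mismatch: %s wanted %s found %s" % row)
```
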
* Re: [PATCH 1/2] create-spdx-2.2: fix collect dep recipes failed
From: hongxu @ 2025-03-24 9:52 UTC (permalink / raw)
To: openembedded-core
It seems duplicated with [PATCH 1/2] classes: create-spdx-2.2: Fix dependency handling [1]
[1] https://lists.openembedded.org/g/openembedded-core/message/213481?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3ACreated%2C%2Cspdx%2C20%2C2%2C0%2C111829735
//Hongxu
* Re: [PATCH 2/2] spdx3: support to override the version of a package in SBOM 3
From: Joshua Watt @ 2025-03-24 14:56 UTC (permalink / raw)
To: Hongxu Jia; +Cc: openembedded-core
LGTM, Thanks
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
On Mon, Mar 24, 2025 at 12:54 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> By default, still use ${PV} as the version of a package in SBOM 3
> $ bitbake acl
> $ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json
> ...
> {
> "type": "software_Package",
> ...
> "name": "acl",
> "software_packageVersion": "2.3.2"
> },
> ...
>
> Support to override it by setting SPDX_PACKAGE_VERSION, such as
> set SPDX_PACKAGE_VERSION = "${EXTENDPKGV}" in local.conf to append
> PR to software_packageVersion in SBOM 3
> $ echo 'SPDX_PACKAGE_VERSION = "${EXTENDPKGV}"' >> conf/local.conf
> $ bitbake acl
> $ jq . tmp/deploy/spdx/3.0.1/core2-64/packages/package-acl.spdx.json
> ...
> {
> "type": "software_Package",
> ...
> "name": "acl",
> "software_packageVersion": "2.3.2-r0"
> },
> ...
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> meta/classes/create-spdx-3.0.bbclass | 3 +++
> meta/lib/oe/spdx30_tasks.py | 2 +-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
> index b4a5156e709..044517d9f72 100644
> --- a/meta/classes/create-spdx-3.0.bbclass
> +++ b/meta/classes/create-spdx-3.0.bbclass
> @@ -113,6 +113,9 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's
> SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
> is supplying artifacts produced by the build"
>
> +SPDX_PACKAGE_VERSION ??= "${PV}"
> +SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
> + in software_Package"
>
> IMAGE_CLASSES:append = " create-spdx-image-3.0"
> SDK_CLASSES += "create-spdx-sdk-3.0"
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index 1629ed69cee..52329760b6a 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -606,7 +606,7 @@ def create_spdx(d):
> _id=pkg_objset.new_spdxid("package", pkg_name),
> creationInfo=pkg_objset.doc.creationInfo,
> name=pkg_name,
> - software_packageVersion=d.getVar("PV"),
> + software_packageVersion=d.getVar("SPDX_PACKAGE_VERSION"),
> )
> )
> set_timestamp_now(d, spdx_package, "builtTime")
> --
> 2.34.1
>