From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, peter.marko@siemens.com,
adrian.freihofer@siemens.com
Subject: [OE-core 2/2] spdx30_tasks: Add concluded license support with SPDX_CONCLUDED_LICENSE
Date: Thu, 18 Dec 2025 13:01:39 +0100
Message-ID: <20251218120139.104155-3-stondo@gmail.com>
In-Reply-To: <20251218120139.104155-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>

Add hasConcludedLicense relationship to SBOM packages with support for
manual license conclusion override via the SPDX_CONCLUDED_LICENSE variable.

The concluded license represents the license determination after manual
or external license analysis. This should be set manually in recipes or
layers when:

1. Manual license review identifies differences from the declared LICENSE
2. External license scanning tools detect additional license information
3. Legal review concludes a different license applies

By default, the concluded license equals the declared license (indicating no
separate license analysis was performed). When differences are found,
users should:

1. Preferably: Correct the LICENSE field in the recipe and contribute
   the fix upstream to OpenEmbedded
2. Alternatively: Set SPDX_CONCLUDED_LICENSE locally in your layer when
   upstream contribution is not immediately possible or when the license
   conclusion is environment-specific

This variable allows tracking license analysis results in the SBOM while
maintaining the recipe LICENSE field for build system compatibility.

The variable is initialized in spdx-common.bbclass with comprehensive
documentation explaining its purpose, usage guidelines, and examples.

Example usage in recipe or layer:

    SPDX_CONCLUDED_LICENSE = "MIT & Apache-2.0"

Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
meta/classes/spdx-common.bbclass | 13 +++++++++++++
meta/lib/oe/spdx30_tasks.py | 21 +++++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index ca0416d1c7..3ca4c70cc0 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -36,6 +36,19 @@ SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
SPDX_CUSTOM_ANNOTATION_VARS ??= ""
+SPDX_CONCLUDED_LICENSE ??= ""
+SPDX_CONCLUDED_LICENSE[doc] = "The license concluded by manual or external \
+ license analysis. This should only be set when license analysis (manual review \
+ or external scanning tools) identifies differences from the declared LICENSE. \
+ When unset or empty, the concluded license defaults to the declared license, \
+ indicating no separate analysis was performed. When differences are found, the \
+ preferred approach is to correct the LICENSE field in the recipe and contribute \
+ the fix upstream to OpenEmbedded. Use this variable locally only when upstream \
+ contribution is not immediately possible or when the license conclusion is \
+ environment-specific. This allows tracking license analysis results in SBOM \
+ while maintaining recipe LICENSE field for build compatibility. \
+ Example: SPDX_CONCLUDED_LICENSE = 'MIT & Apache-2.0'"
+
SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
python () {
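Review bot: SPDX_CONCLUDED_LICENSE is introduced as a plain global default (`SPDX_CONCLUDED_LICENSE ??= ""`), so a value set in a layer's conf, which the [doc] text and the "recipe or layer" wording invite, would be applied to every recipe built with that layer, not only to the one package that was actually reviewed. The doc string should state that the variable is meant to be set per recipe (in the recipe itself, or in a layer via a recipe-specific override such as `SPDX_CONCLUDED_LICENSE:pn-<recipe>`), and that a recipe producing several packages with different `LICENSE:<pkg>` values will have all of them concluded with the same expression. As a style point, the [doc] text is a near copy of the commit message; a one-paragraph description here, with the usage guidance living in meta/conf/documentation.conf or the variable reference documentation, would be easier to keep in sync.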
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 286a08ed9b..84d70f6f72 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -712,6 +712,27 @@ def create_spdx(d):
oe.spdx30.RelationshipType.hasDeclaredLicense,
[oe.sbom30.get_element_link_id(package_spdx_license)],
)
+
+ # Add concluded license relationship
+ # Use SPDX_CONCLUDED_LICENSE if set, otherwise default to declared license
+ concluded_license_str = d.getVar("SPDX_CONCLUDED_LICENSE")
+ if concluded_license_str:
+ # Use explicitly set concluded license
+ if concluded_license_str != package_license and concluded_license_str != d.getVar("LICENSE"):
+ concluded_spdx_license = add_license_expression(
+ d, build_objset, concluded_license_str, license_data
+ )
+ else:
+ concluded_spdx_license = package_spdx_license
+ else:
+ # Default: concluded = declared (no analysis performed)
+ concluded_spdx_license = package_spdx_license
+
+ pkg_objset.new_relationship(
+ [spdx_package],
+ oe.spdx30.RelationshipType.hasConcludedLicense,
+ [oe.sbom30.get_element_link_id(concluded_spdx_license)],
+ )
# NOTE: CVE Elements live in the recipe collection
all_cves = set()
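Review bot: the guard `concluded_license_str != package_license and concluded_license_str != d.getVar("LICENSE")` produces a wrong relationship when a package carries its own `LICENSE:<pkg>` value: if SPDX_CONCLUDED_LICENSE happens to equal the recipe-level LICENSE but not `package_license`, the second comparison makes the code fall through to `package_spdx_license`, so the SBOM records the declared package license as concluded even though the user asked for a different expression. Compare only against `package_license`, or call add_license_expression unconditionally if it returns the existing element for an identical expression. Separately, when the variable is unset the patch emits hasConcludedLicense pointing at the declared license, while the commit message says this case means no analysis was performed; an SBOM consumer cannot distinguish that from a review that confirmed the declared license, so consider emitting the SPDX NoAssertion license element (or omitting the relationship) when no conclusion was actually made. Minor: the value from d.getVar is not stripped, so a stray trailing space in the recipe assignment would defeat the equality checks and create a separate license-expression element.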
--
2.52.0