public inbox for openembedded-core@lists.openembedded.org
From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, peter.marko@siemens.com,
	adrian.freihofer@siemens.com, JPEWhacker@gmail.com
Subject: [PATCH v2] spdx30_tasks: Add concluded license support with SPDX_CONCLUDED_LICENSE
Date: Tue,  6 Jan 2026 12:25:51 +0100
Message-ID: <20260106112557.53709-1-stondo@gmail.com>

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

Add hasConcludedLicense relationship to SBOM packages with support for
manual license conclusion override via SPDX_CONCLUDED_LICENSE variable.

The concluded license represents the license determination after manual
or external license analysis. This should be set manually in recipes or
layers when:

1. Manual license review identifies differences from the declared LICENSE
2. External license scanning tools detect additional license information
3. Legal review concludes a different license applies

The hasConcludedLicense relationship is ONLY added to the SBOM when
SPDX_CONCLUDED_LICENSE is explicitly set. When unset or empty, no
concluded license is included in the SBOM, correctly indicating that
no license analysis was performed (per SPDX semantics).

When differences from the declared LICENSE are found, users should:

1. Preferably: Correct the LICENSE field in the recipe and contribute
   the fix upstream to OpenEmbedded
2. Alternatively: Set SPDX_CONCLUDED_LICENSE locally in your layer when
   upstream contribution is not immediately possible or when the license
   conclusion is environment-specific

This variable allows tracking license analysis results in the SBOM while
maintaining the recipe LICENSE field for build system compatibility.

The variable is initialized in spdx-common.bbclass with comprehensive
documentation explaining its purpose, usage guidelines, and examples.

Example usage in recipe or layer:
  SPDX_CONCLUDED_LICENSE = "MIT & Apache-2.0"

Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
 meta/classes/spdx-common.bbclass | 14 ++++++++++++++
 meta/lib/oe/spdx30_tasks.py      | 18 ++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index ca0416d1c7..504e6fba45 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -36,6 +36,20 @@ SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json"
 
 SPDX_CUSTOM_ANNOTATION_VARS ??= ""
 
+SPDX_CONCLUDED_LICENSE ??= ""
+SPDX_CONCLUDED_LICENSE[doc] = "The license concluded by manual or external \
+    license analysis. This should only be set when explicit license analysis \
+    (manual review or external scanning tools) has been performed and a license \
+    conclusion has been reached. When unset or empty, no concluded license is \
+    included in the SBOM, indicating that no license analysis was performed. \
+    When differences from the declared LICENSE are found, the preferred approach \
+    is to correct the LICENSE field in the recipe and contribute the fix upstream \
+    to OpenEmbedded. Use this variable locally only when upstream contribution is \
+    not immediately possible or when the license conclusion is environment-specific. \
+    This allows tracking license analysis results in SBOM while maintaining recipe \
+    LICENSE field for build compatibility. \
+    Example: SPDX_CONCLUDED_LICENSE = 'MIT & Apache-2.0'"
+
 SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 
 python () {
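Review bot: The `[doc]` flag on SPDX_CONCLUDED_LICENSE does not say which syntax the value must use, which is the one thing a recipe author needs from it; since the value is fed to the same license-expression handling as LICENSE, state that it takes the same `&`/`|` expression syntax as LICENSE (the example `'MIT & Apache-2.0'` implies this but never says so). The remaining ten lines restate the commit message's policy guidance (prefer fixing LICENSE upstream, set this only locally) and would be better kept to one or two sentences here, with the longer guidance in the reference-manual entry for the variable, so the flag reads as a definition rather than a tutorial.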
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 286a08ed9b..885b9c5549 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -712,6 +712,24 @@ def create_spdx(d):
                 oe.spdx30.RelationshipType.hasDeclaredLicense,
                 [oe.sbom30.get_element_link_id(package_spdx_license)],
             )
+            
+            # Add concluded license relationship if manually set
+            # Only add when license analysis has been explicitly performed
+            concluded_license_str = d.getVar("SPDX_CONCLUDED_LICENSE")
+            if concluded_license_str:
+                # Use explicitly set concluded license
+                if concluded_license_str != package_license and concluded_license_str != d.getVar("LICENSE"):
+                    concluded_spdx_license = add_license_expression(
+                        d, build_objset, concluded_license_str, license_data
+                    )
+                else:
+                    concluded_spdx_license = package_spdx_license
+                
+                pkg_objset.new_relationship(
+                    [spdx_package],
+                    oe.spdx30.RelationshipType.hasConcludedLicense,
+                    [oe.sbom30.get_element_link_id(concluded_spdx_license)],
+                )
 
             # NOTE: CVE Elements live in the recipe collection
             all_cves = set()
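Review bot: The `else` branch (`concluded_spdx_license = package_spdx_license`) is also reached when the value equals `d.getVar("LICENSE")` but differs from `package_license`, and in that case the hasConcludedLicense relationship points at the element for the package's declared license rather than at an expression for the recipe-level LICENSE, so the SBOM records the wrong conclusion for a package whose license is overridden per package. Dropping the second comparison so that only `concluded_license_str != package_license` decides whether to call `add_license_expression` fixes this and is also simpler. Related: `d.getVar("SPDX_CONCLUDED_LICENSE")` is evaluated once per package with the same recipe-wide value, so a recipe with per-package licenses cannot express a per-package conclusion; worth either documenting that limitation or reading a per-package override. Style: the two added blank lines (`+            ` before the comment and `+                ` before `pkg_objset.new_relationship`) carry trailing whitespace and should be empty.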
-- 
2.52.0




Thread overview: 7+ messages
2026-01-06 11:25 stondo [this message]
2026-01-06 22:03 ` [PATCH v2] spdx30_tasks: Add concluded license support with SPDX_CONCLUDED_LICENSE Joshua Watt
2026-01-07  9:17 ` [PATCH v3] " stondo
2026-01-07 18:15 ` [PATCH v4] " stondo
2026-01-07 19:40   ` Joshua Watt
2026-02-10 12:19   ` [OE-core] " Ross Burton
2026-02-16 20:51     ` Tondo, Stefano
