From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: stondo@gmail.com, stefano.tondo.ext@siemens.com,
peter.marko@siemens.com, adrian.freihofer@siemens.com
Subject: [PATCH] spdx30: Add SBOM metadata component and supplier support
Date: Wed, 7 Jan 2026 19:09:51 +0100 [thread overview]
Message-ID: <20260107180951.140895-5-stondo@gmail.com> (raw)
In-Reply-To: <20260107180951.140895-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
This commit adds support for including image/product metadata and
supplier information in SPDX 3.0 SBOMs to meet compliance requirements.
New configuration variables (in spdx-common.bbclass):
SBOM_COMPONENT_NAME (optional):
- Name of the product/image being documented
- Creates a software_Package element with metadata
- Typically set to IMAGE_BASENAME or product name
SBOM_COMPONENT_VERSION (optional):
- Version of the product/image
- Falls back to DISTRO_VERSION if not set
SBOM_COMPONENT_SUMMARY (optional):
- Description of the product/image
- Falls back to IMAGE_SUMMARY if not set
SBOM_SUPPLIER_NAME (optional):
- Name of the organization supplying the SBOM
- Creates an Organization element
SBOM_SUPPLIER_URL (optional):
- URL of the supplier organization
- Added as externalIdentifier
Implementation (in sbom30.py):
- create_sbom(): Add metadata component and supplier after SBOM
creation but before collection expansion
- Create relationships:
* SBOM --describes--> metadata component
* SBOM --availableFrom--> supplier Organization
SPDX 3.0 elements created:
- software_Package (primaryPurpose: operatingSystem) for product
- Organization with optional URL externalIdentifier
- Appropriate relationships per SPDX 3.0 spec
Usage example in local.conf:
SBOM_COMPONENT_NAME = ""
SBOM_COMPONENT_VERSION = "1.0.0"
SBOM_COMPONENT_SUMMARY = "Production image for Device X"
SBOM_SUPPLIER_NAME = "Acme Corporation"
SBOM_SUPPLIER_URL = "https://acme.com"
This enables profile-specific SBOM workflows and compliance validation
tools that require product and supplier metadata.
Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
meta/lib/oe/sbom30.py | 52 +++++++++++++++++++++++++++++++++++++
meta/lib/oe/spdx30_tasks.py | 10 +++----
2 files changed, 57 insertions(+), 5 deletions(-)
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 227ac51877..197361db4f 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -1045,6 +1045,58 @@ def create_sbom(d, name, root_elements, add_objectsets=[]):
)
)
+ # Add SBOM metadata component (image/product information)
+ sbom_component_name = d.getVar("SBOM_COMPONENT_NAME")
+ if sbom_component_name:
+ sbom_component_version = d.getVar("SBOM_COMPONENT_VERSION") or d.getVar("DISTRO_VERSION") or "unknown"
+ sbom_component_summary = d.getVar("SBOM_COMPONENT_SUMMARY") or d.getVar("IMAGE_SUMMARY") or f"{name} image"
+
+ metadata_component = objset.add(
+ oe.spdx30.software_Package(
+ _id=objset.new_spdxid("metadata", "component"),
+ creationInfo=objset.doc.creationInfo,
+ name=sbom_component_name,
+ software_packageVersion=sbom_component_version,
+ summary=sbom_component_summary,
+ software_primaryPurpose=oe.spdx30.software_SoftwarePurpose.operatingSystem,
+ )
+ )
+
+ # Link SBOM to metadata component
+ objset.new_relationship(
+ [sbom],
+ oe.spdx30.RelationshipType.describes,
+ [metadata_component],
+ )
+
+ # Add supplier information if provided
+ sbom_supplier_name = d.getVar("SBOM_SUPPLIER_NAME")
+ if sbom_supplier_name:
+ sbom_supplier_url = d.getVar("SBOM_SUPPLIER_URL")
+
+ supplier = objset.add(
+ oe.spdx30.Organization(
+ _id=objset.new_spdxid("supplier", sbom_supplier_name.replace(" ", "-").lower()),
+ creationInfo=objset.doc.creationInfo,
+ name=sbom_supplier_name,
+ )
+ )
+
+ if sbom_supplier_url:
+ supplier.externalIdentifier = [
+ oe.spdx30.ExternalIdentifier(
+ externalIdentifierType=oe.spdx30.ExternalIdentifierType.urlScheme,
+ identifier=sbom_supplier_url,
+ )
+ ]
+
+ # Link supplier to SBOM (SBOM is available from supplier)
+ objset.new_relationship(
+ [sbom],
+ oe.spdx30.RelationshipType.availableFrom,
+ [supplier],
+ )
+
missing_spdxids = objset.expand_collection(add_objectsets=add_objectsets)
if missing_spdxids:
bb.warn(
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index c86b088b61..757503cd6b 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -179,17 +179,17 @@ def add_package_files(
continue
filename = str(filepath.relative_to(topdir))
-
+
# Apply file filtering if enabled
if spdx_file_filter == "essential":
file_upper = file.upper()
filename_lower = filename.lower()
-
+
# Skip if matches exclude patterns
skip_file = any(pattern in filename_lower for pattern in exclude_patterns)
if skip_file:
continue
-
+
# Keep only essential files (license/readme/etc)
is_essential = any(pattern in file_upper for pattern in essential_patterns)
if not is_essential:
@@ -198,7 +198,7 @@ def add_package_files(
# Skip all files
continue
# else: spdx_file_filter == "all" or any other value - include all files
-
+
file_purposes = get_purposes(filepath)
# Check if file is compiled
@@ -245,7 +245,7 @@ def get_package_sources_from_debug(
d, package, package_files, sources, source_hash_cache
):
spdx_file_filter = (d.getVar("SPDX_FILE_FILTER") or "all").lower()
-
+
def file_path_match(file_path, pkg_file):
if file_path.lstrip("/") == pkg_file.name.lstrip("/"):
return True
--
2.52.0
next prev parent reply other threads:[~2026-01-07 18:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-07 18:09 [PATCH] spdx-common: Clarify documentation and make SPDX_LICENSES extensible stondo
2026-01-07 18:09 ` [PATCH 2/4] spdx30_tasks: Add PURL generation for package identification stondo
2026-01-07 20:14 ` [OE-core] " Joshua Watt
2026-01-08 11:14 ` Tondo, Stefano
2026-01-07 18:09 ` [PATCH 3/4] spdx30_tasks: Use recipe metadata for dependency PURL generation stondo
2026-01-07 18:09 ` [PATCH 4/4] spdx30_tasks: Add source package PURL support stondo
2026-01-07 18:09 ` stondo [this message]
2026-01-07 20:05 ` [OE-core] [PATCH] spdx30: Add SBOM metadata component and supplier support Joshua Watt
2026-01-08 10:34 ` [PATCH] spdx30: Add supplier support for image and SDK SBOMs stondo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260107180951.140895-5-stondo@gmail.com \
--to=stondo@gmail.com \
--cc=adrian.freihofer@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=peter.marko@siemens.com \
--cc=stefano.tondo.ext@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox