[PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
	Peter.Marko@siemens.com, jpewhacker@gmail.com,
	Ross.Burton@arm.com
Subject: [PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance
Date: Sat, 21 Feb 2026 05:24:04 +0100	[thread overview]
Message-ID: <20260221042418.317535-1-stondo@gmail.com> (raw)

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

This series enhances the SPDX 3.0 SBOM generation with improvements
focused on Package URL (PURL) coverage, source metadata enrichment,
and compliance tooling integration.

Key changes:

  - Configurable file filtering to reduce SBOM size
  - Supplier metadata support for image and SDK SBOMs
  - Ecosystem-specific PURL generation (Cargo, Go, PyPI, NPM, etc.)
  - Git source version extraction and GitHub PURL generation
  - External references (VCS, distribution, homepage) for source packages
  - Image root metadata package with describes/contains relationships
  - Rootfs version and dependency scope classification (runtime/build/test)
  - Object deduplication fix preserving complete metadata
  - CPE 2.3 special character escaping for SBOM validators
  - Two selftest cases for download_location and version extraction

Total: 6 files changed, 687 insertions(+), 12 deletions(-)

Stefano Tondo (14):
  spdx30: Add configurable file filtering support
  spdx30: Add supplier support for image and SDK SBOMs
  spdx30: Add ecosystem-specific PURL generation
  spdx30: Add version extraction from SRCREV for Git source components
  spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
  sbom30: Fix object deduplication to preserve complete data
  spdx30: Enrich source downloads with external refs and PURLs
  spdx30: Include recipe base PURL in package external identifiers
  spdx30: Add image root metadata package with describes relationship
  spdx30_tasks: Fix non-deterministic BUILDNAME in image package version
  spdx30: Add rootfs version and dependency scope classification
  oeqa/selftest: Add test for download_location defensive handling
  spdx.py: Add test for version extraction patterns
  cve_check: Escape special characters in CPE 2.3 formatted strings

 meta/classes/create-spdx-3.0.bbclass |  20 ++
 meta/classes/spdx-common.bbclass     |  37 ++
 meta/lib/oe/cve_check.py             |  37 +-
 meta/lib/oe/sbom30.py                |  47 ++-
 meta/lib/oe/spdx30_tasks.py          | 483 ++++++++++++++++++++++++++-
 meta/lib/oeqa/selftest/cases/spdx.py |  75 +++++
 6 files changed, 687 insertions(+), 12 deletions(-)

-- 
2.53.0

next             reply	other threads:[~2026-02-21  4:24 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-21  4:24 Stefano Tondo [this message]
2026-02-21  4:24 ` [PATCH 01/14] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-21  4:24 ` [PATCH 02/14] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-02-21  4:24 ` [PATCH 03/14] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-02-21  4:24 ` [PATCH 04/14] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-21  4:24 ` [PATCH 05/14] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-21  4:24 ` [PATCH 06/14] sbom30: Fix object deduplication to preserve complete data Stefano Tondo
2026-02-21  4:24 ` [PATCH 07/14] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-21  4:24 ` [PATCH 08/14] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-21  4:24 ` [PATCH 09/14] spdx30: Add image root metadata package with describes relationship Stefano Tondo
2026-02-21  4:24 ` [PATCH 10/14] spdx30_tasks: Fix non-deterministic BUILDNAME in image package version Stefano Tondo
2026-02-21  4:24 ` [PATCH 11/14] spdx30: Add rootfs version and dependency scope classification Stefano Tondo
2026-02-21  4:24 ` [PATCH 12/14] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-21  4:24 ` [PATCH 13/14] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-21  4:24 ` [PATCH 14/14] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
  -- strict thread matches above, loose matches on Subject: below --
2026-02-21  5:16 [PATCH 00/14] spdx30: SBOM enrichment for PURL, metadata, and compliance Stefano Tondo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260221042418.317535-1-stondo@gmail.com \
    --to=stondo@gmail.com \
    --cc=Peter.Marko@siemens.com \
    --cc=Ross.Burton@arm.com \
    --cc=adrian.freihofer@siemens.com \
    --cc=jpewhacker@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=stefano.tondo.ext@siemens.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox