[PATCH v2 0/2] spdx30: Lifecycle scope variable declarations and test

[PATCH v2 0/2] spdx30: Lifecycle scope variable declarations and test

[Stefano Tondo]

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

This series adds bbclass variable declarations and a selftest for the
lifecycle scope dependency classification feature.

Depends on: [PATCH 00/14] spdx30: Enhance PURL generation and SBOM
metadata for SPDX 3.0.1

Changes since v1:
- Rebased on top of the PURL enhancement series (Series 1)
- Removed duplicate get_dependencies_by_scope() (already in Series 1)
- Fixed SPDX_CONCLUDED_LICENSE deletion (must not remove upstream code)
- Simplified test to use LifecycleScopedRelationship type directly

Stefano Tondo (2):
  spdx-common: Declare SPDX_FORCE_*_SCOPE override variables
  oeqa/selftest: Add test for lifecycle scope classification

 meta/classes/spdx-common.bbclass     | 13 ++++++++++
 meta/lib/oeqa/selftest/cases/spdx.py | 39 ++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

-- 
2.53.0

[PATCH v2 1/2] spdx-common: Declare SPDX_FORCE_*_SCOPE override variables

[Stefano Tondo]

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

Add bbclass variable declarations for SPDX_FORCE_BUILD_SCOPE,
SPDX_FORCE_TEST_SCOPE, and SPDX_FORCE_RUNTIME_SCOPE. These optional
variables allow recipes to override the automatic lifecycle scope
classification for dependency relationships.

The scope classification code in spdx30_tasks.py already handles these
variables gracefully when unset. These declarations provide discoverability
and documentation for users who need to correct edge cases in automatic
scope detection.

Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
 meta/classes/spdx-common.bbclass | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 81c61e10dc..99f0704caf 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -52,6 +52,19 @@ SPDX_CONCLUDED_LICENSE[doc] = "The license concluded by manual or external \
     Example: SPDX_CONCLUDED_LICENSE = 'MIT & Apache-2.0' or \
     SPDX_CONCLUDED_LICENSE:${PN} = 'MIT & Apache-2.0'"
 
+# Lifecycle scope override variables for dependency classification
+SPDX_FORCE_BUILD_SCOPE ??= ""
+SPDX_FORCE_BUILD_SCOPE[doc] = "Space-separated list of recipe names to force \
+    into build scope, overriding automatic dependency classification."
+
+SPDX_FORCE_TEST_SCOPE ??= ""
+SPDX_FORCE_TEST_SCOPE[doc] = "Space-separated list of recipe names to force \
+    into test scope. By default, test dependencies are classified as build."
+
+SPDX_FORCE_RUNTIME_SCOPE ??= ""
+SPDX_FORCE_RUNTIME_SCOPE[doc] = "Space-separated list of recipe names to force \
+    into runtime scope, overriding automatic dependency classification."
+
 SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 
 SPDX_FILES_INCLUDED ??= "all"
-- 
2.53.0

[PATCH v2 2/2] oeqa/selftest: Add test for lifecycle scope classification

[Stefano Tondo]

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

Add a selftest that verifies lifecycle scope classification correctly
assigns runtime scope to dependency relationships. The test builds
'acl' and checks that its SPDX package data contains
LifecycleScopedRelationship objects with runtime scope, verifying
that implicit shared library dependencies (e.g., glibc) are captured.

Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
 meta/lib/oeqa/selftest/cases/spdx.py | 39 ++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/meta/lib/oeqa/selftest/cases/spdx.py b/meta/lib/oeqa/selftest/cases/spdx.py
index 9a0ef526d2..a01d8d567f 100644
--- a/meta/lib/oeqa/selftest/cases/spdx.py
+++ b/meta/lib/oeqa/selftest/cases/spdx.py
@@ -489,3 +489,42 @@ class SPDX30Check(SPDX3CheckBase, OESelftestTestCase):
                 r'\d',
                 f"Version '{version}' for package '{name}' should contain digits"
             )
+
+    def test_lifecycle_scope_dependencies(self):
+        """Test that lifecycle scope classification assigns runtime scope."""
+        objset = self.check_recipe_spdx(
+            "acl",
+            "{DEPLOY_DIR_SPDX}/{SSTATE_PKGARCH}/packages/package-acl.spdx.json",
+        )
+
+        # Find runtime-scoped dependency relationships
+        runtime_rels = []
+        for rel in objset.foreach_type(oe.spdx30.LifecycleScopedRelationship):
+            if (rel.relationshipType == oe.spdx30.RelationshipType.dependsOn and
+                    rel.scope == oe.spdx30.LifecycleScopeType.runtime):
+                runtime_rels.append(rel)
+
+        self.assertGreater(
+            len(runtime_rels), 0,
+            "Expected runtime-scoped dependency relationships for acl"
+        )
+
+        # Verify dependencies reference other packages via link IDs
+        all_dep_ids = []
+        for rel in runtime_rels:
+            for to_elem in rel.to:
+                dep_id = to_elem._id if hasattr(to_elem, '_id') else str(to_elem)
+                all_dep_ids.append(dep_id)
+
+        self.assertGreater(
+            len(all_dep_ids), 0,
+            "Runtime dependency relationships should reference target packages"
+        )
+
+        # Verify implicit glibc dependency is captured (auto-detected
+        # shared library dependency)
+        has_glibc = any('glibc' in dep_id for dep_id in all_dep_ids)
+        self.assertTrue(
+            has_glibc,
+            f"Expected glibc in runtime dependencies. Found IDs: {all_dep_ids}"
+        )
-- 
2.53.0