public inbox for openembedded-core@lists.openembedded.org
From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
	Peter.Marko@siemens.com, jpewhacker@gmail.com,
	Ross.Burton@arm.com
Subject: [PATCH v2 00/18] spdx30: SBOM enrichment, lifecycle scope, and documentation
Date: Sat, 21 Feb 2026 06:09:48 +0100
Message-ID: <20260221051006.335141-1-stondo@gmail.com>

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

This v2 consolidates three separate patch series I sent earlier into
a single unified series. No functional changes from v1 -- this is
purely a reorganization for easier review.

Changes since v1:
  - Consolidated three separate series into one unified series
  - Rebased documentation patches on top of the full series

This series enhances the SPDX 3.0 SBOM generation with improvements
focused on Package URL (PURL) coverage, source metadata enrichment,
lifecycle scope classification, and variable documentation.

Patches 01-14: SBOM enrichment (PURL, metadata, compliance)

  - Configurable file filtering to reduce SBOM size
  - Supplier metadata support for image and SDK SBOMs
  - Ecosystem-specific PURL generation (Cargo, Go, PyPI, NPM, etc.)
  - Git source version extraction and GitHub PURL generation
  - External references (VCS, distribution, homepage) for sources
  - Image root metadata package with describes/contains relationships
  - Rootfs version and dependency scope classification
  - Object deduplication fix preserving complete metadata
  - CPE 2.3 special character escaping for SBOM validators
  - Two selftest cases for download_location and version extraction

Patches 15-16: Lifecycle scope override variables

  - SPDX_FORCE_BUILD_SCOPE, SPDX_FORCE_TEST_SCOPE,
    SPDX_FORCE_RUNTIME_SCOPE bbclass variable declarations
  - Selftest for lifecycle scope classification

Patches 17-18: SPDX variable documentation

  - Documentation strings for 8 undocumented SPDX variables
  - SPDX_LICENSES made extensible (space-separated file list)

Total: 7 files changed, 797 insertions(+), 16 deletions(-)

Stefano Tondo (18):
  spdx30: Add configurable file filtering support
  spdx30: Add supplier support for image and SDK SBOMs
  spdx30: Add ecosystem-specific PURL generation
  spdx30: Add version extraction from SRCREV for Git source components
  spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
  sbom30: Fix object deduplication to preserve complete data
  spdx30: Enrich source downloads with external refs and PURLs
  spdx30: Include recipe base PURL in package external identifiers
  spdx30: Add image root metadata package with describes relationship
  spdx30_tasks: Fix non-deterministic BUILDNAME in image package version
  spdx30: Add rootfs version and dependency scope classification
  oeqa/selftest: Add test for download_location defensive handling
  spdx.py: Add test for version extraction patterns
  cve_check: Escape special characters in CPE 2.3 formatted strings
  spdx-common: Declare SPDX_FORCE_*_SCOPE override variables
  oeqa/selftest: Add test for lifecycle scope classification
  spdx-common: Add documentation for undocumented SPDX variables
  spdx-common: Clarify documentation and make SPDX_LICENSES extensible

 meta/classes/create-spdx-3.0.bbclass |  20 ++
 meta/classes/spdx-common.bbclass     |  81 +++++
 meta/lib/oe/cve_check.py             |  37 +-
 meta/lib/oe/sbom30.py                |  47 ++-
 meta/lib/oe/spdx30_tasks.py          | 483 ++++++++++++++++++++++++++-
 meta/lib/oe/spdx_common.py           |  31 +-
 meta/lib/oeqa/selftest/cases/spdx.py | 114 +++++++
 7 files changed, 797 insertions(+), 16 deletions(-)

-- 
2.53.0
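Patch 14 in this series escapes special characters in CPE 2.3 formatted strings so that SBOM validators accept them. The following is an added illustration of why that matters, not code from this series or from meta/lib/oe/cve_check.py: it applies the escaping rule of the NISTIR 7695 formatted-string binding (alphanumerics, underscore, period and hyphen are left as-is, other punctuation is backslash-escaped, and "*" / "-" as whole values are the logical ANY / NA), and contrasts it with a naive join in which an unescaped colon inside a version string makes a parser count 14 fields instead of 13. Function names, the vendor/product/version values and the 13-field structural check are my own assumptions for the example.

```python
import re

# Punctuation that the CPE 2.3 formatted-string binding (NISTIR 7695, section 6.2.2)
# requires to be backslash-escaped inside an attribute value. Alphanumerics, "_",
# "." and "-" are emitted unescaped; "*" and "?" are wildcards and are not touched
# here (assumption: callers pass literal values, not wildcard patterns).
_CPE23_PUNCT = '!"#$%&\'()+,/:;<=>@[\\]^`{|}~'
_CPE23_ESCAPE_RE = re.compile("([" + re.escape(_CPE23_PUNCT) + "])")

# A formatted string has 13 colon-separated fields: "cpe", "2.3" and 11 attributes.
CPE23_FIELD_COUNT = 13


def escape_cpe23_component(value: str) -> str:
    """Escape one attribute value for use in a CPE 2.3 formatted string."""
    if value in ("*", "-"):
        return value  # logical values ANY ("*") and NA ("-") pass through unchanged
    return _CPE23_ESCAPE_RE.sub(r"\\\1", value)


def build_cpe23(vendor: str, product: str, version: str, part: str = "a") -> str:
    """Build a formatted string with the remaining seven attributes set to ANY."""
    attrs = [part, vendor, product, version] + ["*"] * 7
    return "cpe:2.3:" + ":".join(escape_cpe23_component(a) for a in attrs)


def naive_cpe23(vendor: str, product: str, version: str, part: str = "a") -> str:
    """The unescaped form a validator rejects; kept only for comparison."""
    return "cpe:2.3:" + ":".join([part, vendor, product, version] + ["*"] * 7)


def split_cpe23(cpe: str) -> list:
    """Split on unescaped colons only, the way a conforming parser does."""
    fields, current, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            current.append(ch + cpe[i + 1])  # keep the escape pair together
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def is_well_formed_cpe23(cpe: str) -> bool:
    """Structural check a validator performs: correct prefix and exactly 13 fields."""
    return cpe.startswith("cpe:2.3:") and len(split_cpe23(cpe)) == CPE23_FIELD_COUNT


if __name__ == "__main__":
    # Constructed sample: a version carrying "+" and ":", as a git-derived suffix
    # might, which are exactly the characters that need escaping.
    version = "2.4.1-r0+git:abc"
    good = build_cpe23("acme", "libfoo", version)
    bad = naive_cpe23("acme", "libfoo", version)
    print(good, is_well_formed_cpe23(good))  # escaped string, True
    print(bad, is_well_formed_cpe23(bad))    # unescaped string, False (14 fields)
```

Vendor and product normalization (lowercasing, replacing spaces with underscores) is deliberately left to the caller; the example only covers the escaping step that decides whether a validator can split the string into its fields.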


Thread overview: 23+ messages
2026-02-21  5:09 Stefano Tondo [this message]
2026-02-21  5:09 ` [PATCH v2 01/18] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-21  5:09 ` [PATCH v2 02/18] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-02-21  5:09 ` [PATCH v2 03/18] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-02-21  5:09 ` [PATCH v2 04/18] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-22 13:34   ` [OE-core] " Mathieu Dubois-Briand
2026-02-21  5:09 ` [PATCH v2 05/18] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-21  5:09 ` [PATCH v2 06/18] sbom30: Fix object deduplication to preserve complete data Stefano Tondo
2026-02-21 16:45   ` Joshua Watt
2026-02-21  5:09 ` [PATCH v2 07/18] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-21  5:09 ` [PATCH v2 08/18] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-21  5:09 ` [PATCH v2 09/18] spdx30: Add image root metadata package with describes relationship Stefano Tondo
2026-02-21 16:47   ` Joshua Watt
2026-02-21  5:09 ` [PATCH v2 10/18] spdx30_tasks: Fix non-deterministic BUILDNAME in image package version Stefano Tondo
2026-02-21  5:09 ` [PATCH v2 11/18] spdx30: Add rootfs version and dependency scope classification Stefano Tondo
2026-02-21  5:10 ` [PATCH v2 12/18] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-21  5:10 ` [PATCH v2 13/18] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-21  5:10 ` [PATCH v2 14/18] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-02-21  5:10 ` [PATCH v2 15/18] spdx-common: Declare SPDX_FORCE_*_SCOPE override variables Stefano Tondo
2026-02-21  5:10 ` [PATCH v2 16/18] oeqa/selftest: Add test for lifecycle scope classification Stefano Tondo
2026-02-21  5:10 ` [PATCH v2 17/18] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-02-21  5:10 ` [PATCH v2 18/18] spdx-common: Clarify documentation and make SPDX_LICENSES extensible Stefano Tondo
