From: Stefano Tondo <stondo@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, adrian.freihofer@siemens.com,
Peter.Marko@siemens.com, jpewhacker@gmail.com,
Ross.Burton@arm.com
Subject: [PATCH v2 02/18] spdx30: Add supplier support for image and SDK SBOMs
Date: Sat, 21 Feb 2026 06:09:50 +0100 [thread overview]
Message-ID: <20260221051006.335141-3-stondo@gmail.com> (raw)
In-Reply-To: <20260221051006.335141-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
This commit adds support for setting supplier information on image and SDK
SBOMs using the suppliedBy property on root elements.
New configuration variables:
SPDX_IMAGE_SUPPLIER (optional):
- Base variable name to describe the Agent supplying the image SBOM
- Follows the same Agent variable pattern as SPDX_PACKAGE_SUPPLIER
- Sets suppliedBy on all root elements of the image SBOM
SPDX_SDK_SUPPLIER (optional):
- Base variable name to describe the Agent supplying the SDK SBOM
- Follows the same Agent variable pattern as SPDX_PACKAGE_SUPPLIER
- Sets suppliedBy on all root elements of the SDK SBOM
Implementation:
- create_image_sbom_spdx(): After create_sbom() returns, uses
objset.new_agent() to create supplier and sets suppliedBy on
sbom.rootElement
- create_sdk_sbom(): After create_sbom() returns, uses objset.new_agent()
to create supplier and sets suppliedBy on sbom.rootElement
- Uses existing agent infrastructure (objset.new_agent()) for proper
de-duplication and metadata handling
- No changes to generic create_sbom() function which is used for recipes,
images, and SDKs
Usage example in local.conf:
SPDX_IMAGE_SUPPLIER = "acme"
SPDX_IMAGE_SUPPLIER_acme_name = "Acme Corporation"
SPDX_IMAGE_SUPPLIER_acme_type = "organization"
SPDX_IMAGE_SUPPLIER_acme_id_email = "sbom@acme.com"
This enables compliance workflows that require supplier metadata on image
and SDK SBOMs while following existing OpenEmbedded SPDX patterns.
Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
meta/classes/create-spdx-3.0.bbclass | 10 +++++
meta/lib/oe/spdx30_tasks.py | 59 +++++++++++++++++++++++++---
2 files changed, 63 insertions(+), 6 deletions(-)
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index d4575d61c4..def2dacbc3 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -124,6 +124,16 @@ SPDX_ON_BEHALF_OF[doc] = "The base variable name to describe the Agent on who's
SPDX_PACKAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
is supplying artifacts produced by the build"
+SPDX_IMAGE_SUPPLIER[doc] = "The base variable name to describe the Agent who \
+ is supplying the image SBOM. The supplier will be set on all root elements \
+ of the image SBOM using the suppliedBy property. If not set, no supplier \
+ information will be added to the image SBOM."
+
+SPDX_SDK_SUPPLIER[doc] = "The base variable name to describe the Agent who \
+ is supplying the SDK SBOM. The supplier will be set on all root elements \
+ of the SDK SBOM using the suppliedBy property. If not set, no supplier \
+ information will be added to the SDK SBOM."
+
SPDX_PACKAGE_VERSION ??= "${PV}"
SPDX_PACKAGE_VERSION[doc] = "The version of a package, software_packageVersion \
in software_Package"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index bd703b5bec..789b39bd93 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -162,7 +162,7 @@ def add_package_files(
bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
# File filtering configuration
- spdx_file_filter = (d.getVar("SPDX_FILE_FILTER") or "all").lower()
+ spdx_file_filter = (d.getVar("SPDX_FILES_INCLUDED") or "all").lower()
essential_patterns = (d.getVar("SPDX_FILE_ESSENTIAL_PATTERNS") or "").split()
exclude_patterns = (d.getVar("SPDX_FILE_EXCLUDE_PATTERNS") or "").split()
@@ -244,7 +244,7 @@ def add_package_files(
def get_package_sources_from_debug(
d, package, package_files, sources, source_hash_cache
):
- spdx_file_filter = (d.getVar("SPDX_FILE_FILTER") or "all").lower()
+ spdx_file_filter = (d.getVar("SPDX_FILES_INCLUDED") or "all").lower()
def file_path_match(file_path, pkg_file):
if file_path.lstrip("/") == pkg_file.name.lstrip("/"):
@@ -283,7 +283,7 @@ def get_package_sources_from_debug(
if spdx_file_filter in ("none", "essential"):
bb.debug(
1,
- f"Skipping debug source lookup for {file_path} in {package} (filtered by SPDX_FILE_FILTER={spdx_file_filter})",
+ f"Skipping debug source lookup for {file_path} in {package} (filtered by SPDX_FILES_INCLUDED={spdx_file_filter})",
)
continue
else:
@@ -663,7 +663,13 @@ def create_spdx(d):
force_purposes=["install"],
)
- supplier = build_objset.new_agent("SPDX_PACKAGE_SUPPLIER")
+ # Follow the same pattern as SPDX_AUTHORS: get identifier, build varname, then call new_agent
+ supplier_id_val = d.getVar("SPDX_PACKAGE_SUPPLIER")
+ if supplier_id_val:
+ supplier_varname = f"SPDX_PACKAGE_SUPPLIER_{supplier_id_val}"
+ supplier = build_objset.new_agent(supplier_varname)
+ else:
+ supplier = None
if supplier is not None:
spdx_package.suppliedBy = (
supplier if isinstance(supplier, str) else supplier._id
@@ -1006,8 +1012,17 @@ def write_bitbake_spdx(d):
objset = oe.sbom30.ObjectSet.new_objset(d, "bitbake", False)
host_import_key = d.getVar("SPDX_BUILD_HOST")
- invoked_by = objset.new_agent("SPDX_INVOKED_BY", add=False)
- on_behalf_of = objset.new_agent("SPDX_ON_BEHALF_OF", add=False)
+ invoked_by = None
+ invoked_by_id_val = d.getVar("SPDX_INVOKED_BY")
+ if invoked_by_id_val:
+ invoked_by_varname = f"SPDX_INVOKED_BY_{invoked_by_id_val}"
+ invoked_by = objset.new_agent(invoked_by_varname, add=False)
+
+ on_behalf_of = None
+ on_behalf_of_id_val = d.getVar("SPDX_ON_BEHALF_OF")
+ if on_behalf_of_id_val:
+ on_behalf_of_varname = f"SPDX_ON_BEHALF_OF_{on_behalf_of_id_val}"
+ on_behalf_of = objset.new_agent(on_behalf_of_varname, add=False)
if d.getVar("SPDX_INCLUDE_BITBAKE_PARENT_BUILD") == "1":
# Since the Build objects are unique, we may as well set the creation
@@ -1330,6 +1345,22 @@ def create_image_sbom_spdx(d):
objset, sbom = oe.sbom30.create_sbom(d, image_name, root_elements)
+ # Set supplier on root elements if SPDX_IMAGE_SUPPLIER is defined
+ # Follow the same pattern as SPDX_AUTHORS: get identifier, build varname, then call new_agent
+ supplier_id_val = d.getVar("SPDX_IMAGE_SUPPLIER")
+ if supplier_id_val:
+ supplier_varname = f"SPDX_IMAGE_SUPPLIER_{supplier_id_val}"
+ supplier = objset.new_agent(supplier_varname, add=False)
+ if supplier is not None:
+ supplier_id = supplier if isinstance(supplier, str) else supplier._id
+ # Add supplier to objset if it's not already there
+ if not isinstance(supplier, str):
+ objset.add(supplier)
+ # Set suppliedBy on all root elements
+ for elem in sbom.rootElement:
+ if hasattr(elem, "suppliedBy"):
+ elem.suppliedBy = supplier_id
+
oe.sbom30.write_jsonld_doc(d, objset, spdx_path)
def make_image_link(target_path, suffix):
@@ -1441,6 +1472,22 @@ def create_sdk_sbom(d, sdk_deploydir, spdx_work_dir, toolchain_outputname):
d, toolchain_outputname, sorted(list(files)), [rootfs_objset]
)
+ # Set supplier on root elements if SPDX_SDK_SUPPLIER is defined
+ # Follow the same pattern as SPDX_AUTHORS: get identifier, build varname, then call new_agent
+ supplier_id_val = d.getVar("SPDX_SDK_SUPPLIER")
+ if supplier_id_val:
+ supplier_varname = f"SPDX_SDK_SUPPLIER_{supplier_id_val}"
+ supplier = objset.new_agent(supplier_varname, add=False)
+ if supplier is not None:
+ supplier_id = supplier if isinstance(supplier, str) else supplier._id
+ # Add supplier to objset if it's not already there
+ if not isinstance(supplier, str):
+ objset.add(supplier)
+ # Set suppliedBy on all root elements
+ for elem in sbom.rootElement:
+ if hasattr(elem, "suppliedBy"):
+ elem.suppliedBy = supplier_id
+
oe.sbom30.write_jsonld_doc(
d, objset, sdk_deploydir / (toolchain_outputname + ".spdx.json")
)
--
2.53.0
next prev parent reply other threads:[~2026-02-21 5:10 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-21 5:09 [PATCH v2 00/18] spdx30: SBOM enrichment, lifecycle scope, and documentation Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 01/18] spdx30: Add configurable file filtering support Stefano Tondo
2026-02-21 5:09 ` Stefano Tondo [this message]
2026-02-21 5:09 ` [PATCH v2 03/18] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 04/18] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-02-22 13:34 ` [OE-core] " Mathieu Dubois-Briand
2026-02-21 5:09 ` [PATCH v2 05/18] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 06/18] sbom30: Fix object deduplication to preserve complete data Stefano Tondo
2026-02-21 16:45 ` Joshua Watt
2026-02-21 5:09 ` [PATCH v2 07/18] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 08/18] spdx30: Include recipe base PURL in package external identifiers Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 09/18] spdx30: Add image root metadata package with describes relationship Stefano Tondo
2026-02-21 16:47 ` Joshua Watt
2026-02-21 5:09 ` [PATCH v2 10/18] spdx30_tasks: Fix non-deterministic BUILDNAME in image package version Stefano Tondo
2026-02-21 5:09 ` [PATCH v2 11/18] spdx30: Add rootfs version and dependency scope classification Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 12/18] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 13/18] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 14/18] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 15/18] spdx-common: Declare SPDX_FORCE_*_SCOPE override variables Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 16/18] oeqa/selftest: Add test for lifecycle scope classification Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 17/18] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-02-21 5:10 ` [PATCH v2 18/18] spdx-common: Clarify documentation and make SPDX_LICENSES extensible Stefano Tondo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260221051006.335141-3-stondo@gmail.com \
--to=stondo@gmail.com \
--cc=Peter.Marko@siemens.com \
--cc=Ross.Burton@arm.com \
--cc=adrian.freihofer@siemens.com \
--cc=jpewhacker@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=stefano.tondo.ext@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox