From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com,
adrian.freihofer@siemens.com, jpewhacker@gmail.com,
mathieu@bootlin.com, Ross.Burton@arm.com
Subject: [PATCH v4 00/11] spdx30: SBOM enrichment and documentation
Date: Thu, 26 Feb 2026 13:18:12 +0100
Message-ID: <20260226121823.149327-1-stondo@gmail.com>

From: Stefano Tondo <stefano.tondo.ext@siemens.com>

This v4 fixes the recipetool/devtool selftest failures reported by
Mathieu Dubois-Briand (Bootlin) on the v3 autobuilder run.

Changes since v3:

- Fixed "AUTOREV/SRCPV set too late for the fetcher to work properly"
  errors that caused ~17 recipetool/devtool selftest failures (04/11)
- Removed d.getVar('SRCREV') fallback in version extraction code;
  this reference caused bitbake's signature generator to trace the
  SRCREV -> AUTOREV dependency chain during recipe finalization,
  triggering fatal errors for non-git temp recipes used by
  recipetool/devtool with HTTP sources
- fd.revision is always available for git sources after fetch, so
  the fallback was unnecessary

Root cause details:

spdx30_tasks.py is registered via BBIMPORTS (oe/__init__.py), which
means bb.codeparser.add_module_functions() parses all its public
functions for variable references. The d.getVar('SRCREV') call caused
SRCREV to be tracked as a dependency. During siggen.finalise(),
expanding SRCREV -> ${AUTOREV} -> ${@bb.fetch2.get_autorev(d)} set
__BBAUTOREV_SEEN. Combined with __BBSRCREV_SEEN (from
fetcher_hashes_dummyfunc), the sanity check at ast.py:550-551 fired
for non-git recipes where __BBAUTOREV_ACTED_UPON was never set.

Verified locally:

- recipetool create (HTTP tarball): PASSED
- recipetool create (git URL): PASSED
- oe-selftest recipetool.RecipetoolCreateTests.test_recipetool_create_simple: PASSED
- oe-selftest recipetool.RecipetoolCreateTests.test_recipetool_create_cmake: PASSED
- oe-selftest devtool.DevtoolAddTests.test_devtool_add_fetch_simple: PASSED
- All SPDX selftests: PASSED

Stefano Tondo (11):
  spdx30: Add configurable file filtering support
  spdx30: Add supplier support for image and SDK SBOMs
  spdx30: Add ecosystem-specific PURL generation
  spdx30: Add version extraction from SRCREV for Git source components
  spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting
  spdx30: Enrich source downloads with external refs and PURLs
  spdx30: Include recipe base PURL in package external identifiers
  oeqa/selftest: Add test for download_location defensive handling
  spdx.py: Add test for version extraction patterns
  cve_check: Escape special characters in CPE 2.3 formatted strings
  spdx-common: Add documentation for undocumented SPDX variables

 meta/classes/create-spdx-3.0.bbclass |  20 ++
 meta/classes/spdx-common.bbclass     |  63 +++++
 meta/lib/oe/cve_check.py             |  37 ++-
 meta/lib/oe/spdx30_tasks.py          | 341 ++++++++++++++++++++++++++-
 meta/lib/oeqa/selftest/cases/spdx.py |  75 ++++++
 5 files changed, 529 insertions(+), 7 deletions(-)

--
2.53.0
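
Added example, not part of the original message and not code from this series or from bitbake: a simplified model of the root cause in the cover letter, showing that a static scan for d.getVar('NAME') literals tracks SRCREV (and, through its value, AUTOREV) even when the fallback branch never runs. extract_version, TOY_VARS and both sample sources are constructed for illustration; the scan uses Python's ast module and is an assumption about the general technique, not bitbake's parser.

```python
import ast
import re

# Constructed sample sources (not the real spdx30_tasks.py code).
WITH_FALLBACK = '''
def extract_version(d, fd):
    rev = getattr(fd, "revision", None)
    if not rev:
        rev = d.getVar('SRCREV')  # fallback, not reached when fd.revision is set
    return rev[:12] if rev else None
'''
WITHOUT_FALLBACK = '''
def extract_version(d, fd):
    rev = getattr(fd, "revision", None)
    return rev[:12] if rev else None
'''
# Toy variable table mirroring the expansion chain quoted in the cover letter.
TOY_VARS = {"SRCREV": "${AUTOREV}", "AUTOREV": "${@bb.fetch2.get_autorev(d)}"}

def static_var_refs(source):
    """Names read via d.getVar('LITERAL') anywhere in the source, reachable or not."""
    refs = set()
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "getVar"
                and isinstance(node.func.value, ast.Name) and node.func.value.id == "d"
                and node.args and isinstance(node.args[0], ast.Constant)
                and isinstance(node.args[0].value, str)):
            refs.add(node.args[0].value)
    return refs

def dependency_closure(refs, variables):
    """Follow ${VAR} references in variable values until no new names appear."""
    seen, todo = set(), list(refs)
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo.extend(re.findall(r"\$\{([A-Za-z0-9_]+)\}", variables.get(name, "")))
    return seen

def runtime_reads(source, revision="0123456789abcdef0123"):
    """Run extract_version with fd.revision set and record which variables it reads."""
    reads, ns = [], {}
    exec(source, ns)  # constructed constant defined above, not untrusted input
    d = type("Store", (), {"getVar": lambda self, name: reads.append(name)})()
    fd = type("FetchData", (), {"revision": revision})()
    ns["extract_version"](d, fd)
    return reads
```

In this model the with-fallback source yields the tracked set {SRCREV, AUTOREV} while runtime_reads() on the same source returns an empty list, which is the gap between static tracking and actual execution that the cover letter describes.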