From: stondo@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Ross.Burton@arm.com, jpewhacker@gmail.com,
stefano.tondo.ext@siemens.com, Peter.Marko@siemens.com,
adrian.freihofer@siemens.com, mathieu.dubois-briand@bootlin.com
Subject: [OE-core][PATCH v8 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses
Date: Mon, 9 Mar 2026 14:28:50 +0100 [thread overview]
Message-ID: <20260309132854.128375-4-stondo@gmail.com> (raw)
In-Reply-To: <20260309132854.128375-1-stondo@gmail.com>
From: Stefano Tondo <stefano.tondo.ext@siemens.com>
Have each ecosystem bbclass set its own Package URL by prepending to
SPDX_PACKAGE_URLS, rather than detecting inherited classes from the
SPDX code. This follows the principle that each class should know how
to describe itself.
The following bbclasses now generate ecosystem PURLs:
- pypi.bbclass: pkg:pypi/<normalized-name>@PV
- npm.bbclass: pkg:npm/<name>@PV
- cargo_common.bbclass: pkg:cargo/<name>@PV
- go-mod.bbclass: pkg:golang/<GO_IMPORT>@PV
- cpan.bbclass: pkg:cpan/<name>@PV
Additional ecosystems (nuget, maven, dotnet) can follow the same
pattern in their respective layers.
Signed-off-by: Stefano Tondo <stefano.tondo.ext@siemens.com>
---
meta/classes-recipe/cargo_common.bbclass | 3 +++
meta/classes-recipe/cpan.bbclass | 11 +++++++++++
meta/classes-recipe/go-mod.bbclass | 3 +++
meta/classes-recipe/npm.bbclass | 7 +++++++
meta/classes-recipe/pypi.bbclass | 3 +++
5 files changed, 27 insertions(+)
diff --git a/meta/classes-recipe/cargo_common.bbclass b/meta/classes-recipe/cargo_common.bbclass
index bc44ad7918..e884b344ef 100644
--- a/meta/classes-recipe/cargo_common.bbclass
+++ b/meta/classes-recipe/cargo_common.bbclass
@@ -240,3 +240,6 @@ EXPORT_FUNCTIONS do_configure
# https://github.com/rust-lang/libc/issues/3223
# https://github.com/rust-lang/libc/pull/3175
INSANE_SKIP:append = " 32bit-time"
+
+# Generate ecosystem-specific Package URL for SPDX
+SPDX_PACKAGE_URLS:prepend = "pkg:cargo/${BPN}@${PV} "
diff --git a/meta/classes-recipe/cpan.bbclass b/meta/classes-recipe/cpan.bbclass
index bb76a5b326..355e7e6adf 100644
--- a/meta/classes-recipe/cpan.bbclass
+++ b/meta/classes-recipe/cpan.bbclass
@@ -68,4 +68,15 @@ cpan_do_install () {
done
}
+# Generate ecosystem-specific Package URL for SPDX
+def cpan_spdx_name(d):
+ bpn = d.getVar('BPN')
+ if bpn.startswith('perl-'):
+ return bpn[5:]
+ elif bpn.startswith('libperl-'):
+ return bpn[8:]
+ return bpn
+
+SPDX_PACKAGE_URLS:prepend = "pkg:cpan/${@cpan_spdx_name(d)}@${PV} "
+
EXPORT_FUNCTIONS do_configure do_compile do_install
diff --git a/meta/classes-recipe/go-mod.bbclass b/meta/classes-recipe/go-mod.bbclass
index a15dda8f0e..344712b193 100644
--- a/meta/classes-recipe/go-mod.bbclass
+++ b/meta/classes-recipe/go-mod.bbclass
@@ -32,3 +32,6 @@ do_compile[dirs] += "${B}/src/${GO_WORKDIR}"
# Make go install unpack the module zip files in the module cache directory
# before the license directory is polulated with license files.
addtask do_compile before do_populate_lic
+
+# Generate ecosystem-specific Package URL for SPDX
+SPDX_PACKAGE_URLS:prepend = "pkg:golang/${GO_IMPORT}@${PV} "
diff --git a/meta/classes-recipe/npm.bbclass b/meta/classes-recipe/npm.bbclass
index 344e8b4bec..aec69ebfd3 100644
--- a/meta/classes-recipe/npm.bbclass
+++ b/meta/classes-recipe/npm.bbclass
@@ -354,4 +354,11 @@ FILES:${PN} += " \
${nonarch_libdir} \
"
+# Generate ecosystem-specific Package URL for SPDX
+def npm_spdx_name(d):
+ bpn = d.getVar('BPN')
+ return bpn[4:] if bpn.startswith('node-') else bpn
+
+SPDX_PACKAGE_URLS:prepend = "pkg:npm/${@npm_spdx_name(d)}@${PV} "
+
EXPORT_FUNCTIONS do_configure do_compile do_install
diff --git a/meta/classes-recipe/pypi.bbclass b/meta/classes-recipe/pypi.bbclass
index 1372d85e8d..fd5cd7af95 100644
--- a/meta/classes-recipe/pypi.bbclass
+++ b/meta/classes-recipe/pypi.bbclass
@@ -55,3 +55,6 @@ UPSTREAM_CHECK_URI ?= "https://pypi.org/simple/${@pypi_normalize(d)}/"
UPSTREAM_CHECK_REGEX ?= "${UPSTREAM_CHECK_PYPI_PACKAGE}-(?P<pver>(\d+[\.\-_]*)+).(tar\.gz|tgz|zip|tar\.bz2)"
CVE_PRODUCT ?= "python:${PYPI_PACKAGE}"
+
+# Generate ecosystem-specific Package URL for SPDX
+SPDX_PACKAGE_URLS:prepend = "pkg:pypi/${@pypi_normalize(d)}@${PV} "
--
2.53.0
next prev parent reply other threads:[~2026-03-09 13:29 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-02 16:01 [PATCH v5 00/10] spdx30: SBOM enrichment and documentation Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 01/10] spdx30: Add configurable file filtering support Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 02/10] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 03/10] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 04/10] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-03-03 8:42 ` [OE-core] " Mathieu Dubois-Briand
2026-03-03 10:27 ` Tondo, Stefano
2026-03-02 16:01 ` [PATCH v5 05/10] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 06/10] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 07/10] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 08/10] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 09/10] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-03-02 16:01 ` [PATCH v5 10/10] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-03-02 16:15 ` [OE-core] [PATCH v5 00/10] spdx30: SBOM enrichment and documentation Antonin Godard
2026-03-03 8:20 ` Tondo, Stefano
2026-03-04 17:05 ` [PATCH v6 " Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 01/10] spdx30: Add configurable file filtering support Stefano Tondo
2026-03-07 21:53 ` Joshua Watt
2026-03-04 17:05 ` [PATCH v6 02/10] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 03/10] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 04/10] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-03-07 22:32 ` Joshua Watt
2026-03-04 17:05 ` [PATCH v6 05/10] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 06/10] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 07/10] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 08/10] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 09/10] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-03-04 17:05 ` [PATCH v6 10/10] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-03-06 6:32 ` [PATCH v6 00/10] spdx30: SBOM enrichment and documentation Mathieu Dubois-Briand
2026-03-06 13:59 ` [OE-core][PATCH v7 " Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 01/10] spdx30: Add configurable file filtering support Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 02/10] spdx30: Add supplier support for image and SDK SBOMs Stefano Tondo
2026-03-07 21:55 ` Joshua Watt
2026-03-06 13:59 ` [OE-core][PATCH v7 03/10] spdx30: Add ecosystem-specific PURL generation Stefano Tondo
2026-03-07 22:15 ` Joshua Watt
2026-03-06 13:59 ` [OE-core][PATCH v7 04/10] spdx30: Add version extraction from SRCREV for Git source components Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 05/10] spdx30: Add SPDX_GIT_PURL_MAPPINGS for Git hosting Stefano Tondo
2026-03-06 13:59 ` [OE-core][PATCH v7 06/10] spdx30: Enrich source downloads with external refs and PURLs Stefano Tondo
2026-03-07 22:42 ` Joshua Watt
2026-03-06 13:59 ` [OE-core][PATCH v7 07/10] oeqa/selftest: Add test for download_location defensive handling Stefano Tondo
2026-03-07 22:48 ` Joshua Watt
2026-03-06 14:00 ` [OE-core][PATCH v7 08/10] spdx.py: Add test for version extraction patterns Stefano Tondo
2026-03-07 22:51 ` Joshua Watt
2026-03-06 14:00 ` [OE-core][PATCH v7 09/10] cve_check: Escape special characters in CPE 2.3 formatted strings Stefano Tondo
2026-03-07 22:01 ` Joshua Watt
2026-03-06 14:00 ` [OE-core][PATCH v7 10/10] spdx-common: Add documentation for undocumented SPDX variables Stefano Tondo
2026-03-07 22:03 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 0/7] SPDX 3.0 SBOM enrichment and compliance improvements stondo
2026-03-09 13:28 ` [OE-core][PATCH v8 1/7] spdx30: Add configurable file exclusion pattern support stondo
2026-03-11 20:29 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 2/7] spdx30: Add supplier support for image and SDK SBOMs stondo
2026-03-11 20:31 ` Joshua Watt
2026-03-09 13:28 ` stondo [this message]
2026-03-11 20:34 ` [OE-core][PATCH v8 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 4/7] spdx30: Enrich source downloads with version and PURL stondo
2026-03-11 22:49 ` Joshua Watt
2026-03-11 22:51 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 5/7] oeqa/selftest: Add tests for source download enrichment stondo
2026-03-11 20:40 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 6/7] cve_check: Escape special characters in CPE 2.3 strings stondo
2026-03-11 20:44 ` Joshua Watt
2026-03-09 13:28 ` [OE-core][PATCH v8 7/7] spdx-common: Add documentation for undocumented SPDX variables stondo
2026-03-11 20:42 ` Joshua Watt
2026-03-12 15:38 ` [OE-core][PATCH v9 0/7] SPDX 3.0 SBOM enrichment and compliance improvements stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 1/7] spdx30: Add configurable file exclusion pattern support stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 2/7] spdx30: Add supplier support for image and SDK SBOMs stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses stondo
2026-03-19 10:25 ` Richard Purdie
2026-03-12 15:38 ` [OE-core][PATCH v9 4/7] spdx30: Enrich source downloads with version and PURL stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 5/7] oeqa/selftest: Add tests for source download enrichment stondo
2026-03-13 6:14 ` Mathieu Dubois-Briand
2026-03-13 8:30 ` Tondo, Stefano
2026-03-12 15:38 ` [OE-core][PATCH v9 6/7] cve_check: Escape special characters in CPE 2.3 strings stondo
2026-03-12 15:38 ` [OE-core][PATCH v9 7/7] spdx-common: Add documentation for undocumented SPDX variables stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 0/7] SPDX 3.0 SBOM enrichment and compliance improvements stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 1/7] spdx30: Add configurable file exclusion pattern support stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 2/7] spdx30: Add supplier support for image and SDK SBOMs stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 3/7] spdx30: Add ecosystem-specific PURL generation via bbclasses stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 4/7] spdx30: Enrich source downloads with version and PURL stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 5/7] oeqa/selftest: Add tests for source download enrichment stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 6/7] cve_check: Escape special characters in CPE 2.3 strings stondo
2026-03-20 16:49 ` [OE-core][PATCH v10 7/7] spdx-common: Add documentation for undocumented SPDX variables stondo
2026-03-20 17:13 ` [OE-core][PATCH v10 0/7] SPDX 3.0 SBOM enrichment and compliance improvements Richard Purdie
2026-03-20 17:22 ` [OE-core][PATCH v9 " Mathieu Dubois-Briand
2026-03-20 17:24 ` Mathieu Dubois-Briand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260309132854.128375-4-stondo@gmail.com \
--to=stondo@gmail.com \
--cc=Peter.Marko@siemens.com \
--cc=Ross.Burton@arm.com \
--cc=adrian.freihofer@siemens.com \
--cc=jpewhacker@gmail.com \
--cc=mathieu.dubois-briand@bootlin.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=stefano.tondo.ext@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox